Going gets tough: a tale of encounters with novel evasive malware.
A few years ago the aim of malware writers was to hide malicious activity from the operating system itself, which often also meant successfully evading any installed security solution. Sophisticated kernel-mode and boot-level rootkits – such as TDSS, Sinowal or ZeroAccess – were extensively used in cyber criminal affiliate programs, protecting a wide range of mass-oriented malware, from spyware to banking Trojans. Hiding components were also implemented in the first disclosed nation-state sponsored campaigns: Stuxnet and Duqu.
The development of rootkits and anti-rootkit techniques went neck and neck up until a certain point, at which the growing complexity demanded of detection-avoiding mechanisms clearly outweighed the results they delivered. The significant improvement of the security level in modern Windows operating systems, together with the increasing effectiveness of AV solutions, turned kernel space into a highly challenging ground for malware to play on. This forced malware writers to look for better ways to bypass protections.
Although proof-of-concept ideas demonstrated the possibility of creating a potentially undiscoverable virtualization rootkit, due to their overwhelming complexity they were never adopted in the wild. But what was the aim of such complex solutions in the first place? To make malware completely invisible to anything and anybody? Wouldn't it be enough to simply disguise itself as a benign application in order to pass all security checks?
Existing proactive detection techniques, whether manual or automated, rely on the ability to execute code in a sandbox, and that is where the new opportunities lie. Through evasive behavior at emulation and analysis time, combined with anti-heuristic and anti-reversing techniques, malware can avoid detection and fool not only sandboxes, scanners and anti-virus applications, but malware analysts and reverse engineers as well.
Looking at the threat landscape over the last 3 years, we can notice a slow but clear decline in widespread malware protected by rootkits. Similarly, most of the recently discovered APT campaigns do not use any kernel-level components at all. Going user-land, in plain sight, has become the paradigm.
This presentation will analyze some interesting examples of user-mode anti-detection techniques widely used in recent malware, including:
• Sandbox/emulator bypass
• Evasion with the use of window messages
• Evasion with the use of SEH mechanism
Speakers
Marta Janus