Malware Evasion

Berman Enconado , Security Researcher , NSS Labs

Jayendra Pathak , Chief Architect , NSS Labs

This paper explores the evasion techniques malware authors have been using. Malware evasion has long been used to avoid detection; it has existed ever since the first viruses were written. There are many forms of malware evasion, and most fall into the static and/or dynamic category. Evasion tactics have evolved over the years along with the technology available at the time they were conceived, and as new systems are developed to combat the growing malware threat, new evasion techniques surface.

A sandbox, put simply, is a system capable of executing or emulating the code of a target program so that potentially harmful behavior can be analyzed and mitigated; it has become one of the fundamental pieces of modern security solutions. Its popularity, however, gave rise to evasive code: malware that can detect when it is running inside a sandbox. The industry has seen these checks progress from simple timing-based attacks to complex malware capable of identifying whether a human is interacting with input devices such as the mouse and keyboard.
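
The "simple timing based" sandbox check mentioned above, as an added example written for this page rather than code from the paper or from NSS Labs: the program asks the OS to sleep and then compares the time that actually passed against the request. A sandbox that shortens or skips sleeps to speed up analysis, while leaving the clock untouched, produces an elapsed time far below what was requested. The 20% tolerance and the function names (judge_sleep, probe_sleep) are assumptions chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Outcome of one timing probe. */
typedef enum {
    TIMING_OK,            /* elapsed time is consistent with the requested sleep */
    TIMING_SLEEP_SKIPPED  /* returned far too early: the sleep is being accelerated */
} timing_verdict;

/* Monotonic clock reading in milliseconds. CLOCK_MONOTONIC is immune to
 * wall-clock adjustments, but not to a hypervisor that fast-forwards time. */
static uint64_t now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000u + (uint64_t)ts.tv_nsec / 1000000u;
}

/* Sleep for 'ms' milliseconds, resuming if a signal interrupts the sleep. */
static void sleep_ms(unsigned ms)
{
    struct timespec req = { (time_t)(ms / 1000u), (long)(ms % 1000u) * 1000000L };
    struct timespec rem;
    while (nanosleep(&req, &rem) == -1 && errno == EINTR)
        req = rem;
}

/* Pure decision step, kept separate from the measurement so it can be checked
 * with constructed values. Only an early return is suspicious: a busy host or
 * a coarse scheduler makes sleeps longer, never shorter. */
timing_verdict judge_sleep(uint64_t requested_ms, uint64_t elapsed_ms)
{
    /* Assumed tolerance: up to 20% early return is attributed to timer
     * granularity rather than to a patched sleep call. */
    uint64_t min_elapsed = requested_ms - requested_ms / 5u;
    return elapsed_ms < min_elapsed ? TIMING_SLEEP_SKIPPED : TIMING_OK;
}

/* Measure one real sleep against the monotonic clock and judge it. */
timing_verdict probe_sleep(unsigned requested_ms)
{
    uint64_t start = now_ms();
    sleep_ms(requested_ms);
    return judge_sleep(requested_ms, now_ms() - start);
}

int main(void)
{
    /* A sandbox that patches the sleep call but leaves the clock alone makes
     * this report TIMING_SLEEP_SKIPPED; an unmodified host reports TIMING_OK. */
    timing_verdict v = probe_sleep(200);
    printf("200 ms sleep: %s\n",
           v == TIMING_OK ? "consistent with the clock (TIMING_OK)"
                          : "returned early (TIMING_SLEEP_SKIPPED)");
    return 0;
}
```

The check fails once the sandbox fast-forwards its clocks coherently with the skipped sleep, which is why this class of detection escalated to comparing two independent time sources (for example a local clock against one the sandbox cannot patch). For an analysis environment the practical lesson is the mirror image: either honor sleeps, or advance every clock the guest can observe by the same amount.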

A virtualized OS offers the ability to run multiple operating systems within a host OS, which makes analyzing malware samples faster and more efficient. VMs save valuable time by quickly reverting to their original snapshot, and they permit a program's behavior to be identified by running it within a preconfigured environment. Used in conjunction with other analysis tools, they have proven to be a powerful part of the security arsenal for determining potentially malicious behavior. As their usage grew, so did the techniques for detecting virtualized environments and subverting execution in them. The tactics developed from checking for the existence of files, processes and other endpoint artifacts to the use of undocumented assembly instructions.

Knowing past and present evasion techniques, as well as foreseeing future ones, is one of the key factors in fighting the evolving malware threat.

This presentation aims to inform security researchers as well as developers about the evasion tactics currently used in the wild. The paper veers away from known evasion tactics that have already been published and discussed, such as those covered by Pafish (and similar tools), and focuses on newly found techniques that have been used, and can potentially be used, by malicious software.

Jayendra Pathak

Jayendra Pathak, Chief Architect and Head of Offensive Research, brings a wealth of expertise in malware, phishing, and exploit analysis. Jayendra and his team maintain a comprehensive database of threats prevalent in the wild and have built an automated live testing infrastructure that runs with minimal supervision. Prior to NSS Labs, he was a research assistant at the University of Houston, where he was pursuing his MS degree. A native of Nepal, Jayendra worked as a computer engineer for the government of Nepal for 4 years prior to coming to the United States. A true researcher, Jayendra's hobby is to scan the Internet for threats and try to determine how those threats affect users. He has a BE in computer engineering from Nepal Engineering College and an MS in Management Information System from the University of Houston.