Security Response

Malware Authors Using New Techniques to Evade Automated Threat Analysis Systems

Created: 26 Oct 2012 11:26:15 GMT • Updated: 23 Jan 2014 18:11:57 GMT • Translations available: 日本語
By Hiroshi Shinotsuka

According to the Symantec Internet Security Threat Report (ISTR), 400 million new variants of malware were created in 2011, which is an average of 33 million new variants of malware a month, or an average of one million new variants a day.

It is impossible to analyze such a large number of sample files manually, so an automated threat analysis system is needed to analyze sample behavior and prioritize the files for which virus definitions should be created.

By searching the Web, you can find services that execute files in a sandbox and show the behavior of those files, thus enabling you to see what a suspicious file does before you execute it on your computer.

Both kinds of system execute the submitted files in a sandbox and log their system behavior.

If malware can hide itself from automated threat analysis systems, it can blend in with millions of sample files and antivirus applications may not be able to figure out that it is malicious. Therefore, both malware and packer program authors attempt to utilize techniques to hide malicious files from automated threat analysis systems.

For a long time, malware has been able to detect the environment it is running in and hide itself from automated threat analysis systems. The list below shows the measures malware takes to avoid being detected by dynamic analyzer systems:

  • Checks a certain registry entry and stops if it detects that it is running in a virtual environment.
  • Checks video and mouse drivers and stops if it detects that it is running in a virtual environment.
  • Enumerates the system service list and stops if it detects that it is running in a virtual environment.
  • Executes special assembler code and stops if it detects that it is running in a virtual environment.
  • Checks a certain communication port and stops if it detects that it is running in a virtual environment.
  • Checks a certain process name and stops if it detects that it is being monitored.

If malware stops itself when it detects that it is running in a virtual environment, it may trick an automated threat analysis system into thinking that it is a clean program. It is also able to stop itself if it discovers a certain process name and detects that someone is monitoring it. So malware may not only fool automated threat analysis systems, but also a corporate system administrator who is searching for computers compromised by malware.

Malware authors have recently attempted to use other approaches to fool automated threat analysis systems as well. Two of those techniques are explained below.

Figure 1. Malware using the mouse to hide itself

A hook is a point in the system message-handling mechanism where an application can install a subroutine to monitor the message traffic in the system. The SetWindowsHookExA API call shown in the image above installs the _main_routine subroutine as a hook on mouse message traffic, so the malware only runs when it receives mouse messages, that is, when the mouse is moved or a button is clicked. A person using Windows normally moves and clicks the mouse, so on a real user's computer _main_routine runs as intended. An automated threat analysis system, however, does not use a mouse, so the code remains dormant and the system may not detect it as malware.

Figure 2. Malware using "sleep" to evade dynamic analyzer systems

When the code runs, it waits 300,000 milliseconds, or five minutes, before executing the DecryptCode subroutine, as shown in the image above. It then waits 20 minutes and executes the ModifyRegistry subroutine. After executing the Network_main subroutine, it waits another 20 minutes.

Automated threat analysis systems spend only a small amount of time on each file, so a file that delays its malicious activity for this long may not be detected as malware.
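The two techniques above (the mouse-message hook in Figure 1 and the long Sleep calls in Figure 2) both leave a visible footprint in the API-call trace that a sandbox records, even when the payload itself never runs. The following Python script is an added example, not code from the original post or from Symantec: it parses a constructed trace (the line format, timestamps and argument names are assumptions modelled on the calls the post describes), flags a mouse hook installed via SetWindowsHookExA/W with the WH_MOUSE or WH_MOUSE_LL hook type, sums the requested sleep time, and reports when that total exceeds the analysis time budget, along with the sandbox countermeasure each finding calls for (synthetic mouse input, sleep skipping).

```python
import re
from dataclasses import dataclass, field

# Hook-type constants from the Win32 SDK (WinUser.h) that cover mouse input.
WH_MOUSE = 7
WH_MOUSE_LL = 14
MOUSE_HOOK_TYPES = {WH_MOUSE, WH_MOUSE_LL}

# Constructed sample trace in a sandbox-like "timestamp API(args)" format.
# This is not real malware output; the calls and arguments mirror the two
# techniques described in the post (mouse hook, then 5 + 20 + 20 minute sleeps).
SAMPLE_TRACE = """\
0.012 SetWindowsHookExA(idHook=14, lpfn=0x00401000, hMod=0x0, dwThreadId=0)
0.015 GetMessageA(lpMsg=0x0012ff40)
0.020 Sleep(dwMilliseconds=300000)
300.021 DecryptCode()
300.025 Sleep(dwMilliseconds=1200000)
1500.030 ModifyRegistry()
1500.031 Network_main()
1500.040 Sleep(dwMilliseconds=1200000)
"""

# Assumed trace grammar: "<seconds> <ApiName>(<name>=<value>, ...)".
CALL_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<api>\w+)\((?P<args>.*)\)$")
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-fA-F]+|\d+)")


def _to_int(value: str) -> int:
    """Parse a decimal or 0x-prefixed hexadecimal argument value."""
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def parse_trace(text: str) -> list:
    """Return a list of (timestamp, api_name, {arg: int}) tuples."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not API calls
        args = {k: _to_int(v) for k, v in ARG_RE.findall(m.group("args"))}
        calls.append((float(m.group("ts")), m.group("api"), args))
    return calls


@dataclass
class EvasionReport:
    mouse_hook: bool = False          # payload gated on mouse messages
    total_sleep_ms: int = 0           # sum of all Sleep/SleepEx requests
    long_sleeps: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def analyse(calls: list, budget_ms: int = 120_000, long_sleep_ms: int = 60_000) -> EvasionReport:
    """Score a trace for the two evasion techniques and suggest sandbox countermeasures.

    budget_ms is the assumed per-sample analysis time of the sandbox (here two
    minutes); long_sleep_ms is the threshold above which a single Sleep is noted.
    """
    rep = EvasionReport()
    for _ts, api, args in calls:
        if api in ("SetWindowsHookExA", "SetWindowsHookExW") and args.get("idHook") in MOUSE_HOOK_TYPES:
            rep.mouse_hook = True
        if api in ("Sleep", "SleepEx"):
            ms = args.get("dwMilliseconds", 0)
            rep.total_sleep_ms += ms
            if ms >= long_sleep_ms:
                rep.long_sleeps.append(ms)

    if rep.mouse_hook:
        rep.findings.append(
            "mouse-hook gate: code runs only on mouse messages; "
            "countermeasure: inject synthetic mouse movement and clicks during analysis")
    if rep.total_sleep_ms > budget_ms:
        rep.findings.append(
            f"sleep evasion: {rep.total_sleep_ms // 60000} min of requested sleep exceeds "
            f"the {budget_ms // 60000} min analysis budget; "
            "countermeasure: skip or accelerate Sleep calls and extend the run")
    return rep


if __name__ == "__main__":
    report = analyse(parse_trace(SAMPLE_TRACE))
    print(f"mouse hook: {report.mouse_hook}, total sleep: {report.total_sleep_ms} ms")
    for finding in report.findings:
        print(" -", finding)
```

Because the trace records what the sample asked for rather than what it did, the analyst learns the evasion intent even when the sandbox run ends before DecryptCode or Network_main ever executes; in the constructed sample the three sleeps alone add up to 45 minutes against a two-minute budget.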

In the past, malware authors used technically demanding methods to detect virtual environments. As such, they may have needed specialized skills, such as the ability to write assembler code, knowledge of virtual machines, and knowledge of CPUs and memory management.

However, the techniques described in this blog are not technical, and hence malware authors these days do not need technical skills to hide their creations from automated threat analysis systems. Furthermore, they are constantly researching and testing new ideas for fooling automated threat analysis systems.

Symantec engineers are always on the lookout for new techniques that malware and packer program authors may employ, such as those described in this blog. We recommend that users do not execute suspicious files or applications, and that they keep their operating system and antivirus software up to date.