Researcher details how malware gives AV the slip


Researcher James Wyke has detailed the throw-off tactics malware uses to frustrate the investigators who study it.

These tactics are part of a suite of impressive methods virus writers (VXers) use to find technical artifacts that distinguish a victim's computer from one belonging to a malware researcher.

Malware writers can afford a little noise when infecting a victim machine, as long as it does not trip antivirus, but their wares must be positively silent when they land on a white-hat researcher's machine.

If researchers can work out a malware's tricks, the resources VXers invested in stealthy attack methods are wasted. Most wares therefore try hard to appear benign, or to mask their command and control (C&C) servers and their methods of attack.

Some tactics conceal the C&C addresses or substitute fake ones; others add a machine's IP address to a blacklist whenever the malware detects that it is running on a researcher's system.

Wyke, of Sophos, found that the Andromeda downloader concealed its C&Cs from researchers, while Ponmocup hid the servers to which it shipped stolen data and from which it received updates to further compromise victims.

Shylock malware hiding

The Shylock banking trojan used its real C&C address only when running on a genuine victim machine, and generated bogus data to con any researcher observing the malware in a virtual environment.

The Simda trojan maintained a black book of known malware researchers, populated whenever a researcher tripped up and revealed themselves to it.

Wyke is one of a group of malware researchers who, either as part of their professional roles or, more commonly, as a hobby, pry apart malware and share samples to uncover the latest evasion and cloaking measures VXers employ.

In other research also to be presented at the Virus Bulletin 2014 conference in Seattle next month, a trio of researchers from the University of California developed a hybrid analysis system that helps analysts catch malware built to detect them.

The BareCloud framework analyses malware across a combination of bare-metal and virtualised environments, combining the transparency of bare-metal analysis (no hypervisor artifacts for the sample to spot) with the hope that at least one of the emulated platforms is unknown to the malware.

The developers said it could detect attempts by malware to make persistent changes to a system or to contact command and control servers, feats the wares need to pull off in order to do damage.
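As an added example, not BareCloud's own code or any of the malware discussed above, the script below shows the comparison such a system boils down to: the same sample is run in a bare-metal reference environment and in several sandboxes, each run is reduced to the behaviours that would actually do damage (persistent host changes and C&C contacts), and any sandbox in which the sample withheld behaviour it showed on bare metal is reported as evaded. It also surfaces behaviour seen only in a sandbox, which is what a Shylock-style decoy C&C address looks like from the analyst's side. The event taxonomy, the path patterns, the environment names and the traces themselves are constructed for illustration.

```python
"""Toy BareCloud-style evasion detector (added example, not BareCloud's code).

Each environment yields a trace of (kind, target) events recorded while the
same sample ran.  We keep only damaging behaviour and compare every sandbox
against the bare-metal reference.  Taxonomy and patterns are assumptions."""
import re
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str]   # (kind, target) as a monitor might record it

# Event kinds that can make a change survive a reboot (assumed taxonomy).
PERSISTENCE_KINDS = {"file_create", "reg_set", "service_create", "task_create"}
# Targets whose modification is persistence rather than scratch-file noise.
PERSISTENCE_PATHS = re.compile(
    r"\\CurrentVersion\\Run\b|\\Startup\\|^C:\\Windows\\System32\\", re.IGNORECASE)
# Hosts every run contacts regardless of the sample (assumed sandbox baseline).
BASELINE_HOSTS = {"time.windows.com", "127.0.0.1"}


def significant(trace: List[Event]) -> Set[Event]:
    """Reduce a raw trace to damaging behaviour: persistent host changes
    and contacts with candidate C&C servers."""
    kept: Set[Event] = set()
    for kind, target in trace:
        if kind in PERSISTENCE_KINDS and PERSISTENCE_PATHS.search(target):
            kept.add(("persist", target.lower()))
        elif kind in ("dns", "connect") and target.lower() not in BASELINE_HOSTS:
            kept.add(("c2", target.lower()))
    return kept


def analyse(traces: Dict[str, List[Event]], reference: str = "bare_metal") -> Dict:
    """Compare every sandbox trace against the reference (bare-metal) trace.
    A sandbox is 'evaded' when the sample withheld there any damaging behaviour
    it showed on bare metal.  Behaviour seen only in a sandbox (for example a
    decoy C&C address) is reported under 'decoys'."""
    ref = significant(traces[reference])
    report: Dict = {"reference": sorted(ref), "evaded": [], "missing": {}, "decoys": {}}
    for env, trace in traces.items():
        if env == reference:
            continue
        seen = significant(trace)
        report["missing"][env] = sorted(ref - seen)
        report["decoys"][env] = sorted(seen - ref)
        if ref - seen:
            report["evaded"].append(env)
    report["evasive"] = bool(report["evaded"])
    return report


# Constructed traces for one sample run in four environments.
TMP = r"C:\Users\victim\AppData\Local\Temp\tmp1.dat"
RUNKEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"
DROP = r"C:\Windows\System32\svchost32.dll"
SAMPLE_TRACES: Dict[str, List[Event]] = {
    "bare_metal": [("file_create", TMP), ("file_create", DROP), ("reg_set", RUNKEY),
                   ("dns", "time.windows.com"), ("connect", "203.0.113.7:443")],
    # Spots the hypervisor and exits after dropping only a scratch file.
    "vmware_sandbox": [("file_create", TMP), ("dns", "time.windows.com")],
    # Persists, but talks to a decoy C&C instead of the real one.
    "qemu_sandbox": [("file_create", TMP), ("file_create", DROP), ("reg_set", RUNKEY),
                     ("connect", "198.51.100.9:80")],
    # Platform the sample does not recognise: behaves as on bare metal.
    "kvm_sandbox": [("file_create", TMP), ("reg_set", RUNKEY), ("file_create", DROP),
                    ("connect", "203.0.113.7:443")],
}

if __name__ == "__main__":
    r = analyse(SAMPLE_TRACES)
    print("evasive:", r["evasive"], "evaded:", r["evaded"])
    for env in r["missing"]:
        print(f"{env}: withheld {r['missing'][env]} decoys {r['decoys'][env]}")
```

Run stand-alone, the script flags the sample as evasive, names the VMware and QEMU sandboxes as evaded, and shows the QEMU decoy address; the KVM run matches bare metal and is not flagged. Real systems must also discard behaviour that legitimately differs between environments (timestamps, random file names, sandbox-specific agents), which is why the comparison here is made on a normalised subset of events rather than on raw traces.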

