Researcher details how malware gives AV the slip
'They're coming! Everyone back to your places!'
Researcher James Wyke has discovered throw-off tactics used by malware to frustrate investigators.
These tactics were part of a suite of impressive methods VXers used to find technical artifacts that could help them distinguish between computers belonging to victims and those used by malware researchers.
While malware writers could create a bit of noise when infecting victim machines -- as long as this did not trip antivirus -- they had to be positively silent when their wares appeared on white hat researcher machines.
If researchers could determine a malware's tricks, it could destroy the resources invested by VXers to produce stealthy attack methods. Therefore most wares tried hard to appear benign, or to mask their command and control servers (C&C) and methods of attack.
The tactics concealed the C&C addresses or may concoct fake ones, while others would blacklist IP addresses when malware detected itself running on a researchers' machine.
Wyke of Sophos found that the Andromeda downloader concealed its C&Cs from researchers while the Ponmocup hid the servers to which it shipped off stolen data and received updates to further hack victims, Wyke found.
The Shylock banking trojan used its real C&C address only when running on legitimate victim machines and created bluffed data in order to con any researcher wanting to observe the malware in virtual environments.
Simda Trojan maintained a black book of known malware researchers which was populated whenever a researcher tripped up and revealed themselves to it.
Wyke was one of a group of malware researchers who – either as part of professional roles or, more commonly, as a hobby – pried and plucked malware and shared samples to uncover the latest evasion and cloaking measures VXers employed.
In other research also to be presented at the Virus Bulletin 2014 conference in Seattle next month, a trio of researchers from the University of California developed a hybrid analysis system to help malware probers to avoid detection.
The BareCloud framework analysed malware across a combination of bare-metal and virtualised environments in a bid to balance speed of bare-metal analysis with the hopes that one of the emulated platforms would be unknown to the malware.
The developers said it could detect attempts by malware to make persistent changes to systems or contact command and control servers - feats the wares would need to pull of in order to be damaging. ®