Researcher details how malware gives AV the slip

Researcher James Wyke has discovered throw-off tactics used by malware to frustrate investigators.

These tactics were part of a suite of impressive methods VXers used to find technical artifacts that could help them distinguish between computers belonging to victims and those used by malware researchers.

While malware writers could create a bit of noise when infecting victim machines -- as long as this did not trip antivirus -- they had to be positively silent when their wares appeared on white hat researcher machines.

If researchers could work out a malware family's tricks, the effort VXers had invested in building stealthy attack methods would be wasted. Most wares therefore tried hard to appear benign, or to mask their command and control (C&C) servers and methods of attack.

Some tactics concealed the real C&C addresses or concocted fake ones, while others blacklisted the IP addresses of machines on which the malware had detected it was running under a researcher's observation.

Wyke, of Sophos, found that the Andromeda downloader concealed its C&Cs from researchers, while Ponmocup hid the servers to which it shipped off stolen data and from which it received updates used to further compromise victims.

Shylock malware hiding

The Shylock banking trojan used its real C&C address only when running on genuine victim machines, and generated decoy data to mislead any researcher trying to observe the malware in a virtual environment.

Simda Trojan maintained a black book of known malware researchers which was populated whenever a researcher tripped up and revealed themselves to it.

Wyke was one of a group of malware researchers who – either as part of professional roles or, more commonly, as a hobby – pried and plucked malware and shared samples to uncover the latest evasion and cloaking measures VXers employed.

In other research also to be presented at the Virus Bulletin 2014 conference in Seattle next month, a trio of researchers from the University of California developed a hybrid analysis system to help malware analysts avoid being detected by the samples they study.

The BareCloud framework analysed each sample across a combination of bare-metal and virtualised environments, aiming to balance the speed of the virtualised runs against the chance that at least one of the platforms would be unknown to the malware, and comparing the resulting behaviour profiles to spot samples that act differently depending on where they run.

The developers said it could detect attempts by malware to make persistent changes to systems or to contact command and control servers - feats the wares would need to pull off in order to be damaging. ®
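To make the evasion tactics above and the BareCloud comparison concrete, here is an added example in Python. It is not code from the article, from Wyke, or from the BareCloud authors; the report format, the `Report`/`classify` names and the three sample runs are constructed for illustration. The idea is the one the BareCloud description gives: run a sample in several environments, treat the bare-metal run as the reference, and flag the sample as evasive when it shows persistence or C&C activity on real hardware but a markedly different profile in a virtualised sandbox (as the article says Shylock does with its real versus decoy C&C).

```python
"""Toy cross-environment behaviour comparison in the spirit of BareCloud.

Added example, not the project's own code. All reports are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    """Behaviour observed for one sample in one analysis environment."""
    environment: str
    persistence: frozenset   # normalised persistent changes (autorun keys, dropped files)
    network: frozenset       # normalised outbound contacts ("host:port")


BARE_METAL = "bare-metal"   # the reference environment the malware should believe is a victim


def jaccard_distance(a: frozenset, b: frozenset) -> float:
    """1 - |a ∩ b| / |a ∪ b|; two empty sets are identical (distance 0)."""
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)


def profile_distance(ref: Report, other: Report) -> float:
    """Average of the persistence and network distances between two runs."""
    return (jaccard_distance(ref.persistence, other.persistence)
            + jaccard_distance(ref.network, other.network)) / 2


def classify(reports, threshold: float = 0.5):
    """Compare every sandbox run with the bare-metal run.

    Returns (verdict, distances) where verdict is one of:
      'evasive'   - harmful on bare metal, but a sandbox saw something quite different
      'malicious' - harmful on bare metal and behaves the same everywhere
      'benign'    - no persistence and no network contact on bare metal
    """
    by_env = {r.environment: r for r in reports}
    ref = by_env[BARE_METAL]
    distances = {env: round(profile_distance(ref, rep), 3)
                 for env, rep in by_env.items() if env != BARE_METAL}
    # Persistent changes or C&C contact on real hardware are the signals the
    # BareCloud authors describe as necessary for the sample to do damage.
    harmful_on_metal = bool(ref.persistence or ref.network)
    hidden_somewhere = any(d >= threshold for d in distances.values())
    if harmful_on_metal and hidden_somewhere:
        return "evasive", distances
    if harmful_on_metal:
        return "malicious", distances
    return "benign", distances


# Constructed sample 1: Shylock-style behaviour. Real C&C and persistence on
# bare metal, nothing persistent and only a decoy host inside VMware, and the
# real behaviour again inside an emulator the sample does not recognise.
REAL_PERSIST = frozenset({r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
                          r"C:\Users\victim\AppData\Roaming\updater.exe"})
SAMPLE_EVASIVE = [
    Report(BARE_METAL, REAL_PERSIST, frozenset({"cc.example.invalid:443"})),
    Report("vmware", frozenset(), frozenset({"decoy.example.invalid:80"})),
    Report("qemu", REAL_PERSIST, frozenset({"cc.example.invalid:443"})),
]

# Constructed sample 2: does the same thing in every environment.
SAMPLE_MALICIOUS = [
    Report(env, REAL_PERSIST, frozenset({"cc.example.invalid:443"}))
    for env in (BARE_METAL, "vmware", "qemu")
]

# Constructed sample 3: a clean program, quiet everywhere.
SAMPLE_BENIGN = [Report(env, frozenset(), frozenset()) for env in (BARE_METAL, "vmware", "qemu")]


if __name__ == "__main__":
    for name, sample in (("evasive", SAMPLE_EVASIVE),
                         ("malicious", SAMPLE_MALICIOUS),
                         ("benign", SAMPLE_BENIGN)):
        verdict, dist = classify(sample)
        print(f"{name:10s} -> {verdict:10s} distances={dist}")
```

The `threshold` is the only tuning knob: a sample whose sandbox profile is more than half different from its bare-metal profile is treated as behaving differently on purpose. In the first constructed sample the VMware run differs completely (distance 1.0) while the emulator run matches (0.0), which is exactly the pattern of a sample that recognises one analysis platform but not another.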
