Researcher details how malware gives AV the slip

'They're coming! Everyone back to your places!'


Researcher James Wyke has discovered throw-off tactics used by malware to frustrate investigators.

These tactics were part of a suite of impressive methods VXers used to find technical artifacts that could help them distinguish between computers belonging to victims and those used by malware researchers.

While malware writers could create a bit of noise when infecting victim machines -- as long as this did not trip antivirus -- they had to be positively silent when their wares appeared on white hat researcher machines.

If researchers could determine a malware's tricks, it could destroy the resources invested by VXers to produce stealthy attack methods. Therefore most wares tried hard to appear benign, or to mask their command and control servers (C&C) and methods of attack.

Some of these tactics concealed the C&C addresses or concocted fake ones, while others blacklisted IP addresses once the malware detected it was running on a researcher's machine.

Wyke of Sophos found that the Andromeda downloader concealed its C&Cs from researchers, while Ponmocup hid the servers to which it shipped off stolen data and from which it received updates to further hack victims.

Shylock malware hiding


The Shylock banking trojan used its real C&C address only when running on legitimate victim machines and created bluffed data in order to con any researcher wanting to observe the malware in virtual environments.

Simda Trojan maintained a black book of known malware researchers which was populated whenever a researcher tripped up and revealed themselves to it.

Wyke was one of a group of malware researchers who – either as part of professional roles or, more commonly, as a hobby – pried and plucked malware and shared samples to uncover the latest evasion and cloaking measures VXers employed.

In other research also to be presented at the Virus Bulletin 2014 conference in Seattle next month, a trio of researchers from the University of California developed a hybrid analysis system to help malware researchers avoid being detected by the samples they examine.

The BareCloud framework analysed malware across a combination of bare-metal and virtualised environments, in a bid to balance the speed of bare-metal analysis with the hope that at least one of the emulated platforms would be unknown to the malware.

The developers said it could detect attempts by malware to make persistent changes to systems or to contact command and control servers - feats the wares would need to pull off in order to be damaging. ®
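To make the comparative idea behind BareCloud concrete, here is an added Python example; it is not BareCloud's own code, which this article does not reproduce. The traces, environment names, event kinds and the Jaccard-based deviation score are constructed assumptions for illustration: the same sample is run in several environments, each run is reduced to the two behaviours the article names (persistent changes and C&C contact), and the sample is flagged as evasive when its bare-metal behaviour is not reproduced in an emulated environment.

```python
# Added illustration of a BareCloud-style comparison (not the BareCloud code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    kind: str    # "persist" (registry/file change) or "network" (host contacted)
    target: str  # registry key, file path or host:port

# Constructed traces, one per analysis environment (assumed names).
TRACES = {
    "bare_metal": [
        Event("persist", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
        Event("persist", r"C:\Users\victim\AppData\Roaming\updater.exe"),
        Event("network", "c2.example.invalid:443"),
    ],
    "vm_a": [
        Event("network", "decoy.example.invalid:80"),  # fake C&C shown to analysts
    ],
    "vm_b": [],                                         # silent: sandbox recognised
}

def profile(events):
    """Reduce a trace to the two behaviour classes the article names."""
    return {
        "persist": frozenset(e.target for e in events if e.kind == "persist"),
        "network": frozenset(e.target for e in events if e.kind == "network"),
    }

def deviation(base, other):
    """Jaccard distance between two profiles: 0.0 (identical) to 1.0 (disjoint)."""
    a = base["persist"] | base["network"]
    b = other["persist"] | other["network"]
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)

def analyse(traces, baseline="bare_metal", threshold=0.5):
    """Return (is_evasive, per-environment deviation from the baseline run)."""
    base = profile(traces[baseline])
    scores = {env: deviation(base, profile(ev))
              for env, ev in traces.items() if env != baseline}
    # Only damaging behaviour (persistence or C&C contact) on bare metal that an
    # emulated run fails to reproduce counts as evasion.
    damaging = bool(base["persist"] or base["network"])
    return damaging and any(s >= threshold for s in scores.values()), scores

if __name__ == "__main__":
    evasive, scores = analyse(TRACES)
    print("evasive:", evasive, "scores:", scores)
```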
