Malware analysis forms the backbone of proactive cybersecurity, making it possible to develop effective threat detection solutions. This is why malware creators go to great lengths to come up with methods to stall analysis. Let’s look at the most common techniques used in malware for evading analysis.
What is Malware Analysis and Why We Need It
Malware analysis involves gaining an insight into the inner workings of malicious software through an in-depth examination of its components. By analyzing such programs, researchers can extract critical information, including command-and-control (C2) addresses, and use it to craft signatures and other detection mechanisms to prevent their spread.
There are various types of malware analysis tools available to security analysts, including:
- Disassemblers and debuggers for reverse engineering malware by analyzing its binary code and debugging its execution.
- Network protocol analyzers for inspecting network traffic and detecting malicious activity.
- Sandboxes for observing the behavior of suspicious files and links in an isolated environment.
Timing-Based Detection
During analysis, debuggers slow down execution because of breakpoints and other instrumentation. Malware exploits this by recording, in advance, how long certain blocks of its own code should take to run and then comparing those expected values with the time they actually take at runtime.
If the measured execution time deviates significantly from the expected one, the malware concludes that it is being debugged and deliberately malfunctions to hinder the analysis.
To counter this technique, security researchers may use stealth debugging techniques that monitor a program’s execution without adding significant overhead. Another approach is to adjust the execution speed so that the checked operations complete within the expected window and the malware’s debugger detection is never triggered.
Hosting Detection
Datacenter IP addresses, a hallmark of many sandboxing solutions, can be a giveaway for malware. By identifying a datacenter IP, the malware recognizes that it is not in a real-world environment and stops execution.
To bypass this obstacle, analysts can leverage services like the ANY.RUN sandbox that offer the option to switch to a residential proxy. This feature replaces the sandbox’s datacenter IP with a standard residential one, masking its true nature and prompting the malware to launch without a problem.
Resource Usage Analysis
Malicious programs can identify virtualized environments by inspecting system resources. When specialists create custom sandboxes for malware analysis, they may unintentionally allocate limited resources, such as RAM and CPU cores. These resource constraints can be a red flag for malware, suggesting it is not operating on an ordinary machine.
Disk and File System Monitoring
Another part of the system that malware examines carefully is the disk and file system. Virtualization software typically installs its components into specific directories, and malicious programs treat the presence of those directories as an indicator that the system is virtualized.
Another tell-tale sign of a sandbox is the lack of usage history and logs on the system. To prevent malware from finding out about the virtualized environment, analysts can manually build logs and generate temporary files, as well as install basic software to simulate a “lived-in” system.
Delayed Start and Execution on Reboot
Automated sandboxing solutions allocate a limited time to analysis, usually no more than 30 minutes. Malware can exploit this limitation by simply avoiding launching before a certain time has passed. For instance, malware can include a sleep command in its code that delays its execution.
Similarly, automated sandboxing solutions typically do not offer a reboot option. To take advantage of this, malicious programs use reboot-based evasion. Malware can add itself to the system’s startup routine and execute only after a reboot, bypassing the sandbox analysis.
Location-based Evasion
Since many attacks target specific countries, malware may include built-in checks to determine whether it is running in a target region, for example by geolocating its IP address or inspecting the system language.
This again makes analysis in a virtualized environment difficult without proper tools, such as VPNs or system locale selection, because the malware simply does not start executing outside its intended region.
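The evasion techniques covered above (timing checks, resource probes, virtualization artifacts on disk, long sleeps, reboot persistence and locale checks) are visible in a sandbox’s API-call trace, and a triage script can flag them. The following is an added example, not code from the original article or from ANY.RUN: it runs a few heuristics over a constructed, hypothetical trace (the sample calls, the five-minute sleep threshold and the artifact patterns are assumptions).

```python
import re
from typing import Dict, List, Tuple

# Constructed, hypothetical API-call trace in the shape a sandbox might log.
SAMPLE_TRACE: List[Dict] = [
    {"api": "GetTickCount", "args": []},
    {"api": "GetTickCount", "args": []},                       # two reads back to back: timing check
    {"api": "GlobalMemoryStatusEx", "args": []},               # RAM size probe
    {"api": "CreateFileW", "args": [r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"]},
    {"api": "GetUserDefaultUILanguage", "args": []},           # locale check
    {"api": "Sleep", "args": [1800000]},                       # 30-minute delayed start
    {"api": "RegSetValueExW", "args": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "updater"]},
]

TIMING_APIS = {"GetTickCount", "GetTickCount64", "QueryPerformanceCounter", "timeGetTime"}
RESOURCE_APIS = {"GlobalMemoryStatusEx", "GetSystemInfo", "GetActiveProcessorCount"}
LOCALE_APIS = {"GetUserDefaultUILanguage", "GetSystemDefaultLangID", "GetLocaleInfoW"}
VM_ARTIFACT = re.compile(r"vmware|vbox|virtualbox|qemu", re.IGNORECASE)   # assumed artifact names
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)           # startup persistence key
LONG_SLEEP_MS = 5 * 60 * 1000   # assumption: >= 5 min is suspicious against a ~30 min sandbox budget


def detect_evasion(trace: List[Dict]) -> List[Tuple[int, str]]:
    """Return (call index, evasion tag) pairs for every heuristic that fires."""
    findings: List[Tuple[int, str]] = []
    prev_api = None
    for i, call in enumerate(trace):
        api, args = call["api"], call.get("args", [])
        if api in TIMING_APIS and prev_api in TIMING_APIS:
            findings.append((i, "timing-check"))          # consecutive clock reads bracket a timed block
        if api in RESOURCE_APIS:
            findings.append((i, "resource-probe"))        # checks for small RAM / few CPU cores
        if api in LOCALE_APIS:
            findings.append((i, "locale-check"))          # region targeting via system language
        if api == "Sleep" and args and int(args[0]) >= LONG_SLEEP_MS:
            findings.append((i, "delayed-start"))         # waits out the sandbox time limit
        if any(VM_ARTIFACT.search(str(a)) for a in args):
            findings.append((i, "vm-artifact-probe"))     # looks for hypervisor files on disk
        if api.startswith("RegSetValueEx") and any(RUN_KEY.search(str(a)) for a in args):
            findings.append((i, "reboot-persistence"))    # runs only after a reboot the sandbox never does
        prev_api = api
    return findings


if __name__ == "__main__":
    for index, tag in detect_evasion(SAMPLE_TRACE):
        print(f"call #{index}: {tag}")
```

Each tag points the analyst at the sandbox countermeasure discussed above (sleep skipping or a longer run, a larger VM, a “lived-in” image, a residential proxy, or a matching locale).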
Evasion tactics pose a significant challenge to analysis, and it is crucial for cybersecurity professionals to understand how to overcome them. The most effective approach involves utilizing advanced analysis tools and staying updated with the newest techniques attackers use to conceal malicious activities.
By Vlad Ananin