In this week’s chat, the malware research team looks at the lengths malware authors go to in order to evade detection — from employing common malware obfuscation techniques to using more sophisticated tactics like nonce-based encryption.
There’s all sorts of trickery malware uses to gain execution, but some of the more sophisticated malware also goes to great lengths to hide itself once there.
We often see a couple of types of common obfuscation techniques:
Can someone walk us through the more common types? And has anyone noticed anything different recently that caught their eye?
forrest: We’ve been seeing the classic obfuscation methods for a while, the standard macro script mangling through renaming variables, adding garbage logic, using abnormal/random formatting and so forth. Some examples of this are the droppers for Dridex, Bartallex, and, more recently, even some ransomware.
Hiding from the end user is something that has been going on for decades. It usually takes the form of using harmless or common looking names for malicious files and processes (a malicious process named svchost.exe is a classic example).
ryan: The old Jedi Mind trick (this is not the svchost.exe you are looking for).
forrest: In more advanced cases, rootkits are also used to hide processes, registry keys, and files altogether from the user.
In terms of something different, there’s also recently been a couple of families moving towards a more sophisticated approach of using nonce-based (or specifically timed) encryption methods to prevent analysis by researchers.
So, going back to the common obfuscation types, I think we could add “Hiding from common auto-analysis software” (ex: Cuckoo, which is used by security companies to identify and classify malware) to the list.
matt: As for hiding from security companies, that can also be pretty straightforward. By just iterating through the process or service list, you can detect whether or not certain security products are running and exit out.
ryan: Although if malware wants to exit just because some software is loaded I will declare victory — the simplest form of protection if you ask me.
forrest: Editing things like the hosts file in Windows to prevent access to common antivirus sites is a classic example of a way malware can hide from security companies. In some cases (for example, Conficker), it will go so far as to have a thoroughly researched map of IP addresses of known security companies and honeypots, so that these systems cannot easily obtain samples of the worm.
ryan: Editing the hosts file is an oldie but a goodie. Does anyone even know where that is installed anymore? Or that there is such a thing? DNS is magic, isn’t it?
forrest: I think the method of nonce or timed encryption-key-based malware I mentioned earlier can also fall into the category of hiding from security companies, since in essence what they are doing is obfuscating themselves so that security companies and researchers cannot do anything useful with a sample of the malware outside of a certain time range (a few hours after it is released in the case of some Locky variants).
They are sacrificing increased infection rates for stealth from security companies and researchers by not allowing their code to be run except in circumstances of their choosing.
ryan: Timing is used to avoid sandbox detection, as well. Just sleep for a period of time (even an hour is sufficient).
forrest: Another example of some malware using this nonce-based obfuscation approach to deterring researchers is Furtim.
Other methods that can be used to deter security companies and researchers are anti-analysis tricks in the code like debugger checks and checks for commonly-installed security software.
A good example of some malware using quite a few of these tricks in conjunction is Shifu, which was not only scrambled and mutated on virtually every level of its code (huge amounts of garbage logic and even a randomly generated icon), but would also go so far as to kill instances of Python running on the local system to try to shut down analysis from software such as Cuckoo.
ryan: @forrest you mentioned rootkits. Hasn’t driver signing raised the bar?
forrest: Yes, in fact, rootkits are much less prevalent now than they were in the days of 32-bit Windows XP, when you could easily load an arbitrary piece of code into ring 0 with admin privileges and have it do virtually anything, including modifying other drivers in memory, hooking sensitive system calls, even modifying important kernel objects to do things like hide processes.
ryan: Do you remember Turla (aka Snake aka Uroburos)? I always fear these things fall off the radar, but lest we forget, we’re often only one vulnerability away from running in ring 0, and once that happens, all bets are off.
matt: If you could inject yourself into a signed driver, couldn’t you then act as that driver and run in ring 0? So you’re only as good as the protection of your signed drivers?
ryan: Run driverquery from the commandline to get a sense of the attack surface.
forrest: Since the driver is signed, it cannot be changed at all on disk and still be allowed by Windows to load (unless there was already malicious code in the kernel, interfering with the signing checks).
ryan: One of the more interesting things about Turla, though, was it took the steps of installing a signed driver with a known vulnerability then exploited the driver to disable driver signing and install another driver. Then it bypassed PatchGuard to install kernel hooks, bypassing already installed kernel-based security software. It went undiscovered for almost three years.
forrest: That’s true. On the cutting edge, there are still some advanced malware families that include rootkit/bootkit components, but they are definitely few and far between compared to what they used to be. Still, they remain a threat, and these mechanisms put in place by Microsoft can’t fully protect the OS.
ryan: I think the reason you don’t see as many is because, in most cases, it’s not necessary. I mean, as a malware author, why go through all the hoops when people still load random macros?
forrest: Right. So much development and effort has to go into building a stable bootkit or stealing a trusted cert. Considering what is gained it isn’t a very practical, cost-effective tool for the average cybercriminal. For a government on the other hand, or in an advanced targeted attack, I can see why it would be included.
ryan: No point in going through a whole lot of hoops to hide yourself if you are going to throw up a ransomware screen with a Bitcoin address.
forrest: Or, like in the case of Locky and Furtim, you will only be active in a very controlled/timed way, anyways. No sense in installing a rootkit to hide yourself for just a couple hours.
matt: Speaking of a ransomware screen, a technique some ransomware uses to hide/protect itself from users is to hide or kill instances of task manager, web browsers, etc. in order to prevent users from doing anything other than pay the ransom.
forrest: We’ve seen that quite a bit. Enumerating all of the window titles on the system and repeatedly hiding any that have names corresponding to task manager, the windows start menu, web browsers, etc.
ryan: Have you ever seen the screens that make an alarm sound and lock the browser saying, “You have a virus, do you want to leave the page?” There is an “Okay” and a “Cancel” button and you can’t click either. It gives you a number to call for tech support. That’s a good one.
I haven’t seen that coupled with hiding task manager but that would up the ante. Get you to install a legitimate remote access tool…
forrest: You’d have to own your own phone service so you could collect the money for every minute a victim spends on your help line (which a lot of them seem to be doing), but, yes, it’s definitely clever.
ryan: It’s interesting that obfuscation priorities have shifted with the rise of ransomware, which still needs to hide from security software to gain execution, but once it gets execution there’s no point in hiding.
matt: Exactly. Once executed and infection has successfully completed, they have to show themselves in order to get paid.
forrest: In a lot of ways I think it is fair to say ransomware can be very “simple” fundamentally, compared to a banking trojan for example. The amount of programming skill needed to pull off the attack is much lower, as is the amount of effort/expertise needed to monetize the attack.
ryan: Ransomware is the new spam. It’s not a slow campaign of data exfiltration. It’s blast away and get as many clicks as you can. Rinse and repeat.
The stealth involved is more about avoiding security detection and reverse engineering.
forrest: Yes, exactly. The obfuscation ransomware seems most focused on is to hide from analysis in Cuckoo and throw reverse engineers off. As opposed to elaborate rootkit methods, code mutation (although there is still a bit of that in the crypters they use), or things of that nature.
ryan: @forrest, You’ve done some work analyzing crypters. Can you briefly describe what you mean?
forrest: Sure. The purpose behind crypters is for malware to be able to avoid the standard signature-based approach of antivirus detection by wrapping itself in a protective shell of encryption. The malware inside the shell hasn’t necessarily changed, but the shell can be constantly modified to look different and throw off analysis/detection.
Inside most crypters there will be layers of garbage code (logic which does nothing but is designed to look benign) intermixed with anti-analysis tricks like timing attacks, anti-debugging checks, anti-emulation attacks, and other forms of obfuscation.
The purpose of the crypter is to act as a decryptor/launchpad for the encrypted malware executable it has stored within itself, so that it never needs to touch the hard drive in its full form.
ryan: The crypter is the trojan horse. “No malware here, just a wooden horse.” So just how many different crypters are there?
forrest: Hundreds if not more have been created, but because they are all different and constantly change themselves, the number of possible forms they can take is infinite.
ryan: So when people talk about polymorphic malware is this really malware that is using some type of crypter?
forrest: In some cases, but not always. Sometimes the malware has its own way of changing itself but this is less common. More often than not, malware that appears to be polymorphic is just normal unchanging malware wrapped in a polymorphic crypter.
ryan: It all goes back to, two men enter a bank, one is looking to withdraw some money, the other is looking to rob the bank. The question is, which one is the robber? You don’t know until they pull out the gun.
Time to wrap up this edition of our Malware Slack Chat. As always, we take requests (if you have a topic you want to see us cover just shoot a note to @barklyprotects).
Have a question or topic you want the malware research team to cover? Let us know on Twitter @barklyprotects.