Tricks of the malware trade

Pieterse says that one of the most common techniques is simple obfuscation, making data unreadable or hard to understand, and highlighted XOR as the most common method.

XOR ('exclusive or') is a simple cipher: a text string is encrypted by applying the XOR operator to every character using a given key. Then there's base64 encoding, which uses a 64-character alphabet and produces output that is very difficult to read but very easy to decode.

By changing the order of the characters in that base64 alphabet, decoding becomes a lot harder, and the malware authors know this. Runtime packers are also used, compressing the original file and thus making the original code and data unreadable. "When the malware gets executed at runtime," Pieterse explains, "a wrapper program will decompress the program into memory." So only once it is loaded in memory can the original malware be seen.
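To make the two obfuscation layers described above concrete, here is an added example (not code from the article or from anyone quoted in it) that applies a repeating-key XOR and then a base64 encoding with a non-standard alphabet, and shows the decoding side an analyst needs: the custom table must be recovered before the base64 layer gives anything usable, and once it is, a few bytes of known plaintext are enough to recover a short XOR key. The alphabet, key and plaintext are constructed sample values; real samples use arbitrary permutations of the 64 characters rather than the rotation used here.

```python
"""Added example: XOR and custom-alphabet base64 obfuscation, with the decoding
side an analyst uses to peel the layers off again. Not code from the article or
its interviewees; all sample data below is constructed."""
import base64
import string

# Standard base64 alphabet (RFC 4648); '=' padding is not part of it.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the repeating key. XOR is its own inverse, so the
    same call both obfuscates and deobfuscates."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext key recovery: if the first key_len bytes of the original
    are known (e.g. a file header), XORing them with the ciphertext yields the key."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and known plaintext")
    return xor_bytes(ciphertext[:key_len], known_plaintext[:key_len])


def check_alphabet(alphabet: str) -> None:
    """A usable custom alphabet is a permutation of the standard 64 characters."""
    if len(alphabet) != 64 or set(alphabet) != set(STD_ALPHABET):
        raise ValueError("alphabet must be a permutation of the 64 standard characters")


def b64_custom_encode(data: bytes, alphabet: str) -> str:
    """Encode with the standard library, then substitute the custom alphabet."""
    check_alphabet(alphabet)
    table = str.maketrans(STD_ALPHABET, alphabet)
    return base64.b64encode(data).decode("ascii").translate(table)


def b64_custom_decode(text: str, alphabet: str) -> bytes:
    """Map the custom alphabet back to the standard one, then decode normally.
    '=' is not in either table, so padding passes through untouched."""
    check_alphabet(alphabet)
    table = str.maketrans(alphabet, STD_ALPHABET)
    return base64.b64decode(text.translate(table))


def obfuscate(plaintext: bytes, key: bytes, alphabet: str) -> str:
    """Layer 1: repeating-key XOR. Layer 2: base64 with a non-standard alphabet."""
    return b64_custom_encode(xor_bytes(plaintext, key), alphabet)


def deobfuscate(blob: str, key: bytes, alphabet: str) -> bytes:
    """Reverse the layers in the opposite order."""
    return xor_bytes(b64_custom_decode(blob, alphabet), key)


# Constructed sample values: a rotated alphabet standing in for a custom table,
# a short repeating key, and a harmless made-up string to obfuscate.
SAMPLE_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]
SAMPLE_KEY = b"k3y"
SAMPLE_PLAINTEXT = b"GET /update.php?id=42 HTTP/1.1"


def demo() -> dict:
    """Run the layers forward and backward and collect the results."""
    blob = obfuscate(SAMPLE_PLAINTEXT, SAMPLE_KEY, SAMPLE_ALPHABET)
    return {
        "blob": blob,
        "round_trip": deobfuscate(blob, SAMPLE_KEY, SAMPLE_ALPHABET),
        # Decoding with the standard alphabet succeeds but yields garbage,
        # which is why the table has to be recovered from the sample first.
        "wrong_alphabet": xor_bytes(base64.b64decode(blob), SAMPLE_KEY),
        # With the alphabet known and a guessed prefix, a short key falls out.
        "recovered_key": recover_xor_key(
            b64_custom_decode(blob, SAMPLE_ALPHABET), b"GET", len(SAMPLE_KEY)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The translation-table approach is the usual shortcut when a sample ships its own alphabet string: map it back onto the standard one and let the normal decoder do the work, rather than reimplementing base64.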

Zulfikar Ramzan, chief scientist within the cloud technology group at Sourcefire, has some more techniques to add to the list, starting with sleep and time triggers.

"In this case, the malware is designed to simply sleep or otherwise perform benign actions for some initial period of time, like five or 10 minutes," he says. "Only after this point do the actual nefarious actions begin."

Along similar lines, some malware will have a built-in trigger so that malicious actions are only performed on or after a specific time and date (or after a specific trigger event). A typical sandbox can only afford to analyse malware for a short period of time, either because it has a lot of malware that still needs to be analysed or because a user might be waiting for the analysis to complete before they can proceed.

"If no malicious behaviours are observed during this time," Ramzan warns, "then the malware will evade the sandbox's detection capabilities."

Then there are the human detection techniques. A sandboxed environment is an artificial environment in which a suspected piece of malware is detonated and observed in an automated fashion. "In other words," Ramzan says, "there is no actual human being using the system." As a result, to detect the presence of a sandbox, it suffices for malware authors to detect whether an actual human being is actively using the system.

"A simple way to see if a real user is on the system is by having the malware monitor the system on which it is running for the presence of mouse clicks," Ramzan advises. "The premise is that real users will almost certainly use their mouse, while you do not typically see mouse clicks in an automated environment."

If the malware detects the presence of a human being, it will continue to operate as normal; if no human presence is detected, the malware will conclude that it is being executed in a sandbox environment and will purposefully avoid any malicious behaviours to evade detection.

Ramzan then turns his attention to implementation-specific techniques designed to bypass specific sandbox implementations. "No matter what sandbox technology you use, there will always be tell-tale signs of its presence," he says. "The presence of specific processes executing on the system, specific files in specific locations, specific registry keys, and so on."

Malware can be designed to look for these indicators and, if it finds them, behave non-maliciously.

The truth of the matter is that malware authors are always keenly aware of detection methods and will employ whatever strategies they can to circumvent them.

Indeed, Dan Brown, director of threat research at Bit9, insists that the methods outlined by FireEye represent a small subset of analysis avoidance methods.

"No single existing tool is sufficient for comprehensive attack detection and attackers will always be able to devise circumvention mechanisms for known anti-evasion techniques," he says. "Automated analysis techniques are improving, but they are not yet (and will likely never be) sufficient to replace human malware analysts."

Cheap suit syndrome?

Does all this knowledge actually benefit the enterprise security team directly? Or doesn't it really matter as long as the security vendors are all over it like a cheap suit?

Jason Hill, lead security researcher at Websense Security Labs, is in no doubt that knowledge of attacker techniques definitely benefits the enterprise security team. "From an organisational or management perspective, knowledge of attackers' techniques can be factored into choosing appropriate solutions," he says.

"From an operational security perspective, knowing what to look for and knowing how it's done assists in decision making when reviewing or investigating security incidents."

While knowledge is never bad, the business reality is that there will never be enough resources for all threats or potential threats to be investigated manually by the in-house security teams, according to Waite.

"Given this reality, teams need to rely on automated tools to do the grunt-work, providing guidance and direction as to where best to manually investigate further," Waite advises.

If vendors providing the automated services are able to identify the obfuscation, the capabilities of the in-house team will be undiminished.

In conclusion

The trouble with security in general, and malware developments in particular, is that every new advance in the sophistication of attacks results in yet another hit to the security budget.

"Sometimes new layers of protection will need to be added or new services will be employed," claims Fred Touchette, senior security analyst at AppRiver.

The strain on finances is potentially at bankruptcy levels according to some.

"If all we do is security, then other areas will fail," warns the immediate past president of ISACA London, Sue Milton. "If we don't do enough then the breaches will bring us down."

She continues: "We are between a rock and a hard place." Milton advocates risk-based assessments so that the budget is spent where it can most help, but admits this is a complex and imperfect art and science.

Lisa Myers, a virus hunter at Intego, sums it up for us nicely when she says that the implications for the enterprise are simple. "Don't put all your security budget eggs in one basket," she warns.

Whether it be sandboxes or AV or firewalls or a box full of magic hammers, Myers insists there are things that others will miss. "If your resources and data are sufficiently valuable that you're dealing with advanced malware and attacks, you should definitely have a security strategy that attacks the problem as overall risk mitigation rather than picking one single technology as a panacea," she concludes.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.