Diamonds are a girl's best friend, prime numbers are a mathematician's best friend and automated analysis systems (AAS) are an AV researcher's best friend. Unfortunately, malware authors know this too, and hence techniques to evade automated analysis systems are not only becoming an integral part of APTs, but many infamous malware families have also resurrected and are using techniques to bypass the AAS in order to stay under the radar.
The infamous Kelihos botnet was claimed to be dead in 2011 and got resurrected. To evade the automated analysis system, one of its samples, aka Trojan Nap, found in 2013, employs the SleepEx() API with a 10-minute timeout. Since automated analysis systems are set to execute a sample within a given time frame, which is measured in seconds, an extended sleep call can prevent an AAS from capturing the sample's behavior. The sample also calls the undocumented API NtDelayExecution() to perform extended sleeps.
As per the report from Mandiant, the infamous RAT Poison Ivy has been used extensively in targeted attacks and appeared to have been abandoned in 2008. Trojan UpClicker, reported in December 2012 and a wrapper around Poison Ivy, employs the SetWindowsHookEx() API to hide its malicious activity. By passing 0EH as a parameter to the function, the malicious code is only activated when the left mouse button is clicked and released. Since there is no human interaction in an AAS, the code remains dormant and bypasses the AAS.
PushDo, yet another infamous malware, checks the build number of the Windows OS. Once it has determined the build number, it finds a pointer to the PspCreateProcessNotify() routine and deregisters all the callbacks. Once the callbacks have been deregistered, the malware can create or delete processes, bypassing the process monitoring module of the AAS.
Trojan Hastati was designed to wipe all the hard drives of computers in Korea. It used the GetLocalTime() API to activate itself on March 20th 2013 at 2:00 P.M. If the sample is executed in an AAS before 20th March 2013, the payload does not run and the sample evades the AAS.
UpClicker, PushDo, Hastati and Nap are some of the resurrected advanced malware and/or APTs that use evasion techniques to avoid detection by an AAS.
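The indicators above can be checked mechanically against a sandbox API trace. The Python below is an added example, not code from the talk or from FireEye: the trace format, the 120-second analysis window and the sample trace are constructed assumptions, and the PushDo kernel trick is omitted because it leaves no user-mode API call to match.

```python
import re
from collections import Counter

# Constructed sample trace, one "Api(arg=value, ...)" call per line; not real AAS output.
SAMPLE_TRACE = """\
GetLocalTime()
SleepEx(dwMilliseconds=600000, bAlertable=0)
NtDelayExecution(Alertable=0, DelayInterval=-6000000000)
SetWindowsHookExW(idHook=14, lpfn=0x401000, hMod=0x400000, dwThreadId=0)
CreateFileW(lpFileName=C:\\Users\\victim\\notes.txt)
"""
WH_MOUSE_LL = 14           # the 0EH hook id used by UpClicker (low-level mouse hook)
MAX_SANDBOX_SECONDS = 120  # assumed AAS execution window; longer delays are suspicious
CALL_RE = re.compile(r"^(\w+)\((.*)\)$")

def parse_call(line):
    # Split "Name(k=v, k=v)" into (name, {k: v}); None for lines that do not match
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    name, argstr = m.groups()
    args = dict(p.split("=", 1) for p in argstr.split(",") if "=" in p)
    return name, {k.strip(): v.strip() for k, v in args.items()}

def classify(name, args):
    # Map one call to an anti-AAS indicator label, or None if it looks benign
    if name == "SleepEx":
        if int(args.get("dwMilliseconds", 0)) > MAX_SANDBOX_SECONDS * 1000:
            return "extended_sleep"
    elif name == "NtDelayExecution":
        ticks = int(args.get("DelayInterval", 0))  # negative = relative, 100 ns units
        if ticks < 0 and -ticks > MAX_SANDBOX_SECONDS * 10_000_000:
            return "extended_sleep"
    elif name.startswith("SetWindowsHookEx"):
        if int(args.get("idHook", -1)) == WH_MOUSE_LL:
            return "mouse_hook_trigger"
    elif name == "GetLocalTime":
        return "time_check"  # weak alone, but a date-gated payload like Hastati needs it
    return None

def score_trace(trace):
    # Count indicator hits over a whole trace, e.g. to feed an AAS verdict or alert
    hits = Counter()
    for line in trace.splitlines():
        parsed = parse_call(line)
        label = classify(*parsed) if parsed else None
        if label:
            hits[label] += 1
    return dict(hits)
```

A trace that trips the sleep or hook indicator is a candidate for a longer run or for forcing the trigger (advancing the clock, injecting mouse events) rather than a clean verdict.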
In the first part of the presentation we provide an exhaustive list of the techniques, APIs and code segments from APTs and active malware that are being used to bypass the AAS. We will also give live demonstrations of some of the anti-analysis techniques that have emerged in the recent past.
In the next part of the presentation we provide an in-depth technical analysis of the automated analysis system technologies available today, focusing on the computer security aspect. It will provide a comparison framework for the different technologies that is consistent, measurable, and understandable by both IT administrators and security specialists. In addition, we explore each of the major commercially available automated analysis system flavors and evaluate their ability to stand against these evasions. We will present an architectural decomposition of automated analysis systems to highlight their advantages and limitations, and a historical view of how rapidly anti-AAS techniques have evolved recently. This will kick-start the conversation on the new vectors that sophisticated malware is likely to use to actively target AAS in the future.
Abhishek Singh is a renowned security researcher, currently employed at FireEye. His day-to-day responsibilities involve the analysis of advanced malware and APTs and architecting mitigating solutions. His research is often referenced in national and international media. He has authored over 50 research papers, books and patents in the areas of vulnerability analysis, reverse engineering, malware analysis and intrusion prevention systems. Some of these papers and patents are fundamental to intrusion prevention systems, vulnerability research and binary analysis, and have made an impact by preventing exploitation by unknown malware and undisclosed vulnerabilities. Before joining FireEye, he was employed at Microsoft's Malware Protection Center, where some of his key accomplishments include:
* Led the development of 50+ protocol decoders for Threat Management Gateway and host-based IPS.
* Analysis of 0-day vulnerabilities reported in Microsoft's products. Developed various patent-pending algorithms for faster analysis of binaries.
* Worldwide patent-pending architectural changes in IPS capable of preventing many zero-day vulnerabilities before they were reported.
* He was also one of the initial technical members of the Third Brigade Security Center, now part of Trend Micro.
Abhishek holds a Master of Science in Information Security and a Master of Science in Computer Science, both from the College of Computing, Georgia Institute of Technology, and a B.Tech. in Electrical Engineering from the Indian Institute of Technology, BHU, India.
Currently heading security research at FireEye, Zheng Bu is a security architect focused on intrusion prevention, malware, botnets and APTs. He is a runner, hiker and badminton player.