An excellent example of this tactic is seen in the Dyre/Dyreza banking malware. According to research published by Alex Chiu & Angel Villegas, two security analysts for Talos Group, older versions of Dyre hardcoded their URLs when communicating with their command and control (C&C) servers. However, in an attempt to evade malware blacklists, the creators of Dyre have since begun changing the malware’s domain on a daily basis. To adapt to this constant change, newer versions of Dyre now employ a domain generation algorithm (DGA), which computes where the C&C servers will be at any given time. This modification increases the difficulty of blocking traffic associated with the malware.

Timing-based evasion is the third most common technique observed by Lastline. Malware uses this type of behavior to run only at certain times or only after certain actions are taken by the user: opening a window following initial infection and waiting for the user to click, activating only after the system reboots, or running before or after specific dates. Black POS malware, one of the most pervasive types of POS malware observed in the wild today, exhibits timing-based evasion in that some samples, especially newer variants, check the system time on the infected machine against a time hardcoded into the executable. This feature allows Black POS to execute during certain periods while remaining dormant the rest of the time.

The fourth and final most common evasion technique is obfuscating internal data. Malware that implements this tactic might use any number of tricks to run code that cannot be detected by the analysis system. ROM, a new variant of the Backoff POS malware, is well-versed in this method of evasion: it replaces API names with their hashed values, uses a table of hashed values to exclude certain processes from being parsed, and communicates with the C&C server using port 443, which effectively encrypts the traffic. All three of these modifications make it difficult for systems to effectively identify ROM’s malicious nature.

It is important to note that most of the malware analyzed by Lastline blend these four behaviors together. In illustration of this fact, a majority (95%) of Carbanak samples obfuscate their internal data by hiding their network activity through code injection and by creating .exe files that masquerade as system files. At the same time, Backoff’s encryption modification hampers detection via automated tools, and Dyre analyzes its runtime environment (i.e. where it is executing from) in order to determine what it should do next, which includes installing as the “googleupdate” service if it is executing from the Windows directory.

Clearly, today’s malware is becoming more sophisticated with respect to the use of evasive behavior. But there is still hope for the information security community.
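The DGA behaviour described above for Dyre is something a defender can look for on the DNS side: algorithmically generated names tend to be long, have a near-random character mix, few vowels and digits interleaved with letters, whereas human-chosen names do not. The following is an added example, not code from the original post or from the Talos or Lastline research; it runs a simple lexical scoring over constructed DNS query log lines and groups the hits per client. The log format, the four traits scored, and the thresholds (label length 20, entropy 3.5 bits, vowel ratio 0.25, digit ratio 0.2) are tuning assumptions, not values from any cited work.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (not captured Dyre traffic):
# "<timestamp> <client ip> <queried name>", one query per line.
SAMPLE_DNS_LOG = """\
2015-06-01T10:00:01Z 10.0.0.12 www.google.com
2015-06-01T10:00:02Z 10.0.0.12 update.microsoft.com
2015-06-01T10:00:03Z 10.0.0.17 xk3jq9vz1mwb7tq0cplr8yfd2nsh4ug.net
2015-06-01T10:00:04Z 10.0.0.17 q7w2e9r4t1y6u8i3o5p0a2s4d6f8g1h.com
2015-06-01T10:00:05Z 10.0.0.12 mail.example.org
2015-06-01T10:00:06Z 10.0.0.17 bvn4m2k8l0j6h3g5f7d9s1a2p4o6i8u.org
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty or uniform input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(fqdn):
    """Label directly under the TLD. Naive: treats 'co.uk'-style suffixes as a label."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(fqdn):
    """Count how many DGA-like traits the registrable label shows (0..4).

    Thresholds are assumptions chosen for this example, not measured values.
    """
    label = registrable_label(fqdn)
    if not label:
        return 0
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    score = 0
    score += len(label) >= 20                  # unusually long label
    score += shannon_entropy(label) >= 3.5     # near-random character mix
    score += vowel_ratio < 0.25                # not pronounceable
    score += digit_ratio > 0.2                 # digits interleaved with letters
    return score


def flag_dga_candidates(log_text, min_score=3):
    """Return {client_ip: [suspicious fqdn, ...]} for queries scoring >= min_score."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, client, fqdn = m.groups()
        if dga_score(fqdn) >= min_score:
            hits[client].append(fqdn)
    return dict(hits)


if __name__ == "__main__":
    for client, names in flag_dga_candidates(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like queries")
        for name in names:
            print("   ", name)
```

Lexical scoring alone produces false positives on CDN hostnames and hashed-subdomain services, so in practice the per-client count of distinct suspicious names over a day (Dyre rotates daily, so a host that queries a fresh batch every morning stands out) is a better alerting signal than any single query.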
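The ROM passage above mentions two uses of hashing as obfuscation: API names stored as hash values, and a table of hashed process names. The analyst-side counterpart for both is a reverse lookup: hash every known export or process name with the sample's own hash routine and map the constants recovered from the binary back to names. This is an added example, not code from the post or from any of the named research; the page does not say which hash ROM uses, so a 32-bit rotate-right-by-13 additive hash stands in purely as an illustrative assumption, and the candidate lists and "recovered" constants are constructed for the example.

```python
# Illustrative 32-bit ROR13 additive hash. ASSUMPTION: the page does not state
# which hash ROM uses; swap in the routine recovered from the sample under analysis.
def ror32(value, count):
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name):
    """Hash an ASCII name the way a hash-resolving loader would."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h


# Constructed candidate lists. A real run would load full export tables of the
# DLLs the sample imports plus a list of process names seen on the host.
API_NAME_CANDIDATES = [
    "LoadLibraryA", "GetProcAddress", "CreateFileA", "ReadFile", "WriteFile",
    "CreateProcessA", "VirtualAlloc", "WinExec", "InternetOpenA",
    "InternetConnectA", "HttpOpenRequestA", "HttpSendRequestA",
    "CreateToolhelp32Snapshot", "Process32First", "Process32Next", "OpenProcess",
]
PROCESS_NAME_CANDIDATES = [
    "explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
]


def build_lookup(names, hash_fn=ror13_hash):
    """Map hash -> name. Raises if two candidates collide, since a collision
    would silently mislabel a constant during analysis."""
    lookup = {}
    for name in names:
        h = hash_fn(name)
        if h in lookup and lookup[h] != name:
            raise ValueError(f"hash collision: {lookup[h]!r} vs {name!r} -> {h:#010x}")
        lookup[h] = name
    return lookup


def resolve_hashes(hashes, lookup):
    """Return {hash: name or None} so unresolved constants stay visible."""
    return {h: lookup.get(h) for h in hashes}


# Constructed stand-in for constants pulled out of a sample: three we can
# resolve with the candidate lists above and one we cannot.
SAMPLE_HASHES = [
    ror13_hash("LoadLibraryA"),
    ror13_hash("InternetOpenA"),
    ror13_hash("svchost.exe"),
    ror13_hash("NotInAnyCandidateList"),
]

if __name__ == "__main__":
    table = build_lookup(API_NAME_CANDIDATES + PROCESS_NAME_CANDIDATES)
    for h, name in resolve_hashes(SAMPLE_HASHES, table).items():
        print(f"{h:#010x} -> {name or '<unresolved>'}")
```

Unresolved constants are the interesting output: they either point at exports from a DLL not yet in the candidate list or at a process name the operators specifically wanted skipped, which is exactly the kind of detail worth feeding back into detection content.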