Hot Knives Through Butter: Bypassing File-based Sandboxes


ZeroDay
Aug 17, 2013
As my colleague Zheng Bu and I explain in an upcoming presentation at the Black Hat USA conference, malware is using a variety of checks to determine whether it is running in a sandbox and “play dead” until it reaches a live target. These checks fall into several categories:

  • Human interaction — mouse clicks and dialog boxes
  • Configuration-specific — sleep calls, time triggers, and process hiding
  • Environment-specific — version, embedded iframes, and DLL loaders
  • VMware-specific — system-service lists, unique files, and the VMX port
Here are a few recent examples we have found.

Khelios

The Khelios botnet, declared dead in 2011, has since resurrected. To evade detection within file-based sandboxes, one of the new Khelios samples (also known as the Trojan Nap) found in 2013 calls the SleepEx() API with a 10-minute time-out. Because most sandboxes are set to execute a sample for a short time frame (usually seconds), the Nap sample simply delays malicious activity beyond the monitored time period of most sandboxes to evade detection. The sample called the undocumented Windows API function NtDelayExecution() to perform an extended sleep call.

Poison Ivy

The infamous remote-access tool Poison Ivy, which has been used extensively in targeted attacks, appears to have not been significantly updated since 2008. But a 2012 sample of the Trojan UpClicker, which is used as a wrapper around Poison Ivy, employs the SetWindowsHookEx() API function to hide its malicious activity. By sending 0EH as the parameter to the function, the malicious code is activated only when the left mouse button is clicked and released. Because most file-based sandboxes do not mimic human interaction, this malware remains dormant during analysis and evades detection.

PushDo

PushDo, yet another infamous malware example, checks the build number of the Windows OS. Once identified, it finds a pointer to the PspCreateProcessNotify() API routine, to deregister all existing process callbacks — including any of the sandbox’s monitoring modules. Once all callbacks are deregistered, the malware creates and deletes processes without being detected.

Hastati

Trojan Hastati was designed to wipe out all the hard drives of a computer in Korea. It used the GetLocalTime() API function to activate itself at 2 PM on March 20, 2013. If the sample is monitored in a file-based sandbox before that time and date, it does not execute, evading detection.

UpClicker, PushDo, and Nap are just some of the resurrected advanced malware that use evasion techniques against file-based sandboxes.

In the first part of our Black Hat presentation, we provide an in-depth, technical analysis of these evasion methods, which bypass sandboxes commonly used by the anti-virus industry. The talk also compares the effectiveness of three file-based sandboxes in detecting these tactics. And we will provide a live demonstration of some of these anti-analysis techniques operating in the wild.

Wilders thread: http://www.wilderssecurity.com/showthread.php?t=359785
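As an added example (not part of the original post or of the FireEye material it quotes), here is a small Python checker that runs over a constructed sandbox API-call trace and flags the indicators the post describes from the sandbox side: long sleeps via SleepEx or NtDelayExecution, a mouse hook registered with idHook 0EH (14, WH_MOUSE_LL), and local-clock queries that can feed a date trigger like Hastati's. The trace format, the names SAMPLE_TRACE, parse_call and find_evasion_indicators, and the one-minute threshold are assumptions; it also flags WH_MOUSE (7), which the post does not mention.

```python
import re

# Constructed sandbox API-call trace, one call per line (sample data, not from the post).
SAMPLE_TRACE = """\
pid=1234 SleepEx(dwMilliseconds=600000, bAlertable=0)
pid=1234 NtDelayExecution(Alertable=0, DelayInterval=-6000000000)
pid=1234 SetWindowsHookEx(idHook=14, lpfn=0x401000, hMod=0x400000, dwThreadId=0)
pid=1234 GetLocalTime()
pid=5678 Sleep(dwMilliseconds=100)
"""

LONG_SLEEP_MS = 60_000                              # assumed threshold: over a minute is suspect
MOUSE_HOOKS = {7: "WH_MOUSE", 14: "WH_MOUSE_LL"}    # 0EH = 14 = WH_MOUSE_LL (UpClicker's value)
CLOCK_APIS = {"GetLocalTime", "GetSystemTime", "GetSystemTimeAsFileTime"}

CALL_RE = re.compile(r"pid=(\d+)\s+(\w+)\((.*)\)$")
ARG_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_call(line):
    """Return (pid, api, {arg: value}) for one trace line, or None if it does not match."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    pid, api, raw_args = m.groups()
    # Decimal and 0x-prefixed values become ints; anything else stays a string.
    args = {k: int(v, 0) if re.fullmatch(r"-?0x[0-9a-fA-F]+|-?\d+", v) else v
            for k, v in ARG_RE.findall(raw_args)}
    return int(pid), api, args


def find_evasion_indicators(trace, long_sleep_ms=LONG_SLEEP_MS):
    """Return (pid, indicator, detail) tuples for calls matching the evasion patterns."""
    findings = []
    for line in trace.splitlines():
        parsed = parse_call(line)
        if not parsed:
            continue
        pid, api, args = parsed
        if api in ("Sleep", "SleepEx") and args.get("dwMilliseconds", 0) >= long_sleep_ms:
            findings.append((pid, "long_sleep", f"{api} {args['dwMilliseconds']} ms"))
        elif api == "NtDelayExecution":
            # DelayInterval is in 100-ns units; a negative value means a relative delay.
            ms = abs(args.get("DelayInterval", 0)) // 10_000
            if ms >= long_sleep_ms:
                findings.append((pid, "long_sleep", f"NtDelayExecution {ms} ms"))
        elif api == "SetWindowsHookEx" and args.get("idHook") in MOUSE_HOOKS:
            findings.append((pid, "mouse_hook_trigger", MOUSE_HOOKS[args["idHook"]]))
        elif api in CLOCK_APIS:
            findings.append((pid, "clock_query", api))
    return findings


if __name__ == "__main__":
    for pid, kind, detail in find_evasion_indicators(SAMPLE_TRACE):
        print(f"pid {pid}: {kind:20s} {detail}")
```

A sandbox that sees the long_sleep or clock_query indicators can respond by accelerating the clock or extending the run, and a mouse_hook_trigger suggests injecting simulated clicks before concluding the sample is benign.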