By John Zorabedian
Malware authors are constantly developing new techniques to avoid not just antivirus, but the environments used by security researchers to analyze malware samples.
In a preview of his presentation, James Wyke writes at Naked Security that his paper explores several malware families and a variety of techniques they use to throw researchers off the trail.
According to James, sandboxing has become an invaluable tool for analyzing malware, but there are ways for malware to detect that it is running in a sandbox environment and exit immediately.
However, “a subset of malware families are more cunning when they detect an analysis environment,” James explains.
James’s paper details the ways several malware families employ a variety of techniques to throw off researchers or otherwise produce erroneous analysis results, including:
- How some families, such as Andromeda, display more benign behavior under a virtual machine than on a real machine
- How Vundo uses decoy command and control addresses to divert attention and potentially induce false positives
- How Simda builds a blacklist of researcher IP addresses
- How Shylock distributes dummy configuration files to send analysts down divergent paths
Our SophosLabs researchers will be presenting several other papers at this year’s conference. You can check out the abstracts on the Virus Bulletin website at these links:
- Evolution of Android exploits from a static analysis tools perspective, by Anna Szalay and Jagadeesh Chandraiah
- Duping the machine – malware strategies, post sandbox detection, by James Wyke
- Android packer: facing the challenges, building solutions, by Rowland Yu
- Unveiling the kernel: rootkit discovery using selective automated kernel memory differencing, by Ahmed Zaki and Benjamin Humphrey