Evasion Techniques: When Malware Suspects It’s Being “Watched”

By Juanjo Galán, Business Strategy at All4Sec, on malware evasion techniques.

Today’s malware no longer focuses simply on causing damage once it is installed on a victim’s computer; it also tries to anticipate the suspicion that it might be “watched” by cyber-protection systems.

Sandboxing

When a client suspects that an executable may contain malware, the file is usually sent to a sandbox system, which tries to run it in a controlled environment: one where it cannot cause damage, and where information about its activity can be collected and used to prepare and protect the rest of the systems against its patterns of action.

Usually these controlled environments, or sandboxes, have certain peculiarities that distinguish them from the usual victim platforms. And it is precisely these peculiarities that malware analyzes before taking the next steps in the process of infecting a computer.

Basically, it is a procedure in which, prior to executing its payload, the malware checks certain parameters or performs certain queries, and the answers determine whether it continues or deactivates itself to avoid being analyzed.

The questions malware asks before executing itself

The checks that malware performs before proceeding with its execution are numerous, and its suspicion that it may be under investigation is triggered almost as soon as it starts running. It has been shown that malware analyzes multiple “patterns” with which it tries to unmask its opponents: the presence of certain files on the victim’s computer, its IP address, its geographical location, the type of CPU it uses, the number and type of active processes, or even whether “debug” mode is enabled for its execution so that data can be logged. The malware also usually pays attention to runtime control, which is very common in sandbox environments, and verifies whether the computer is being used by a person, for example through the number of recently opened files or the user’s Internet browsing activity (by checking whether the browser’s history contains a minimum number of URLs). As a further check, it may even look at the CPU temperature, whether the computer has a screen, or what its graphics resolution is.

Taken together, this is a wide enough set of possibilities that in many cases it allows the malware to determine whether it is running in a simulated environment. Depending on the conclusions of this analysis, the malware may remain dormant, with no activity, waiting for “better times”, or simply deactivate itself because it has discovered that it is being monitored.
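As an added example, not part of the article, a small triage routine that runs over a constructed API-call trace of the kind a sandbox records and reports which of the “questions” above the sample asked, whether it stalled, and whether it quit right after probing. The trace format, the probe grouping and the stalling threshold are assumptions of this example; the API names are real Windows functions.

```python
import re
from collections import Counter

# Constructed API-call trace in a simple "t=<ms> <api>(<args>) -> <ret>" format; not any real sandbox's output.
SAMPLE_TRACE = """\
t=0 GetModuleHandleW(kernel32.dll) -> 0x7ff8
t=3 IsDebuggerPresent() -> 0
t=5 GetSystemMetrics(SM_CXSCREEN) -> 1024
t=7 CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS) -> 0x1c4
t=9 Process32NextW(0x1c4) -> 1
t=12 RegOpenKeyExW(HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs) -> 2
t=14 GetCursorPos() -> (0, 0)
t=20 Sleep(600000) -> 0
t=21 ExitProcess(0) -> -
"""
PROBES = {  # real API names, grouped by the "question" each one answers (grouping is this example's)
    "IsDebuggerPresent": "debug mode",
    "GetSystemMetrics": "screen/resolution",
    "CreateToolhelp32Snapshot": "running processes",
    "Process32NextW": "running processes",
    "GetCursorPos": "human activity",
}
LINE_RE = re.compile(r"t=(\d+)\s+(\w+)\((.*?)\)\s*->\s*(.*)")
LONG_SLEEP_MS = 60_000   # stalling threshold; an assumed value, tune per sandbox

def analyse_trace(trace: str) -> dict:
    """Summarise evasion probes, stalling sleeps and whether the process quit with no real work after probing."""
    probes, stalls = Counter(), []
    last_probe_t = exit_t = None
    work_after_probe = False
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, api, args = int(m.group(1)), m.group(2), m.group(3)
        if api in PROBES:
            probes[PROBES[api]] += 1
            last_probe_t = t
        elif api == "RegOpenKeyExW" and "TypedURLs" in args:   # browser-history check
            probes["browser history"] += 1
            last_probe_t = t
        elif api == "Sleep" and int(args) >= LONG_SLEEP_MS:     # waiting out the sandbox's run time
            stalls.append(int(args))
            last_probe_t = t
        elif api == "ExitProcess":
            exit_t = t
        elif last_probe_t is not None:
            work_after_probe = True   # any other API after a probe counts as payload activity
    # Probing and then exiting with no other activity is the "deactivate itself" behaviour described above
    exit_after_probes = exit_t is not None and last_probe_t is not None and not work_after_probe
    return {"probes": dict(probes), "stalls": stalls, "exit_after_probes": exit_after_probes}
```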

How they go undetected

However, malware can also use other procedures to avoid arousing suspicion and thus manage to run undetected on its victims’ systems. These techniques include a multitude of procedures, although some stand out in particular. The most commonly used are listed below:

  • BITS tasks (Background Intelligent Transfer Service). These are tasks that allow files to be transferred in Windows environments, and they are sometimes used to download malware.
  • Modifications to registry entries to hide the malware’s own activity.
  • Obfuscating the malware through encryption, or referencing function locations without explicitly using the function name. These techniques make it difficult for protection systems to identify the malware’s calls to critical library services.
  • Living off the Land. This consists of loading and executing malware directly in the computer’s memory without touching the file system, so that no traces are left on the computer. For example, stubs are programs that take previously encrypted malware, decrypt it and load it into memory without going through the file system.
  • Use of encrypted connections to download malware, for example file downloads over HTTPS.
  • Use of Rundll32.exe. This program allows dynamic libraries to be loaded and executed; however, the same mechanism makes it possible to execute almost anything, from JavaScript code to system commands.
  • Use of Regsvr32.exe, which allows, for example, the extension of a file to be changed so that it looks like a “jpg” image and yet runs as a library.

The above list is just a sample of the possibilities that malware has to hide its presence; we will not go into an exhaustive analysis, to avoid being tiresome. What is relevant, in any case, is that in the face of this type of evasion technique, cybersecurity professionals must constantly develop mechanisms that allow them to be identified and, at the same time, neutralized.
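As an added, defender-side illustration that is not code from the article or from All4Sec, a heuristic over constructed process-creation events that flags the Rundll32.exe, Regsvr32.exe and BITS abuses listed above (script code handed to rundll32, a non-library extension handed to regsvr32, a BITS transfer from the network). The one-line event format, the paths and the list of library extensions are assumptions of this example.

```python
import re

# Constructed process-creation events in a simplified one-line format (not real Sysmon output).
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe shell32.dll,Control_RunDLL"',
    r'Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe javascript:<constructed-sample>"',
    r'Image=C:\Windows\System32\regsvr32.exe CommandLine="regsvr32.exe /s C:\Users\Public\holiday.jpg"',
    r'Image=C:\Windows\System32\regsvr32.exe CommandLine="regsvr32.exe /s C:\Vendor\lib.dll"',
    r'Image=C:\Windows\System32\bitsadmin.exe CommandLine="bitsadmin /transfer job https://example.invalid/a.bin C:\Users\Public\a.bin"',
]
EVENT_RE = re.compile(r'Image=(\S+)\s+CommandLine="(.*)"')
LIBRARY_EXT = {"dll", "cpl", "ocx", "ax"}   # extensions these host binaries are normally given (assumed list)

def ext_of(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""

def check_event(image: str, cmdline: str) -> list:
    """Return the suspicious findings for one event (a triage heuristic, not a complete detection rule)."""
    name = image.rsplit("\\", 1)[-1].lower()
    args = cmdline.split()[1:]                     # constructed paths contain no spaces
    findings = []
    if name == "rundll32.exe" and args:
        module = args[0].split(",")[0]             # rundll32 expects <module>,<entry point>
        if module.lower().startswith(("javascript:", "vbscript:")):
            findings.append("rundll32 asked to run script code instead of a library")
        elif ext_of(module) not in LIBRARY_EXT:
            findings.append(f"rundll32 loading a non-library file .{ext_of(module)}")
    elif name == "regsvr32.exe":
        for target in (a for a in args if not a.startswith("/")):
            if ext_of(target) not in LIBRARY_EXT:  # e.g. a renamed "jpg" registered as a COM library
                findings.append(f"regsvr32 registering a .{ext_of(target)} file as a library")
    elif name == "bitsadmin.exe":
        if any(a.lower() == "/transfer" for a in args) and any(a.lower().startswith("http") for a in args):
            findings.append("BITS job used to fetch a file from the network")
    return findings

def scan_events(events) -> list:
    """Run check_event over every parsable line; returns (host binary, finding) pairs in event order."""
    out = []
    for line in events:
        m = EVENT_RE.match(line)
        if m:
            out.extend((m.group(1).rsplit("\\", 1)[-1].lower(), f) for f in check_event(*m.groups()))
    return out
```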

This whole process is a challenge that sometimes turns into an unequal struggle, one in which the “good guys almost always lag behind the creativity of the bad guys”, and in which cybersecurity professionals confront cybercriminals through what we could colloquially call a process of “counter-cyberintelligence” that is often built into the malware itself.