Malware – The game of cat and mouse

June 17, 2013

Malware writers and malware researchers play a constant game of cat and mouse - one where the former consistently have the upper hand.

While there is some overlap, malware evasion techniques can be broadly categorised into 3 main areas with 3 main goals:

  • Egress bypass (Exfiltrate) – bypass controls to communicate to an external command and control (C&C) server, to pull new commands and push data
  • Researcher bypass (Stall) – slow down methods to reverse engineer and defend against malware, extending the window where the malware can exist in the wild
  • User bypass (Persist) – bypass user based controls such as anti-virus (AV), operating system (OS) controls or generally evading the user to avoid detection

These categories can be broken down into specific sub-components:

Egress bypass (Exfiltrate)

  • Script fragmentation – request commands in small chunks as opposed to one larger request
  • HTTP pull – pulling a resource from some innocent domain – such as a legitimate image file which contains an encoded payload
  • HTTP DNS resolution – resolving DNS information via some HTTP service – such as extracting no-ip domain information from an HTTP-based DNS resolver, so that no conventional DNS query is observed
  • Peer-2-Peer (P2P) push/pull – Communicating via an inter-malware network using trust algorithms to push/pull commands and data
  • Encrypted/obfuscated protocols – Using either standardised or proprietary encryption methods to communicate via a secure channel
  • Hooking Application Programming Interface (API) calls – injecting into trusted processes such as web browsers to make requests

Researcher bypass (Stall)

  • Anti-Virtual Machine (VM)/debugging/disassembly techniques – applying techniques which cause the malware to change its behaviour inside a VM or refuse to run under a debugger
  • Domain Generation Algorithms (DGA) with misleading call backs – utilising a DGA to potentially poll 10k domains across 15 top level domains (TLDs), where only one needs to return valid information while the others reply with deceiving data
  • Obfuscated code – standard stalling technique
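As an added example (not from the original post), a defender-side heuristic for the DGA behaviour described above: a host polling thousands of generated names across many TLDs produces a burst of NXDOMAIN responses that a resolver log can surface. The log line format, the sample data and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (sample data, not from the original post).
# Host 10.0.0.5 polls many never-registered names across several TLDs;
# host 10.0.0.7 shows ordinary browsing with a single typo.
SAMPLE_LOG = "\n".join(
    [f"client=10.0.0.5 query=kq3x{i}vz.{t} rcode=NXDOMAIN"
     for i, t in enumerate(["com", "net", "org", "biz", "info"] * 2)]
    + ["client=10.0.0.5 query=update.example.com rcode=NOERROR",
       "client=10.0.0.7 query=www.example.org rcode=NOERROR",
       "client=10.0.0.7 query=cdn.example.net rcode=NOERROR",
       "client=10.0.0.7 query=wwww.example.org rcode=NXDOMAIN"]
)

# Assumed log format: "client=<ip> query=<fqdn> rcode=<NOERROR|NXDOMAIN>"
LINE_RE = re.compile(r"client=(\S+)\s+query=(\S+)\s+rcode=(\S+)")


def tld_of(fqdn: str) -> str:
    """Return the last label of a domain name, lower-cased."""
    return fqdn.rstrip(".").rsplit(".", 1)[-1].lower()


def dga_suspects(log_text: str, min_nx: int = 8, min_tlds: int = 3) -> dict:
    """Flag clients whose failed lookups look like DGA polling: many distinct
    NXDOMAIN names spread over several TLDs (a typo yields only one or two).
    Returns {client: {"nxdomains": n, "tlds": [...], "nx_ratio": r}}."""
    total = defaultdict(int)
    nx_names = defaultdict(set)
    nx_tlds = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip unparseable lines rather than failing
        client, name, rcode = m.groups()
        total[client] += 1
        if rcode == "NXDOMAIN":
            nx_names[client].add(name.lower())
            nx_tlds[client].add(tld_of(name))
    suspects = {}
    for client, seen in total.items():
        if len(nx_names[client]) >= min_nx and len(nx_tlds[client]) >= min_tlds:
            suspects[client] = {
                "nxdomains": len(nx_names[client]),
                "tlds": sorted(nx_tlds[client]),
                "nx_ratio": round(len(nx_names[client]) / seen, 2),
            }
    return suspects
```

Thresholds must be tuned per environment; legitimate software (stale CNAMEs, search-domain suffixing) also produces NXDOMAINs, so treat a hit as a triage lead rather than a verdict.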

User bypass (Persist)

  • Server/Client polymorphic algorithms to bypass signatures – using polymorphic algorithms to mutate code areas to bypass AV signatures and heuristics
  • Direct hardware access – bypass, change or piggyback OS controls by modifying the behaviour of core parts of the OS, particularly aiming to infect kernel mode (Ring 0)
  • Sleeping – once a machine is infected, sleeping for some predetermined amount of time before acting
  • Man in the Browser (MitB)/Web Injects/Session Redirection – injecting JavaScript into legitimate pages to discreetly steal session information from trusted websites
  • Digitally Signed – using legitimately issued but stolen certificates to sign malware so it appears as whitelisted/trusted software