

Malware uses "new" techniques to evade automated threat analysis systems

Posted by chiappelli at 2020-02-27

The title is a bit of a headline-grabber: techniques like these have most likely been around for a long time. Still, the Symantec write-up that prompted the headline is worth a look, so here it is.

Anyone who analyses malware is familiar with sandboxes and virtual machines. Whether the motivation is manageability, control, or the ability to simulate several operating systems, analysing malicious code inside a virtual environment is a very common practice. There are also many online services that accept uploaded files and scan them automatically with a large number of antivirus engines. Malware authors have responded by probing the environment they are running in: if the code decides it is inside a virtual machine or an automated analysis system, it simply does not execute its payload, which hides its behaviour and lets it slip past detection. This pays off most against multi-engine scanning services, since evading the analysis environment once is effectively the same as evading alerts from every engine behind it.

A recent Symantec write-up gives two real examples of how malware circumvents automated analysis systems. The techniques used are:

1. Detecting mouse activity

As shown in the figure, the sample calls the SetWindowsHookExA API to install a hook whose callback (the "main routine" subroutine) monitors mouse messages. If the callback sees the mouse move or a button being pressed, the malicious code runs; if it sees nothing, the malware stays dormant. The reasoning is that a real person using the machine will move the mouse, while an automated analysis system usually does not. A caveat worth knowing: many sandboxes now inject synthetic mouse movement and clicks precisely because of this trick, so on its own the check no longer separates a human from an analysis environment reliably.
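The following is an added example written for this post, not code from the Symantec write-up or from the sample it describes. It shows the shape of a "wait for a real mouse user" gate: a portable core that counts mouse activity and decides whether a human appears to be present, plus a Windows-only section that installs a WH_MOUSE_LL hook with SetWindowsHookExA to feed it. The core also ignores "move" events that do not actually change the cursor position, which is one cheap way to discount a sandbox that replays mouse messages without moving the cursor. All names (activity_t, note_mouse_event, human_present, wait_for_user), the thresholds, and the constructed event streams in the demo functions are this example's own assumptions.

```c
/* Added example: a mouse-activity gate of the kind described above.
 * Not the sample's code; names and thresholds are this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Evidence required before the payload may run (assumed values). */
#define MIN_REAL_MOVES 20   /* mouse-move events that changed the position */

typedef struct {
    long last_x, last_y;
    bool have_last;
    int  real_moves;   /* moves that actually changed the cursor position */
    int  clicks;       /* button-down events */
} activity_t;

/* Feed one mouse event into the activity record. */
void note_mouse_event(activity_t *a, long x, long y, bool is_click)
{
    if (is_click)
        a->clicks++;
    /* A "move" to the same coordinates is not evidence of a human. */
    if (a->have_last && (x != a->last_x || y != a->last_y))
        a->real_moves++;
    a->last_x = x;
    a->last_y = y;
    a->have_last = true;
}

/* Decision: a click, or enough genuine movement, counts as a user. */
bool human_present(const activity_t *a)
{
    return a->clicks > 0 || a->real_moves >= MIN_REAL_MOVES;
}

/* Constructed stream: a sandbox replaying 50 "moves" at a fixed point. */
bool demo_sandbox_stream(void)
{
    activity_t a = {0};
    for (int i = 0; i < 50; i++)
        note_mouse_event(&a, 100, 100, false);
    return human_present(&a);
}

/* Constructed stream: a cursor wandering across the screen, then a click. */
bool demo_user_stream(void)
{
    activity_t a = {0};
    for (int i = 0; i < 25; i++)
        note_mouse_event(&a, 100 + 3 * i, 200 + (i % 4), false);
    note_mouse_event(&a, 172, 203, true);
    return human_present(&a);
}

#ifdef _WIN32
static activity_t g_act;
static HHOOK g_hook;

/* Low-level mouse hook callback: runs on the installing thread's message loop. */
static LRESULT CALLBACK mouse_proc(int code, WPARAM wparam, LPARAM lparam)
{
    if (code == HC_ACTION) {
        const MSLLHOOKSTRUCT *m = (const MSLLHOOKSTRUCT *)lparam;
        bool click = (wparam == WM_LBUTTONDOWN || wparam == WM_RBUTTONDOWN);
        note_mouse_event(&g_act, m->pt.x, m->pt.y, click);
        if (human_present(&g_act))
            PostQuitMessage(0);   /* makes GetMessage return 0 below */
    }
    return CallNextHookEx(g_hook, code, wparam, lparam);
}

/* Block until enough activity has been observed. */
bool wait_for_user(void)
{
    g_hook = SetWindowsHookExA(WH_MOUSE_LL, mouse_proc, GetModuleHandleA(NULL), 0);
    if (!g_hook)
        return false;
    MSG msg;
    while (GetMessageA(&msg, NULL, 0, 0) > 0) {
        TranslateMessage(&msg);
        DispatchMessageA(&msg);
    }
    UnhookWindowsHookEx(g_hook);
    return human_present(&g_act);
}
#endif

int main(void)
{
#ifdef _WIN32
    if (wait_for_user())
        puts("user activity seen: payload would run here");
#else
    printf("sandbox-style stream -> %s\n", demo_sandbox_stream() ? "run" : "stay dormant");
    printf("user-style stream    -> %s\n", demo_user_stream() ? "run" : "stay dormant");
#endif
    return 0;
}
```

On Windows the program installs the hook and pumps messages until the callback has seen a click or enough genuine movement; elsewhere it only runs the two constructed streams through the same decision logic.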

2. Delayed execution

As shown in the figure, the code waits 300 seconds (5 minutes) before calling the decryptCode subfunction, waits another 20 minutes before calling the modifyRegistry subfunction, and waits a further 20 minutes around the networkMain subfunction. An automated analysis system normally spends only a short time on each file, so a program that does nothing for that long is frequently classified as clean. The caveat here is that sandboxes have learned to shorten or skip long sleeps, which is why samples that rely on delays often also compare the clock before and after the sleep and stay dormant if the time did not really pass.
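The following is an added example written for this post, not the sample's own code. It lays out the staged delays the page describes (300 seconds, then 20 minutes, then 20 minutes; the camel-cased names decryptCode, modifyRegistry and networkMain are taken from the page's description of the figure) and adds the refinement mentioned above that goes beyond the write-up: each sleep is timed against a wall clock, and the chain stops if a sandbox shortened or skipped the sleep. The helper names (timed_sleep_ms, sleep_was_honoured, run_staged), the 90% tolerance, and the divisor used to scale the delays down for a quick demonstration are this example's own assumptions; the stage bodies only print, since the page says nothing about what they do.

```c
/* Added example: staged delays with a "did the sleep really happen" check.
 * Not the sample's code; helper names and the tolerance are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <errno.h>
#include <time.h>
#endif

/* Monotonic wall clock in milliseconds. */
uint64_t now_ms(void)
{
#ifdef _WIN32
    return (uint64_t)GetTickCount64();
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000u + (uint64_t)ts.tv_nsec / 1000000u;
#endif
}

/* Plain sleep, the call a sandbox would typically hook or fast-forward. */
void raw_sleep_ms(uint64_t ms)
{
#ifdef _WIN32
    Sleep((DWORD)ms);
#else
    struct timespec ts = { (time_t)(ms / 1000), (long)(ms % 1000) * 1000000L };
    while (nanosleep(&ts, &ts) == -1 && errno == EINTR) { /* resume after signal */ }
#endif
}

/* Sleep for `ms` and report how much wall-clock time actually elapsed. */
uint64_t timed_sleep_ms(uint64_t ms)
{
    uint64_t t0 = now_ms();
    raw_sleep_ms(ms);
    return now_ms() - t0;
}

/* A sandbox that returns from Sleep() immediately (or only advances the
 * tick counter it controls) leaves `elapsed` far below `intended`.
 * Allow ordinary scheduler slack but not a 10% or larger shortfall. */
bool sleep_was_honoured(uint64_t intended_ms, uint64_t elapsed_ms)
{
    return elapsed_ms * 10 >= intended_ms * 9;
}

typedef void (*stage_fn)(void);
typedef struct {
    uint64_t    delay_ms;  /* wait before this stage */
    const char *name;
    stage_fn    run;
} stage_t;

static void decrypt_code(void)    { puts("decryptCode ran"); }
static void modify_registry(void) { puts("modifyRegistry ran"); }
static void network_main(void)    { puts("networkMain ran"); }

/* The timeline from the page: 5 min, then 20 min, then 20 min. */
static const stage_t kStages[] = {
    {      300 * 1000ULL, "decryptCode",    decrypt_code    },
    { 20 * 60 * 1000ULL,  "modifyRegistry", modify_registry },
    { 20 * 60 * 1000ULL,  "networkMain",    network_main    },
};
#define N_STAGES ((int)(sizeof kStages / sizeof kStages[0]))

/* Run the stages in order, dividing each delay by `divisor` (1 for the real
 * timeline).  Returns how many stages ran: all of them, or fewer if a sleep
 * came back early, in which case the code stays dormant. */
int run_staged(const stage_t *stages, int n, uint64_t divisor)
{
    for (int i = 0; i < n; i++) {
        uint64_t want = stages[i].delay_ms / divisor;
        uint64_t got  = timed_sleep_ms(want);
        if (!sleep_was_honoured(want, got)) {
            printf("%s: asked for %llu ms, got %llu ms; sleep was skipped, staying dormant\n",
                   stages[i].name, (unsigned long long)want, (unsigned long long)got);
            return i;
        }
        stages[i].run();
    }
    return n;
}

int main(void)
{
    /* Scaled by 60000 so the demo finishes in well under a second. */
    int ran = run_staged(kStages, N_STAGES, 60000);
    printf("%d of %d stages executed\n", ran, N_STAGES);
    return 0;
}
```

With divisor 1 the chain takes the full 45 minutes the page describes; the demo scales it down to 5 ms, 20 ms and 20 ms so that the same logic can be exercised quickly.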

In the past, detecting a virtual environment demanded real technical depth from a malware author: familiarity with assembly, with how virtual machines work, and with CPU and memory management. Neither of the two cases above needs much of that. It is reasonable to expect malware authors to keep pushing in this direction and to come up with more simple ideas like these for confusing automated analysis systems.