SecurityWeek

Malware & Threats

Symantec Examines New Malware Evasion Tactics

Symantec recently published a blog post detailing two new methods being deployed to avoid malware detection and analytics. According to research, criminals are taking a low-cost / low-tech approach and using sleep loops along with basic monitoring to avoid getting caught.

In its latest Internet Security Threat Report, Symantec noted that some 400 million malware variants were created in 2011. This equates to an average of 33 million a month, which makes it impossible to detect and defend against them manually. To level the playing field somewhat, security researchers and vendors have developed a wide range of tools to automate the process.

Automated detection, often in a Virtual Machine (VM) or with a process and behavior check, has been around for years. Criminals know they are being watched, so they develop malware to avoid these checks. Some of the widely known circumvention techniques used by the criminals include checking for registry entries, video drivers, assembler code of a certain type, process names, and more.

However, Symantec has seen two additional methods being deployed by malware authors that seem to be working to a degree. The first is a subroutine in the malware’s code that monitors mouse communication.

“As a person usually uses a mouse when using Windows, the _main_routine subroutine works fine. But as an automated threat analysis system doesn’t use a mouse, the code remains dormant so an automated threat analysis system may not detect it as malware,” Symantec explains.

Malware Evasion Techniques

The second method is one of wait and see. The malware runs in parts, executing the first command after waiting for five minutes, then an additional 20 minutes to execute the second command, and finally, 20 minutes more before the final command is run. This enables the malware to avoid detection by applications and systems that only check for a short amount of time.
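Both tricks show up plainly in the API-call trace a sandbox records, and both have a cheap analyst-side counter: flag a sample whose requested sleep time exceeds the analysis window or that polls the cursor before doing anything else, and re-run it with long sleeps skipped so the later stages fall inside the window. The script below is an added example written for this article, not Symantec's code; the trace format, the `PAYLOAD_APIS` set, the thresholds and the sample trace are all constructed assumptions (the timings mirror the 5/20/20-minute schedule and the mouse check described above).

```python
"""Score a sandbox API-call trace for the two stalling tricks described above:
gating on real mouse activity, and spreading the payload over long Sleep()
calls so a short analysis window expires first. Added example; the trace
format and thresholds are assumptions made up for this illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ApiCall:
    t: float      # seconds since process start on the sandbox's clock
    name: str     # Win32 API name as the sandbox hooked it
    args: tuple   # arguments as logged

# APIs we treat as "the payload is doing something" (assumed, illustrative list)
PAYLOAD_APIS = {"CreateFileW", "WriteFile", "InternetOpenUrlW",
                "CreateProcessW", "WinExec"}

# Constructed trace: five-minute sleep, a cursor-polling loop, then stages
# spaced 20 minutes apart. Paths and the URL are placeholders.
SAMPLE_TRACE: List[ApiCall] = [
    ApiCall(0.0, "Sleep", (300_000,)),
    *[ApiCall(300.0 + i * 0.5, "GetCursorPos", ()) for i in range(20)],
    ApiCall(310.0, "CreateFileW", (r"C:\Users\Public\stage1.tmp",)),
    ApiCall(310.1, "Sleep", (1_200_000,)),
    ApiCall(1510.1, "InternetOpenUrlW", ("http://placeholder.invalid/",)),
    ApiCall(1510.2, "Sleep", (1_200_000,)),
    ApiCall(2710.2, "CreateProcessW", (r"C:\Users\Public\stage2.exe",)),
]


def total_sleep_s(trace: List[ApiCall]) -> float:
    """Sum of all Sleep(ms) requests, in seconds."""
    return sum(c.args[0] for c in trace if c.name == "Sleep") / 1000.0


def first_payload(trace: List[ApiCall]) -> Optional[int]:
    """Index of the first call that touches files, network or processes."""
    for i, c in enumerate(trace):
        if c.name in PAYLOAD_APIS:
            return i
    return None


def cursor_polls_before_payload(trace: List[ApiCall]) -> int:
    """How often the sample asked for the cursor position before acting."""
    end = first_payload(trace)
    head = trace if end is None else trace[:end]
    return sum(1 for c in head if c.name == "GetCursorPos")


def analyze(trace: List[ApiCall], window_s: float = 120.0,
            poll_threshold: int = 10) -> Dict[str, object]:
    """Verdict for one run: did stalling or input-gating hide the payload?"""
    idx = first_payload(trace)
    first_t = None if idx is None else trace[idx].t
    polls = cursor_polls_before_payload(trace)
    sleep_s = total_sleep_s(trace)
    return {
        "total_sleep_s": sleep_s,
        "cursor_polls_before_payload": polls,
        "first_payload_s": first_t,
        "sleep_stall": sleep_s > window_s,          # would outlast the window
        "mouse_gate": polls >= poll_threshold,       # busy-polls for a user
        "payload_seen_in_window": first_t is not None and first_t <= window_s,
    }


def squash_sleeps(trace: List[ApiCall], cap_ms: int = 1_000) -> List[ApiCall]:
    """Replay the trace as a sleep-skipping sandbox would see it: every Sleep
    longer than cap_ms is shortened to cap_ms and later timestamps are pulled
    forward by the time saved. Only addresses the sleep trick; the mouse gate
    still needs simulated input to open."""
    saved_s = 0.0
    out: List[ApiCall] = []
    for c in trace:
        new_t = c.t - saved_s
        if c.name == "Sleep" and c.args[0] > cap_ms:
            saved_s += (c.args[0] - cap_ms) / 1000.0
            out.append(ApiCall(new_t, c.name, (cap_ms,)))
        else:
            out.append(ApiCall(new_t, c.name, c.args))
    return out


if __name__ == "__main__":
    print("as recorded:   ", analyze(SAMPLE_TRACE))
    print("sleeps skipped:", analyze(squash_sleeps(SAMPLE_TRACE)))
```

Run as-is, the first verdict reports 2700 s of requested sleep against a 120 s window, twenty cursor polls before any file activity, and no payload inside the window; after `squash_sleeps` the three stages land at roughly 11, 12 and 13 seconds and become visible, while `mouse_gate` stays raised, which is the point: skipping sleeps defeats the second trick, but only injected mouse movement defeats the first.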

While somewhat effective, these new tactics are not especially advanced, and they are not reserved for elite malware developers.

“In the past, malware authors used very difficult techniques to detect virtual environments. As such, they may have needed specialized skills, such as assembler code writing skills, knowledge of virtual machines, and knowledge of CPUs and memory management,” Symantec explained. “However, the techniques described in this blog are not technical and hence malware authors these days do not need technical skills to hide their creations from automated threat analysis systems. Furthermore, they are always researching and testing new ideas in order to fool automated threat analysis systems.”
