Duping the machine - malware strategies, post sandbox detection

Friday 26 September 14:00- 14:30, Green room.

James Wyke Sophos

   This paper is available online (HTML, PDF).

  download slides (PDF)

Sandboxes and automated analysis environments are key tools to combat the exponential growth of malware. There are a huge range of different solutions and they are used in a wide variety of situations throughout security companies and large IT departments across the globe. In many cases, sandboxes are used as part of an automated system where data is extracted, fed into other systems, and decisions are made on the nature of the sample under examination. Inevitably, though, sandboxes can be detected by malware, and malware that does so is left with a choice. The majority of samples that detect they are executing in an artificial environment will immediately exit, but there is a growing subset of malware families that choose to do something more cunning.

In this paper we explore the different strategies malware employ once a sandbox has been detected. We present examples of decoy behaviour that ranges from dummy files dropped to fixed path names, bogus DNS and HTTP requests, and misleading configuration files being delivered. We examine samples of the main protagonist malware families including Andromeda, Shylock, Simda and Vundo.

We classify the techniques involved and assess the motivation for each approach by asking what the benefit to the malware author is in each case.

We conclude by analysing the consequences of failing to realise we are observing bogus behaviour from the sample, such as false positives, prolonging of the life span of the threat, and embarrassing publications where the authors fail to realise they are describing dummy behaviour. Finally, we explore ways in which we might prevent ourselves falling victim to the same techniques again.

James Wyke James Wyke has been working in the UK at Sophos for more than five years. He is currently a senior threat researcher with particular interest in botnets, banking malware, rootkits, file infectors and many other types of prevalent threat. James spends his time carrying out in-depth analysis and exploring novel approaches to malware protection. Outside of work, James enjoys playing squash and trying not to lose too often on the company pool table.