FireEye Labs research outlines techniques malware authors use to evade file-based sandboxes

5th August 2013 | By Mouseworld Now Correspondent

New Delhi, India, August 5, 2013: FireEye today released a new report titled “Hot Knives Through Butter: How Malware Evades Automated File-based Sandboxes,” which reveals several techniques advanced malware uses to sidestep signature-based defenses during attacks. Today’s sophisticated, polymorphic malware is able to hide, replicate, and disable host protections using a variety of techniques, rendering single-flow, file-based sandbox solutions ineffective.

Zheng Bu, Senior Director of Research and Co-Author of the Report, said, “In today’s threat landscape, traditional sandboxes no longer offer a silver bullet against sophisticated attackers. Malware is increasingly able to determine when it is running in a virtual environment and alter its behavior to avoid detection. Effective detection requires analyzing the context of behavior and correlating disparate phases of an attack through multi-flow analysis – which is how our researchers identified the malware samples outlined in this paper.”

The FireEye Labs research team leveraged the company’s Multi-Vector Virtual Execution (MVX) engine’s signature-less, dynamic, real-time detection capability to identify new evasion techniques.

The FireEye report outlines the methodologies malware authors are using to evade file-based sandboxes, which typically fall into one or more of the following categories:

  • Human Interaction: Some malware lies dormant until it detects signs of a human user, since an automated sandbox typically supplies none. The UpClicker Trojan discovered by FireEye in December 2012 used mouse clicks to detect human activity, establishing communication with malicious CnC servers only after detecting a click of the left mouse button.
  • Configuration: Sandboxes mimic the physical computers they are protecting, yet they are still configured to a defined set of parameters. Most sandboxes only monitor files for a few minutes before moving on to the next file. Therefore, cybercriminals simply wait out the sandbox and attack after the monitoring process is completed.
  • Environment: Malware often seeks to exploit flaws present only in specific versions of an application. If a predefined configuration within a sandbox lacks a particular combination of operating system and applications, some malware will not execute, evading detection.
  • Classic VMware Evasion Techniques: VMware, a popular virtual-machine tool, is particularly easy to identify because of its distinctive configuration, and malware writers take advantage of this. For example, VMware’s distinctive configuration allows malware to check for VMware services before executing.
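The four categories above can be turned into triage heuristics run over a sandbox’s behavioural event log, which is the defender’s side of the picture the report describes. The following is an added example written for this article, not FireEye’s code or any MVX tooling: the event-log format, the `Event` fields, the hypervisor marker strings and the sample log are all constructed for illustration. It flags a sample that probes for VMware services or registry keys before doing anything else, that requests delays long enough to outlast the monitoring window, and whose first network connection appears only after the sandbox injected a synthetic left-click.

```python
"""Triage heuristics for a file-based sandbox's behavioural event log.

Added example (not FireEye's code). The log format, field names and marker
strings below are constructed for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float      # seconds since detonation started (constructed timeline)
    kind: str     # one of: "api", "input", "net", "reg", "service"
    detail: str   # free-text description of the call or action


# Substrings that identify a hypervisor-vendor service or registry key.
# Illustrative assumptions, not an exhaustive or authoritative list.
VM_MARKERS = ("vmware", "vmtools", "vmmouse", "vmhgfs")


def hypervisor_probes(events):
    """Events that open a service or registry key naming a hypervisor vendor."""
    return [
        e for e in events
        if e.kind in ("service", "reg")
        and any(m in e.detail.lower() for m in VM_MARKERS)
    ]


def total_stall_seconds(events):
    """Sum of delays the sample requested via Sleep(ms).

    Assumes the sandbox logs the requested value even if it shortcuts the
    actual wait, so a sample trying to outlast the monitor window is visible.
    """
    total_ms = 0.0
    for e in events:
        if e.kind == "api" and e.detail.startswith("Sleep(") and e.detail.endswith(")"):
            total_ms += float(e.detail[len("Sleep("):-1])
    return total_ms / 1000.0


def network_gated_on_input(events):
    """True if the first outbound connection occurs only after a synthetic
    left-click was injected and no network activity preceded that click."""
    first_net = next((e for e in events if e.kind == "net"), None)
    first_click = next(
        (e for e in events if e.kind == "input" and "left_click" in e.detail), None
    )
    if first_net is None or first_click is None:
        return False
    return first_click.t < first_net.t


def triage(events, monitor_window_s=120.0):
    """Return a list of finding tags for one detonation run."""
    findings = []
    probes = hypervisor_probes(events)
    if probes:
        findings.append(f"hypervisor_probe:{len(probes)}")
    stall = total_stall_seconds(events)
    if stall > monitor_window_s:
        findings.append(f"stalls_past_window:{stall:.0f}s")
    if network_gated_on_input(events):
        findings.append("net_after_click")
    return findings


# Constructed sample log: probes VMware artefacts, asks for a 5-minute sleep,
# then beacons only after the sandbox injected a left-click. The address is
# from the documentation range and is not a real indicator.
SAMPLE_LOG = [
    Event(0.1, "service", "OpenService(VMTools)"),
    Event(0.2, "reg", "RegOpenKey(HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools)"),
    Event(0.5, "api", "Sleep(300000)"),
    Event(45.0, "input", "left_click(412,300)"),
    Event(45.3, "net", "connect(203.0.113.10:443)"),
]

# Constructed benign-looking log: connects immediately, no probes, short sleep.
BENIGN_LOG = [
    Event(0.1, "net", "connect(203.0.113.20:80)"),
    Event(0.2, "api", "Sleep(500)"),
    Event(10.0, "input", "left_click(100,100)"),
]

if __name__ == "__main__":
    print("sample:", triage(SAMPLE_LOG))
    print("benign:", triage(BENIGN_LOG))
```

The findings are deliberately coarse: a hypervisor probe on its own is common in legitimate installers, so in practice the value lies in the combination of tags for one run, which is the “context of behavior” the report’s co-author refers to. The monitoring window is a parameter because, as the Configuration bullet notes, it is the sandbox’s own fixed timeout that a stalling sample exploits.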

Understanding the techniques malware authors are using to evade detection from file-based sandboxes will allow security professionals to better identify the potential for an Advanced Persistent Threat (APT) attack.


© Mouseworld Now News Service
