Now You See Me, Now You Don’t: 
Chasing Evasive Malware 
Giovanni Vigna 
CTO @ Lastline, Inc. 
and 
Professor @ Department of Computer Science 
University of California Santa Barbara
Who am I? 
• Co-founder and CTO at Lastline, Inc. 
– Lastline offers protection against zero-day threats and advanced 
malware 
• Professor of Computer Science at the University of California in 
Santa Barbara 
– Many system security papers in academic conferences 
– Started malware research around 2004, focusing on evasive malware 
– Built and made available to the public practical systems (Anubis, 
Wepawet, Revolver, …) 
– Lead Shellphish, the longest-running hacking team at DefCon’s CTF
Malware Evolution 
[Figure: damage in dollars plotted over time, rising from hundreds (cybervandalism) through thousands, hundreds of thousands and millions (cybercrime) to billions (targeted attacks and cyberwarfare).]
AV Can’t Keep Up
Arms Race(s) 
[Figure: two parallel arms races, one per delivery vehicle.] 
• Binaries: malicious binary → signature-based anti-virus → obfuscated/polymorphic malicious binary → behavior-based anti-malware (sandbox) → evasive malicious binary 
• JavaScript: malicious JavaScript → signature-based web gateways → obfuscated/polymorphic malicious JavaScript → behavior-based anti-malware (honeyclient) → evasive malicious JavaScript
An Evasion Framework 
[Figure: a producer creates an artifact together with its provenance; the analysis system labels or blocks it using known malicious and known benign artifacts and provenance; the target system executes or displays it; the consumer activates it.]
An Evasion Framework 
• Which party each kind of attack has to evade (X = must be evaded, N/A = not applicable): 

Attack               Analysis System   Target System   Consumer 
SPAM                 X                 N/A             N/A 
Phishing             X                 N/A             X 
Social Engineering   N/A               N/A             X 
Malware Installs     N/A (*)           N/A             X 
Malicious Documents  X                 X               X 
Malicious Web Pages  X                 X               N/A 
Malicious Binaries   X                 N/A             N/A 

(*) First downloader
Evading Static Analysis 
• Static analysis techniques can be evaded by making the (relevant) 
code unavailable 
– Packing/encrypting 
– Delaying the inclusion of code 
• Static analysis techniques can be evaded by exploiting differences 
in the parsing capabilities of the target system vs. analysis system 
– Parsing the executable (the target is the OS) 
– Parsing the document (the target is the Office application) 
• Static analysis techniques can be foiled by making certain 
operations depend on values known only at run-time 
– Table lookups based on user-provided input
Evading Static Analysis 
• The code is stored encoded in the registry and executed 
using an intricate command line: 
rundll32.exe "javascript:\..\mshtml,RunHTMLApplication 
;document.write(\74script 
language=jscript.encode>+(new%20ActiveXObject(WScript.Shell)). 
RegRead(HKCU\software\microsoft\windows\currentversion\run\ 
)+\74/script>)" 
– rundll32 loads mshtml and calls RunHTMLApplication on the javascript: URL; the script reads the encoded payload out of the Run key with WScript.Shell.RegRead and writes it into the document as a jscript.encode script block 
– \74 is the octal escape for "<", so the string "<script" never appears literally in the command line, and no script file ever exists on disk for a static scanner to parse
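As an added example (not code from the talk), the check a defender would want against the launcher above: normalize a process command line before matching it, so that the registry-resident script is caught even though "<script" never appears literally in the raw string. Both command lines are constructed for this example; the first follows the slide's command, the indicator names are arbitrary.

```javascript
// Added example, not from the talk: normalize a command line (JScript octal
// and hex escapes, URL percent-escapes, whitespace, case) before matching it.
// Both command lines are constructed; the first follows the slide's command.

const SUSPICIOUS = 'rundll32.exe "javascript:\\..\\mshtml,RunHTMLApplication ;'
  + 'document.write(\\74script language=jscript.encode>'
  + '+(new%20ActiveXObject(WScript.Shell)).RegRead(HKCU\\software\\microsoft'
  + '\\windows\\currentversion\\run\\)+\\74/script>)"';
const BENIGN = 'rundll32.exe shell32.dll,Control_RunDLL timedate.cpl';

// "\74" (octal) and "\x3c" (hex) both stand for "<" in a JScript string;
// "%20" is a URL-encoded space inside the javascript: URL. Decode all three,
// then fold whitespace and case so the indicator patterns can stay simple.
function normalizeCommandLine(cmd) {
  return cmd
    .replace(/\\([0-7]{1,3})/g, (_, o) => String.fromCharCode(parseInt(o, 8)))
    .replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\s+/g, ' ')
    .trim()
    .toLowerCase();
}

// Indicators are matched against the normalized form only.
const INDICATORS = [
  ['rundll32-javascript-url', /rundll32(\.exe)?\s+"?javascript:/],
  ['mshtml-runhtmlapplication', /mshtml,\s*runhtmlapplication/],
  ['script-read-from-registry', /\.regread\s*\(/],
  ['script-tag-after-decoding', /<script\b/],
  ['encoded-jscript', /jscript\.encode/],
];

function triageCommandLine(cmd) {
  const normalized = normalizeCommandLine(cmd);
  const indicators = INDICATORS
    .filter(([, re]) => re.test(normalized))
    .map(([name]) => name);
  // Escapes in a process command line are unusual on their own: report them.
  const usesEscapes = /\\[0-7]{1,3}|\\x[0-9a-f]{2}|%[0-9a-f]{2}/i.test(cmd);
  const flagged = indicators.includes('rundll32-javascript-url') && indicators.length >= 2;
  return { normalized, indicators, usesEscapes, flagged };
}

console.log(triageCommandLine(SUSPICIOUS));
console.log(triageCommandLine(BENIGN));
```

The order of the decoding steps matters: the octal pass runs first so that a "\74" produced by a later pass cannot be decoded twice, and the benign rundll32 invocation stays clean because the gate is the javascript: URL plus at least one further indicator, not the use of rundll32 by itself.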
Evading Dynamic Analysis 
• Dynamic analysis techniques can be evaded by 
fingerprinting the environment (and then not executing) 
– Detection of modified environment 
• Instrumented libs 
• Auxiliary processes/services 
– Detection of specific HW/SW configurations 
• Devices 
• Users 
• File names
Evading Dynamic Analysis 
• Dynamic analysis techniques can be evaded by 
exploiting differences in the execution capabilities of the 
target system vs. analysis system 
– Semantics (virtualization/emulation introduces differences) 
– Speed (analysis systems are usually slower) 
– Available resources (analysis has a finite, limited time) 
• Sleeping 
• Stalling loops
Evading Dynamic Analysis 
• Dynamic analysis can be evaded by checking for the 
presence of a human (“reverse Turing test”) 
– Keyboard/mouse is attached 
– Mouse moves 
• These activities cannot be too obvious or the user will 
become suspicious
Visibility Matters 
[Figure: traditional sandboxes versus full-system emulation; the annotation "Important behaviors and evasion happen here" marks the part of the execution that full-system emulation observes and traditional sandboxes do not.]
What Needs to Be Done (Now) 
• Use the evasive behavior as a signal for detection 
– Detect fingerprinting 
– Detect failures to execute 
• Rely on binary-level program analysis techniques to 
identify stalling 
– Characterize program evolution 
– Identify loops and push through
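As an added example (not code from the talk), the three slides above turned into triage logic: take a sandbox API-call trace and use the evasive behavior itself as the signal, flagging environment fingerprinting, a stalling loop, a reverse Turing test, a sleep that outlasts the analysis budget, and a process that exits without ever doing anything payload-like. The trace format, both traces and the thresholds are constructed for this example; the API names are the Windows APIs a sandbox would hook and the artifact strings are commonly listed VM and sandbox markers.

```javascript
// Added example, not from the talk: triage a sandbox API-call trace and use
// the evasive behaviour as a detection signal. Trace format, both traces and
// all thresholds are constructed for this example.

const STALL_RUN_THRESHOLD = 50; // identical cheap calls in a row => stalling loop
const PAYLOAD_APIS = new Set(['WriteFile', 'CreateProcessW', 'CreateRemoteThread',
  'WriteProcessMemory', 'connect', 'InternetOpenUrlW', 'URLDownloadToFileW', 'RegSetValueExW']);
const CHEAP_APIS = new Set(['GetTickCount', 'QueryPerformanceCounter', 'GetCursorPos', 'GetLocalTime']);
const ENV_FINGERPRINT = [
  ['vm-artifact-string', /vbox|virtualbox|vmware|qemu|xen/i],            // registry/BIOS/device strings
  ['sandbox-dll-probe', /\b(sbiedll|api_log|dir_watch|snxhk)\.dll\b/i],  // instrumented libs
  ['debugger-check', /^(IsDebuggerPresent|CheckRemoteDebuggerPresent|NtQueryInformationProcess)$/],
];

function triageTrace(trace, budgetMs) {
  const findings = [];
  let payloadObserved = false;
  let sleepTotalMs = 0;
  let run = { api: null, count: 0 };
  const cursorPolls = [];

  trace.forEach((call, i) => {
    const text = [call.api, ...(call.args || []), call.ret].join(' ');
    for (const [name, re] of ENV_FINGERPRINT) {
      if (re.test(name === 'debugger-check' ? call.api : text)) findings.push({ i, name, api: call.api });
    }
    if (call.api === 'GetCursorPos') cursorPolls.push(String(call.ret));
    if (call.api === 'Sleep') sleepTotalMs += Number(call.args[0]);
    // A long run of the same cheap call with nothing in between is a stalling loop.
    run = run.api === call.api ? { api: call.api, count: run.count + 1 } : { api: call.api, count: 1 };
    if (CHEAP_APIS.has(call.api) && run.count === STALL_RUN_THRESHOLD) {
      findings.push({ i, name: 'stalling-loop', api: call.api });
    }
    if (PAYLOAD_APIS.has(call.api)) payloadObserved = true;
  });

  // Polling the cursor more than once is a check for a human at the keyboard.
  if (cursorPolls.length >= 2) {
    findings.push({ i: -1, name: 'reverse-turing-test', api: 'GetCursorPos',
      mouseMoved: new Set(cursorPolls).size > 1 });
  }
  if (sleepTotalMs >= budgetMs) findings.push({ i: -1, name: 'sleep-exceeds-budget', api: 'Sleep' });
  const exited = trace.some(c => c.api === 'ExitProcess');
  return {
    findings,
    payloadObserved,
    sleepTotalMs,
    failedToExecute: exited && !payloadObserved,  // "detect failures to execute"
    evasive: findings.length > 0 && !payloadObserved,
  };
}

// Constructed traces (not real sandbox output).
const EVASIVE_TRACE = [
  { t: 0, api: 'RegOpenKeyExW', args: ['HKLM\\HARDWARE\\DESCRIPTION\\System'], ret: 0 },
  { t: 1, api: 'RegQueryValueExW', args: ['SystemBiosVersion'], ret: 'VBOX   - 1' },
  { t: 2, api: 'GetModuleHandleW', args: ['sbiedll.dll'], ret: 0 },
  { t: 3, api: 'GetCursorPos', args: [], ret: '512,384' },
  // busy-wait on the clock; a real trace would hold thousands of these
  ...Array.from({ length: 60 }, (_, k) => ({ t: 4 + k, api: 'GetTickCount', args: [], ret: 100000 + k })),
  { t: 2000, api: 'GetCursorPos', args: [], ret: '512,384' },
  { t: 2001, api: 'Sleep', args: [900000], ret: 0 },
  { t: 902001, api: 'ExitProcess', args: [0], ret: 0 },
];
const BENIGN_TRACE = [
  { t: 0, api: 'CreateFileW', args: ['C:\\Users\\user\\report.txt'], ret: 0x44 },
  { t: 1, api: 'WriteFile', args: [0x44, 120], ret: 1 },
  { t: 2, api: 'CloseHandle', args: [0x44], ret: 1 },
  { t: 3, api: 'ExitProcess', args: [0], ret: 0 },
];

console.log(triageTrace(EVASIVE_TRACE, 300000));
console.log(triageTrace(BENIGN_TRACE, 300000));
```

The verdict deliberately requires both halves: a fingerprinting call or a stall on its own also occurs in legitimate installers and licensing code, so the sample is only called evasive when the checks are followed by silence (no payload-class activity before exit). Pushing through a stall, as the slide suggests, would mean patching the loop condition or faking the clock and re-running, which this triage only identifies, not performs.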
What’s Next? (Threat-wise) 
• As evasion detection improves, cybercriminals will be 
forced into mimicry 
• Mimicry is the process of creating malware that mimics 
the behavior of benign applications (until the analysis is 
completed)
What’s Next? (Protection-wise) 
• The next approach is eliciting 
– Elicit: verb 
evoke or draw out (a reaction, answer, or fact) from someone. 
"I tried to elicit a smile from Joanna” 
synonyms: 
obtain, bring out, draw out, extract, evoke, bring about, bring 
forth, induce, excite, give rise to, call forth, prompt, generate, 
engender, spark off, trigger, kindle; 
• Identify dormant code 
• Introduce the honey-user
[Figure: diagram showing a C&C Site and an Exploit Site.]
Conclusions 
• Malware is (and will always be) in continuous evolution 
• Evasion is a process, not a phase 
• It is important to create countermeasures that require 
major efforts/resources from the attacker 
• Visibility is key 
– Traditional anti-malware is based on simple microscopes 
– We need electronic (malware) microscopes
Questions? 
Backup Slides
The Golden Standard: Bare Metal 
• Comparison of execution in bare metal with execution on various types of analysis 
platforms 
[Figure: BareCloud pipeline. Incoming samples → pre-filter → scheduler → synchronized execution on bare metal, Ether, Anubis and VirtualBox → one behavior profile per platform → behavior comparison → behavior deviation score.] 
• BareCloud: Bare-metal Analysis-based Evasive Malware Detection 
Dhilung Kirat, Chris Kruegel, and Giovanni Vigna 
Proceedings of the USENIX Security Symposium, 2014
BareCloud Results 
• Collected 110,005 samples from Anubis that had interesting 
behavior 
– Samples with little or no activity 
– Samples with different combinations of filesystem and network activity 
• Compared profiles using hierarchical similarity 
• Identified 5,835 evasive samples
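As an added example (not the BareCloud code and not the paper's exact metric), a simplified behavior deviation score in the spirit of the two slides above: each run of a sample yields a profile (sets of observed events per category), the bare-metal profile is compared with each analysis platform's profile using a weighted per-category set similarity, and a sample whose bare-metal run shows behavior the sandboxes never saw is flagged. The category weights, the threshold and the two sample profiles are constructed here.

```javascript
// Added example, not from the BareCloud paper: a simplified behaviour
// deviation score. Weights, threshold and profiles are constructed.

const WEIGHTS = { filesystem: 0.3, registry: 0.2, process: 0.2, network: 0.3 };
const DEVIATION_THRESHOLD = 0.4;

function jaccard(a, b) {
  const A = new Set(a), B = new Set(b);
  if (A.size === 0 && B.size === 0) return 1;  // nothing seen on either side: they agree
  let inter = 0;
  for (const x of A) if (B.has(x)) inter++;
  return inter / (A.size + B.size - inter);
}

// Hierarchical similarity: set similarity per category, combined with weights.
function hierarchicalSimilarity(p, q) {
  return Object.entries(WEIGHTS)
    .reduce((s, [cat, w]) => s + w * jaccard(p[cat] || [], q[cat] || []), 0);
}

// Events produced on bare metal but not on this platform: the asymmetry that
// separates a sample hiding from the sandbox from one that is merely noisy.
function hiddenFromSandbox(bare, sandbox) {
  const hidden = [];
  for (const cat of Object.keys(WEIGHTS)) {
    const seen = new Set(sandbox[cat] || []);
    for (const ev of bare[cat] || []) if (!seen.has(ev)) hidden.push(`${cat}:${ev}`);
  }
  return hidden;
}

const hasActivity = p => Object.values(p).some(evs => evs.length > 0);

function scoreSample(sample, threshold = DEVIATION_THRESHOLD) {
  const { bareMetal, sandboxes } = sample;
  // Pre-filter: a sample inert on every platform carries no signal either way.
  if (![bareMetal, ...Object.values(sandboxes)].some(hasActivity)) {
    return { prefiltered: true, deviationScore: 0, evasive: false, perSandbox: {} };
  }
  const perSandbox = {};
  let deviationScore = 0;
  let evasive = false;
  for (const [name, profile] of Object.entries(sandboxes)) {
    const deviation = 1 - hierarchicalSimilarity(bareMetal, profile);
    const hidden = hiddenFromSandbox(bareMetal, profile);
    perSandbox[name] = { deviation, hidden };
    deviationScore = Math.max(deviationScore, deviation);
    if (deviation >= threshold && hidden.length > 0) evasive = true;
  }
  return { prefiltered: false, deviationScore, evasive, perSandbox };
}

// Constructed profiles (203.0.113.10 is a documentation address).
const FULL = {
  filesystem: ['write:%APPDATA%\\svc.exe'],
  registry: ['set:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc'],
  process: ['create:%APPDATA%\\svc.exe'],
  network: ['tcp:203.0.113.10:443'],
};
const DROP_ONLY = { filesystem: ['write:%APPDATA%\\svc.exe'], registry: [], process: [], network: [] };

const SAMPLES = {
  // Bare metal shows persistence and beaconing that every sandbox missed.
  evasive: { bareMetal: FULL, sandboxes: { ether: DROP_ONLY, anubis: DROP_ONLY, virtualbox: DROP_ONLY } },
  // Identical behaviour everywhere.
  consistent: { bareMetal: FULL, sandboxes: { ether: FULL, anubis: FULL, virtualbox: FULL } },
};

for (const [name, sample] of Object.entries(SAMPLES)) console.log(name, scoreSample(sample));
```

Two design points carry over from the pipeline on the slide: the runs must be synchronized (same sample, same inputs, same wall-clock window) or the deviation measures the environment rather than the sample, and the score is asymmetric on purpose, since extra activity that appears only inside a sandbox (a crash handler, an instrumentation side effect) is deviation but not evasion.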
Detecting Evasive Web Malware 
• State-of-the-art in honeyclients 
– High-interaction honeyclients visit web pages and record modifications 
to the underlying system (file system, registry, processes) 
– Unexpected changes are attributed to attacks 
• Limitations 
– Defenders need to know in advance the components that will be 
targeted by attacks 
– Configuration can be complex and incomplete 
• Some of the vulnerable components are incompatible with each other 
– Limited explanatory power
Revolver: Detecting Evasions 
in Web-based Malware 
• Providing an oracle available to the public has drawbacks 
– Malware can be tested before deployment 
• Exploitation of discrepancies leads to failed detection 
• Can we use this against the bad guys? 
– Revolver: An Automated Approach to the Detection of Evasive Web-based 
Malware 
A. Kapravelos, Y. Shoshitaishvili, M. Cova, C. Kruegel, G. Vigna, 
Proceedings of the USENIX Security Symposium, Washington, D.C., 
August 2013
Evasion: Liberal Configuration 
• Original exploit (decodes the shellcode unconditionally): 
var nop="%uyt9yt2yt9yt2"; 
var nop=(nop.replace(/yt/g,"")); 
var sc0="%ud5db%uc9c9%u87cd..."; 
var sc1="%"+"yutianu"+"ByutianD"+ ...; 
var sc1=(sc1.replace(/yutian/g,"")); 
var sc2="%"+"u"+"54"+"FF"+ 
"%u"+"BE"+...+"A"+"8"+"E"+"E"; 
var sc2=(sc2.replace(/yutian/g,"")); 
var sc=unescape(nop+sc0+sc1+sc2); 
• Evasive version (the same code, moved into the catch block of a guard that fails in a real browser): 
try { 
new ActiveXObject("yutian"); 
} catch (e) { 
var nop="%uyt9yt2yt9yt2"; 
var nop=(nop.replace(/yt/g,"")); 
var sc0="%ud5db%uc9c9%u87cd..."; 
var sc1="%"+"yutianu"+"ByutianD"+ ...; 
var sc1=(sc1.replace(/yutian/g,"")); 
var sc2="%"+"u"+"54"+"FF"+ 
"%u"+"BE"+...+"A"+"8"+"E"+"E"; 
var sc2=(sc2.replace(/yutian/g,"")); 
var sc=unescape(nop+sc0+sc1+sc2); 
} 
– In a real browser no ActiveX control with ProgID "yutian" exists, so the constructor throws and the catch block decodes the shellcode 
– A honeyclient configured liberally, so that every ProgID instantiates in order to trigger as many exploits as possible, never throws: the catch block never runs and the page looks inert
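As an added example (not code from the talk or from Revolver), the guard above executed under two models of ActiveXObject: a liberal one in which every ProgID instantiates, as in the honeyclient the evasion targets, and a faithful one in which only an allow-list of ProgIDs exists, as in a real browser. Running the same script under both and treating a divergence as the signal is the discrepancy idea the next slides build on. The sample script is constructed after the slide's pattern with a harmless two-character "payload", and the allow-list of ProgIDs is illustrative; nothing here runs shellcode.

```javascript
// Added example, not from the talk: the try/catch guard run under a liberal
// and a faithful model of ActiveXObject. Script and allow-list are constructed.

const SAMPLE_SCRIPT = `
  try {
    new ActiveXObject("yutian");            // no such ProgID in a real browser
  } catch (e) {
    var nop = "%uyt9yt0yt9yt0";
    nop = nop.replace(/yt/g, "");            // -> "%u9090"
    var sc0 = "%" + "yutianu" + "41yutian41";
    sc0 = sc0.replace(/yutian/g, "");        // -> "%u4141"
    var sc = unescape(nop + sc0);            // decoded only when the guard throws
  }
`;

// "liberal": every ProgID instantiates (a honeyclient trying to trigger any
// exploit). "faithful": only allow-listed ProgIDs exist, as in a real browser;
// anything else throws, like "Automation server can't create object".
function activeXModel(mode, allowed = new Set()) {
  const attempted = [];
  function ActiveXObject(progId) {
    attempted.push(progId);
    if (mode === 'liberal' || allowed.has(String(progId).toLowerCase())) return { progId };
    throw new Error("Automation server can't create object: " + progId);
  }
  return { ActiveXObject, attempted };
}

// Run the script with the chosen ActiveXObject bound and report whether the
// decoding path was reached (var sc is function-scoped, so it is visible
// after the try/catch even though it was assigned inside the catch block).
function runUnder(script, model) {
  const body = script + '\nreturn typeof sc === "undefined" ? null : sc;';
  const decoded = new Function('ActiveXObject', 'unescape', body)(model.ActiveXObject, unescape);
  return { decodedPayload: decoded, attemptedProgIds: model.attempted.slice() };
}

// Revolver's angle on it: run both models and treat a divergence as the signal.
function detectActiveXEvasion(script, allowed) {
  const liberal = runUnder(script, activeXModel('liberal'));
  const faithful = runUnder(script, activeXModel('faithful', allowed));
  const divergent = (liberal.decodedPayload === null) !== (faithful.decodedPayload === null);
  // ProgIDs that only serve as a guard: attempted, unknown, and never used again.
  const guardProgIds = faithful.attemptedProgIds.filter(p => !allowed.has(String(p).toLowerCase()));
  return { liberal, faithful, divergent, guardProgIds };
}

const ALLOWED_PROGIDS = new Set(['msxml2.xmlhttp', 'shell.application']);  // illustrative
console.log(detectActiveXEvasion(SAMPLE_SCRIPT, ALLOWED_PROGIDS));
```

The liberal run never reaches the decoding and looks like an inert page; the faithful run decodes the string and also records the nonsense ProgID that was only ever instantiated to see whether the constructor throws. A honeyclient that keeps the liberal configuration, because it wants to trigger exploits for controls it does not really have, can still catch this by also running the faithful model and diffing the outcome.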
Revolver 
[Figure: Revolver pipeline. Pages are labeled by a web oracle and parsed into ASTs (e.g. IF … VAR <= NUM); a similarity computation over the ASTs yields candidate pairs {b_i, m_j} of a benign and a malicious script, which are then classified as JavaScript infections, data dependencies, malicious evolution, or evasions.]
Evaluation: Evasion 
• Collected 6,468,623 pages, of which 265,692 malicious 
• Extracted 20,732,766 benign scripts, and 186,032 malicious scripts 
• Derived 705,472 unique ASTs and 55,701 malicious ASTs 
• For each benign AST, found ~70 malicious neighbors 
• Computed 208K candidate pairs 
– 6,996 Injections (701 classes) 
– 101,039 Data dependencies (475 classes) 
– 4,147 Evasions (155 classes) 
– 2,490 Evolutions (273 classes)
http://revolver.cs.ucsb.edu

Editor's Notes 

• #5 
– On Day 0, only 51% of antivirus scanners detected new malware samples 
– When none of the antivirus scanners detected a malware sample on the first day, it took an average of two days for at least one antivirus scanner to detect it 
– After two weeks, there was a notable bump in detection rates (up to 61%), indicating a common lag time for antivirus vendors 
– Over the course of 365 days, no single antivirus scanner had a perfect day, a day in which it caught every new malware sample 
– After a year, there are samples that 10% of the scanners still do not detect