Tuesday, 04/02/2019 5:59:57 PM

SANS Webcast Recap: Dissecting Popular Malware Evasion Techniques

https://www.vmray.com/cyber-security-blog/sans-webcast-recap-dissecting-popular-malware-evasion-techniques/

Like a modern superbug that has grown resistant to conventional antibiotics, malware today has evolved rapidly and become increasingly complex. While much has been written about malware’s ability to evade sandboxes, little has been said about the specific techniques malware authors employ to evade detection. In this post, condensed from a SANS webcast led by VMRay Product Manager Rohan Viegas, VMRay Sr. Threat Analyst Tamas Boczan and SANS analyst Jake Williams, we take a deep dive into the prevalent methods attackers adopt to bypass antivirus and sandbox environments, discuss the telltale signs left behind by malware, and offer practical strategies for improved detection.

Blacklisting is Not Enough

The number of unique malware samples is growing steadily. With over 800 million total malware samples seen in 2019, manually writing a signature for each one is nearly impossible. As SANS analyst Jake Williams points out, the number of samples doesn’t tell the whole story: “just recompiling the malware changes the cryptographic hash, which makes it a ‘new’ sample.”

Recompiling a known strain inserts a new timestamp in the header, rendering it a unique sample even though it shares 100% of the code. With the sheer volume of malware and the advancement of packing techniques, blacklisting sample and section hashes is becoming effectively useless. “This is a race you probably are not going to win, and attackers know this,” says Williams.
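To make the hashing failure modes concrete, here is an added illustration (not code from the webcast or from VMRay) using a constructed toy file layout rather than a real PE: a timestamp-only rebuild keeps the code section and a timestamp-normalized hash intact, while a toy packer defeats all three hash-based checks.

```python
import hashlib
import struct
import zlib

# Constructed toy layout, not a real PE: a 16-byte header whose bytes 8..11 hold a
# little-endian 32-bit build timestamp, followed by the code section.
TIMESTAMP_OFFSET = 8
CODE_OFFSET = 16
CODE = b"\x55\x89\xe5\x83\xec\x10\x8b\x45\x08" * 16  # constructed stand-in for .text bytes

def build_header(timestamp):
    return b"MZ\x00\x00" + b"\x00" * 4 + struct.pack("<I", timestamp) + b"\x00" * 4

def build_sample(timestamp):
    """'Compile' the same code with a given build timestamp in the header."""
    return build_header(timestamp) + CODE

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def code_section_hash(sample):
    """Hash only the code section, ignoring the header entirely."""
    return sha256(sample[CODE_OFFSET:])

def normalized_hash(sample):
    """Whole-file hash with the volatile timestamp field zeroed out."""
    buf = bytearray(sample)
    buf[TIMESTAMP_OFFSET:TIMESTAMP_OFFSET + 4] = b"\x00" * 4
    return sha256(bytes(buf))

def pack_sample(sample, key):
    """Toy packer: compress and XOR the original so its code bytes no longer appear on disk."""
    body = bytes(b ^ key for b in zlib.compress(sample))
    return build_header(0) + body

ORIGINAL = build_sample(1554226797)   # constructed first build
REBUILT = build_sample(1554313197)    # identical code, rebuilt a day later
PACKED = pack_sample(ORIGINAL, 0x5A)  # same original wrapped by the toy packer

def blacklist_hits(blacklisted, candidate):
    """Which hash-based checks still match a blacklisted sample against a candidate file."""
    return {
        "file": sha256(blacklisted) == sha256(candidate),
        "section": code_section_hash(blacklisted) == code_section_hash(candidate),
        "normalized": normalized_hash(blacklisted) == normalized_hash(candidate),
    }
```

Normalizing volatile header fields recovers a timestamp-only rebuild, but as the text notes, packing leaves nothing stable to hash until the sample is unpacked in memory.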

Endpoint & Heuristics Detection

As signature-based detection tools have become less effective, security teams have increasingly embraced a combination of endpoint tools and heuristic behavioral detection capabilities to identify suspicious files. Williams outlines a few of these strategies, including:

• Identifying binary and string patterns
• Looking for code injection
• Detecting malware setting persistence (installing to survive reboot)
• Observing suspicious API use
• Recognizing chained use of LOLBins (known good executables)

In this never-ending game of cat and mouse, attackers have likewise found clever workarounds to these methods. For instance, Williams points out an example of subverting some of the heuristics for detecting code injection by scrubbing the PE header in memory.

“Heuristic detection relies on runtime analysis of behaviors and alerts on those commonly performed by malware. The problem here is that many system admin tools look a lot like malware, from listing and killing processes to querying DLL lists. This can trigger a high volume of false positives,” explains Williams.

Packers & Other Bypass Techniques

One of the more common ways for malware to stay invisible to endpoint detection tools is through the use of packers. Malicious code is packed in a container so the signature in the original code is no longer available to be cross-referenced and analyzed.

To protect against this, some antivirus vendors try to create a signature for the unpacking stub itself. As Williams explains, “what we have is the packer, which has the unpacking stub – this code that decompresses the original code into memory – and the antivirus trying the signature on the unpacking stub when in fact the packer here isn’t being used to obscure malicious intent, it’s being used to protect the intellectual property of the third party developer. One of the challenges that antivirus has is that these packers themselves are not always malicious and in fact, many of them are sold commercially.”

Beyond packers, Williams outlines additional behavior detection methods in use today and some of the strategies malware authors use to obscure their malicious intent, such as:

• Code Emulators: Many antivirus engines use code emulators to identify malicious code patterns before they are executed maliciously
• Process Doppelganging: A particularly clever endpoint security bypass technique where the malware loads a different binary than the one that was scanned
• Living Off The Land Bins (LOLBins): Some malware leverages built-in executables to perform functions that are heuristically dangerous
• User Mode Rootkit: These tools dynamically change the results of API calls made by the detection tools

In short, Williams says that endpoint detection is getting harder by the day and critically, every detection technique requires a tradeoff between execution overhead and reliability. Finally, he reminds us why layering your detection solutions is critical: “it’s trivial to bypass a single detection after studying it, bypassing multiple detection points is significantly more difficult.”

Sandbox Evasion Strategies

In the second half of the webinar, we explore some of the clever strategies and workarounds that attackers are employing to avoid detection. Tamas Boczan, VMRay’s Sr. Threat Analyst, provides examples from some of his research to demonstrate how specific strains of malware are applying these strategies in the wild.

We break down evasive techniques into three broad categories:

• Detect the Sandbox: Many evasive malware strains are able to differentiate between an analysis environment and a production environment by querying various hardware characteristics (e.g., number of CPU cores, number of printers connected), evaluating user artifacts (cookies, browsing history) and detecting the monitoring agents themselves.
• Defeat the Sandbox: Some malware evades detection by circumventing the sandbox itself, or defeats the sandbox through the use of clever time loops that serve to time out its execution.
• Context Awareness: In addition, there are some malware strains whose behavior depends on the context of the interaction. For instance, the malware will only execute if it’s in a certain geographic location.

Evasion Techniques in the Wild

VMRay’s Sr. Threat Analyst, Tamas Boczan is on the front lines every day dissecting and analyzing the latest malware strains to deconstruct how they navigate the network and deliver their payload. In this section of the webcast, Tamas shows four different strains and details the evasive techniques they use to avoid detection:

• BetaBot: First seen in 2012, BetaBot comes and goes and is packed with a number of detection features, including the ability to detect registry files, BIOS, username and license keys.
• GandCrab: The most common ransomware family and a core focus of Tamas’ research, GandCrab has evolved rapidly and includes the capabilities to defeat the sandbox, including a technique called API hammering to artificially time out the sandbox.
• FormBook: A popular infostealer, FormBook is an example of malware that works both to detect and to defeat the sandbox. One of its stealth features lies in its ability to check against a blacklist of strings using a checksum calculation, which obscures what the malware is looking for.
• BrushaLoader: A relatively new variant and simple in form, BrushaLoader is an example of context-aware malware. A thin client collects data from the system and, based on the information received on the server side (i.e., geolocation), the server decides whether or not to send malware to a target host.

Sandbox Defense Tactics

Finally, we provide some practical recommendations for configuring a sandbox to improve detection capabilities and its ability to identify evasive behavior:

• Avoid Agents: Using agents in the analysis environment inevitably leaves a sign behind for the malware to determine it’s being run inside a sandbox. Instead, monitor externally from the hypervisor layer.
• Mimic Your Production Environment: Ideally an effective sandbox should replicate your users’ environment as closely as possible. The use of random artifacts, for instance, can help make the sandbox environment look less ‘staged’.
• Use Multiple VPN Egress Points: To protect against context-aware threats such as geo-fenced malware, multiple VPNs should be put in place to use different egress points in various geographies.
• Ensure Performance: High performance helps the sandbox defeat evasion attempts such as the API hammering used by GandCrab, which mainly targets slow sandboxes.
• Detect the Evasion Itself: It should come as little surprise that an effective sandbox should itself be able to detect evasion attempts and flag them.
==================================================================
Using a whitelisting practical strategy like Wave Endpoint Monitor would spot the 'sneaky' attacks and having all of the Wave solutions/products would assist in thwarting these malware attacks by hackers! Wave Endpoint Monitor looks to be more effective and easier to use based on the techniques that were presented in the article. The malware protection and Wave Endpoint Monitor links below are highly recommended reading!
==================================================================
https://www.wavesys.com/malware-protection

Excerpts:

Wave’s solution: start with the device

If antivirus software doesn’t work, what does? The Wave alternative relies not on superficial layers of software but on standards-based hardware: self-encrypting drives (SEDs) and Trusted Platform Modules (TPMs), or security chips, that are already embedded in many of your computers and mobile devices. This hardware provides you with secure storage. When you turn the SED and TPM on and manage them with Wave, you suddenly have a broad, deep view into your network. Among other things, you’ll know immediately whether any one of your devices—computers, laptops, tablets, smartphones—has been tampered with. But Wave is proactive too: you can block the kinds of behaviors that invite malware in. Wave's Endpoint Monitor provides early detection for these low-lying sneaky attacks.

Which other attack vector should you watch? One common vector that is used to attack even the most secure networks is physical devices – connected to USB, FireWire or SD. Our Data Protection Suite AV scanner allows you to block any unscreened device from connecting to any machine in the organization, until it has been scanned for known malware.
=================================================================
https://www.wavesys.com/products/wave-endpoint-monitor

Excerpts:

Detect attacks before it’s too late

Malware can do its work for weeks or months before you ever know it’s there. But with Wave Endpoint Monitor, you can spot malware before it has a chance to cause damage.

Antivirus software can’t detect rootkits and other malware; it works at the level of the OS and isn’t very good at seeing deeper into the system. For example, it can’t tell whether the boot record is lying. The Wave alternative is to work with the Trusted Platform Modules (TPMs), or security chips, embedded in your devices. By using the TPM to attest to the security of the device each time that device boots, Wave looks below the operating system and can help detect threats lurking there. Every time a device boots up, Wave Endpoint Monitor makes a comparison against previous boot values, and if anything deviates from the norm, it alerts you immediately.
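The boot-value comparison described above can be illustrated with a simulation of how TPM platform configuration registers (PCRs) accumulate measurements; this is an added example, not Wave’s product code, and it uses constructed stand-in component images instead of reading a real TPM. Each boot stage is folded into the register with the SHA-256 extend operation, so a tampered or reordered stage changes every later value, and the monitor reports the first stage that deviates from the recorded baseline.

```python
import hashlib

PCR_RESET = bytes(32)  # a SHA-256 PCR bank starts at all zeros after a TPM reset

def pcr_extend(pcr, component):
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(component image))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(components):
    """Return the PCR value after each (name, image) stage is extended, in boot order."""
    pcr, history = PCR_RESET, []
    for _, image in components:
        pcr = pcr_extend(pcr, image)
        history.append(pcr)
    return history

class BootMonitor:
    """Record one known-good boot, then compare every later boot against it."""

    def __init__(self, known_good):
        self.names = [name for name, _ in known_good]
        self.baseline = measure_boot(known_good)

    def check(self, components):
        """Return (ok, name of the first stage whose measurement deviates, or None)."""
        history = measure_boot(components)
        for name, expected, seen in zip(self.names, self.baseline, history):
            if seen != expected:
                return (False, name)
        if len(history) != len(self.baseline):
            return (False, "stage count")
        return (True, None)

# Constructed stand-ins for the pre-OS components a measured boot records.
GOOD_BOOT = [("firmware", b"fw-image-v1"),
             ("boot record", b"mbr:bootable:ok"),
             ("bootloader", b"loader-v2")]
TAMPERED_BOOT = [("firmware", b"fw-image-v1"),
                 ("boot record", b"mbr:bootable:hooked"),  # constructed boot-record change
                 ("bootloader", b"loader-v2")]
REORDERED_BOOT = [GOOD_BOOT[1], GOOD_BOOT[0], GOOD_BOOT[2]]

MONITOR = BootMonitor(GOOD_BOOT)  # baseline taken from the known-good boot
```

Because each extend chains on the previous register value, the monitor cannot be satisfied by a stage that merely reports a good-looking result later in the boot; the earliest deviation is what surfaces.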

An open standard means Wave works with everything

Wave Endpoint Monitor works on your existing hardware, across platforms. That’s because our solutions are based on an open standard that’s already been implemented on many laptops and is now working its way onto mobile devices. We’re talking about those TPMs. We just don’t think that expensive new equipment and vendor lock-in are great selling points.