Evasive Malware – The Art of Doing Nothing

Advanced malware uses a number of techniques to avoid being detected by a sandbox. One method is to stall. When a malicious object discovers that it’s under evaluation, it will postpone evil behavior until the sandbox times out. The malware simply hides its harmful capabilities until it’s in a real host.

Less sophisticated malware stalls by employing the operating system’s sleep function. This is probably the easiest way for a malware author to implement a delay, as it’s literally one line of code. By calling the sleep function, the malware directs the operating system to suspend its own execution for 10 minutes or so. That’s long enough for most sandbox systems to assume the object is well-behaved and end its evaluation.

However, as sandbox technologies evolved, they began to monitor calls to the operating system’s sleep function. Now, when a program or object makes such a call, the object is tagged as potentially malicious unless the reason can be substantiated. So, even a basic sandbox can detect stalling tactics that use the operating system’s call to sleep.

Unfortunately, conventional sandbox technology can only see the calls to the operating system and not what malware is doing internally. Consequently, today’s advanced malware evades detection of its stalling procedures by repeatedly executing meaningless instructions within its own code. By stalling internally, modern malware can outsmart these sandbox technologies.
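The sleep-call monitoring described above, and its blind spot, as an added example (not Lastline's code or any product's logic). The trace format, the 5-minute window and the 50% threshold are assumptions, and all traces are constructed.

```python
from dataclasses import dataclass

# Assumptions for this example (not from the article): a 5-minute analysis
# window and a 50% threshold for "the sleeps would outlast the sandbox".
WINDOW_MS = 5 * 60 * 1000
STALL_FRACTION = 0.5
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}  # Windows delay calls

@dataclass
class ApiCall:
    t_ms: int        # time of the call, ms since analysis start
    name: str        # API name as logged by the (hypothetical) monitor
    arg_ms: int = 0  # requested delay, normalized to ms by the monitor

def sleep_verdict(trace, window_ms=WINDOW_MS, fraction=STALL_FRACTION):
    """Flag a trace whose total requested sleep covers most of the window."""
    sleeps = [c for c in trace if c.name in SLEEP_APIS]
    requested = sum(c.arg_ms for c in sleeps)
    return {"sleep_calls": len(sleeps), "requested_ms": requested,
            "flag_stalling": requested >= fraction * window_ms}

def longest_silent_gap(trace, window_ms=WINDOW_MS):
    """Longest stretch with no OS call at all, up to the end of the window."""
    times = sorted(c.t_ms for c in trace) + [window_ms]
    return max(b - a for a, b in zip([0] + times, times))

# Constructed traces (not real captures).
ONE_LONG_SLEEP = [ApiCall(120, "CreateFileW"), ApiCall(450, "Sleep", 600_000)]
CHUNKED_SLEEPS = [ApiCall(450 + i * 5_000, "Sleep", 5_000) for i in range(59)]
BENIGN_POLLING = [ApiCall(100, "Sleep", 200), ApiCall(300, "ReadFile"),
                  ApiCall(320, "Sleep", 500), ApiCall(820, "CloseHandle")]
# Internal stalling: after two calls the sample never enters the OS again.
INTERNAL_STALL = [ApiCall(120, "CreateFileW"), ApiCall(450, "ReadFile")]

if __name__ == "__main__":
    for name, trace in [("one long sleep", ONE_LONG_SLEEP),
                        ("chunked sleeps", CHUNKED_SLEEPS),
                        ("benign polling", BENIGN_POLLING),
                        ("internal stall", INTERNAL_STALL)]:
        print(name, sleep_verdict(trace), longest_silent_gap(trace))
```

The internal-stall trace contains no sleep calls and is not flagged. All the API-level monitor records is a silent gap covering almost the whole window, which says nothing about what the CPU was executing.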

Unlike conventional sandbox technologies that can only observe when malware makes a call to the operating system, Lastline performs deep content inspection of each object. This unique capability allows Lastline to evaluate what’s going on within the CPU itself. Every instruction the malware performs is evaluated, including stalling evasions. Any object that attempts to stall is detected, even when done internally.
