How about malware that will peek at what might be monitoring for it, then hide or wait a few minutes, and run a portion of itself.
Wait, now run another portion. Oh, wait, and run some more.
Bam, you're infected!
Or, how about some malware that hides in your mouse routines, then waits for you to click a button or move the mouse, so it can run hidden in the mouse message routines.
Even better, how 'bout the malware that will recognize it is running in a VM or being searched for and stops itself from running; hides and waits until the way is clear.
And, unless your A/V or whatever method you use is aware of this type of threat... you are infected.
Nowadays, it doesn't take a technical genius to make it happen.
It is all explained in this article by the Symantec Security Response team, here: Malware Authors Using New Techniques to Evade Automated Threat Analysis Systems
And, a couple of quotes from the page:
For a long time, malware has been able to detect the environment it is running in and hide itself from automated threat analysis systems. The list below gives the measures malware takes to avoid being detected by dynamic analyzer systems:
Checks a certain registry entry and stops if it detects that it is running in a virtual environment.
Checks video and mouse drivers and stops if it detects that it is running in a virtual environment.
Enumerates the system service list and stops if it detects that it is running in a virtual environment.
Executes special assembler code and stops if it detects that it is running in a virtual environment.
Checks a certain communication port and stops if it detects that it is running in a virtual environment.
Checks a certain process name and stops if it detects that it is being monitored.
If malware stops itself when it detects that it is running in a virtual environment, it may trick an automated threat analysis system into thinking that it is a clean program. It is also able to stop itself if it discovers a certain process name and detects that someone is monitoring it. So malware may not only fool automated threat analysis systems, but also a corporate system administrator who is searching for computers compromised by malware.
In the past, malware authors used very difficult techniques to detect virtual environments. As such, they may have needed specialized skills, such as assembler code writing skills, knowledge of virtual machines, and knowledge of CPUs and memory management.
However, the techniques described in this blog are not technical and hence malware authors these days do not need technical skills to hide their creations from automated threat analysis systems. Furthermore, they are always researching and testing new ideas in order to fool automated threat analysis systems.
Keep your guard up and compute safely.
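A defender-side triage heuristic for the stalling and environment-probing behaviours described in the post and the quoted Symantec list, added here as an example (it is not code from the post, the forum, or Symantec). The trace format, the API names, the indicator substrings and the sample traces are all constructed assumptions; a real sandbox feeds its own call log into the same kind of rules.

```python
"""Sandbox-trace triage heuristic (added example, not from the post or Symantec).

Each line of a trace is a constructed, simplified "<api> <argument>" record of the
kind a dynamic analyser logs. The rules mirror the behaviours the post lists: probing
for a VM or monitoring tool and then exiting before doing any work, sleeping for
minutes before acting, and polling the mouse before acting."""
import re

# Constructed indicator patterns; a real deployment maintains its own lists.
VM_ARTIFACT_RE = re.compile(r"vbox|vmware|virtual|qemu|xen", re.I)
MONITOR_TOOL_RE = re.compile(r"wireshark|procmon|sandbox|analy", re.I)
PROBE_APIS = {"RegQueryValue", "EnumServices", "EnumProcesses", "CreateFile"}
MOUSE_APIS = {"GetCursorPos", "GetAsyncKeyState", "SetWindowsHookEx"}
# Until one of these appears the sample is treated as still stalling or probing.
PAYLOAD_APIS = {"WriteFile", "CreateProcess", "InternetOpen", "connect"}

def parse(trace):
    """Yield (api, argument) pairs; an argument-less call gets an empty string."""
    for line in trace.strip().splitlines():
        api, _, arg = line.strip().partition(" ")
        yield api, arg

def analyse(trace):
    """Return the evasion flags raised for one trace (empty list if none)."""
    events = list(parse(trace))
    first_payload = next((i for i, (api, _) in enumerate(events) if api in PAYLOAD_APIS), len(events))
    pre = events[:first_payload]  # behaviour before the first real action
    flags = []
    probed = any(api in PROBE_APIS and (VM_ARTIFACT_RE.search(arg) or MONITOR_TOOL_RE.search(arg))
                 for api, arg in pre)
    if probed and any(api == "ExitProcess" for api, _ in pre):
        flags.append("environment probe followed by exit")
    sleep_ms = sum(int(arg) for api, arg in pre if api == "Sleep" and arg.isdigit())
    if sleep_ms >= 60_000:
        flags.append(f"{sleep_ms // 1000}s of sleep before activity")
    if sum(api in MOUSE_APIS for api, _ in pre) >= 3:
        flags.append("polls mouse/keyboard before activity")
    return flags

# Constructed traces: one that probes and bails out, one that stalls, one benign.
EVASIVE_TRACE = "RegQueryValue HKLM\\SOFTWARE\\Example\\VBoxGuest\nEnumProcesses wireshark.exe\nExitProcess 0"
SLEEPER_TRACE = "Sleep 180000\nGetCursorPos\nGetCursorPos\nGetCursorPos\nWriteFile C:\\Users\\example\\stage2.bin"
BENIGN_TRACE = "CreateFile C:\\Users\\example\\report.docx\nWriteFile C:\\Users\\example\\report.docx\nExitProcess 0"

if __name__ == "__main__":
    for name, trace in [("evasive", EVASIVE_TRACE), ("sleeper", SLEEPER_TRACE), ("benign", BENIGN_TRACE)]:
        print(name, analyse(trace) or ["nothing flagged"])
```

The point for triage is the second rule: a sample that does nothing observable in the sandbox's time window is not evidence that it is clean, so a "no activity" verdict should be reviewed rather than trusted.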