
Malware evades defences during attacks

Anuradha Shukla | Aug. 5, 2013
Traditional sandboxes fail to offer protection against sophisticated attackers.

Traditional sandboxes, or computer security mechanisms, fail to offer the required protection against sophisticated attackers, according to a new report by FireEye.

Advanced malware is using several techniques to thwart signature-based defences during attacks. 

The report, titled Hot Knives Through Butter: How Malware Evades Automated File-based Sandboxes, indicates that businesses today have to deal with malware that can easily disable host protections with a range of techniques.

This polymorphic and sophisticated malware has the ability to dilute or diffuse single-flow, file-based sandbox solutions.

“Malware is increasingly able to determine when it is running in a virtual environment and alter its behaviour to avoid detection,” said Zheng Bu, senior director of research and co-author of the report. “Effective detection requires analysing the context of behaviour and correlating disparate phases of an attack through multi-flow analysis.”

Understanding malware authors 

Security professionals are advised to understand the techniques malware authors use to escape detection by file-based sandboxes. This will help them better identify Advanced Persistent Threat (APT) attacks.

The research team from FireEye Labs used the Multi-Vector Virtual Execution (MVX) engine’s real-time detection capability to identify new evasion techniques.

Last year FireEye discovered the UpClicker Trojan, which used mouse clicks to detect human activity. Once the malware detects a click of the left mouse button, it establishes communication with malicious servers to cause harm to users.

Sandboxes are designed to monitor files for a few minutes and then move on to the next file, giving cyber criminals an opportunity to wait and attack after the monitoring process is completed.

FireEye also notes that the virtual-machine tool VMware is easily identified by malware authors due to its distinctive configuration.

 
