Hackers of India

Hot knives through butter: Bypassing automated analysis systems

 Abhishek Singh  , Zheng Bu 


Presentation Material


Diamonds are girl’s best friend, prime numbers are mathematician’s best friend and automated analysis systems (AAS) are AV researcher’s best friend. Unfortunately, this fact is known by malware authors and hence techniques to evade automated analysis system are not only becoming an integral part of APT, but also many infamous malwares have resurrected and are using techniques to bypass the automated analysis system to stay under the radar.

The infamous Khelios botnet was claimed to be dead in 2011 and got resurrected . To evade the automated analysis system one of the sample aka Trojan Nap found in 2013, was employing SleepEx() API with a 10 minutes time out. Since automated analysis systems are set to execute a sample within a given time frame ,which is in seconds, by employing an extended sleep call, it could prevent an AAS from capturing its behavior. The sample also made a call to the undocumented API NtDelayExecution() for performing an extended sleep calls.

As per the report from Mandiant, infamous RAT Poison IVY has extensively been used in the targeted attacks and appeared to have been abandoned in 2008. Trojan UpClicker, reported in December 2012, a wrapper around Poison IVY, employs SetWindowsHookEX() API to hide its malicious activity. By sending 0EH as parameter to the function, the malicious code only gets activated when the left mouse button is clicked and released. Since in AAS there is no human interaction, the code remains dormant bypassing the AAS.

PushDo, yet another infamous malware, checks the build number of windows OS. Once it has determined the build number of windows OS. It finds a pointer to PspCreateProcessNotify() API routine to deregister all the callbacks. Once the callbacks have been deregistered, the malware can create or delete processes, bypassing process monitoring module of AAS.

Trojan Hastati was designed to wipe out all the hard drives of a computer in Korea. It used GetLocalTime() API to activate itself on March 20th 2013 at 2:00 P.M. If the sample is executed in an AAS before the 20th March 2013, it will not get executed and evades AAS.

UpClicker, PushDo, Hastati, Nap are some of the resurrected advanced malware and/or APT which are using anti evasion techniques to evade detections from AAS.

In first part of the presentation we provide an exhaustive list of techniques, API’s and the code segments from the APT and active malware, which are being used to bypass the AAS. We will also have live demonstration of some of the anti-analysis techniques, which have emerged in the recent past.

In the next part of the presentation we provide an in-depth, technical analysis of the Automated Analysis System technologies available today focusing on computer security aspect. It will provide a comparison framework for different technologies that is consistent, measurable, and understandable by both IT administrators and security specialists. In addition we also explore each of the major commercially available automated analysis system flavors and evaluate their ability to stand against these evasions. We will present an architectural decomposition of automated analysis systems to highlight its advantages and limitations, and historical view on how fast Anti-AAS techniques have been evolved so rapidly recently. This will kick start the conversation on how new vectors that are likely to be used by sophisticated malware to actively target AAS in the future.