[WEB SECURITY] Bypassing of behavioral analysis or malware strikes back

MustLive mustlive at websecurity.com.ua
Tue Aug 2 15:08:57 EDT 2011

Hello, participants of the Mailing List.

I wrote the article "Bypassing of behavioral analysis or malware strikes
back" (http://websecurity.com.ua/5301/) last week. Here is what it's about.

Last year, in my article "Bypass of systems for searching viruses at web sites",
I wrote about a method which malware can use for hiding from systems for
searching viruses at web sites (particularly those which work as part of the
search engines). It comes down to using cloaking. If a bot of a search engine
(including one which has a built-in antivirus) is visiting a site, then the
malicious code isn't shown, and in other cases it is shown on the pages of the site.

Since that time, the most advanced web antiviruses could fix this shortcoming in
their systems and learn to fight cloaking for better revealing of
viruses at web sites (as was done in my WebVDS already from the first
version in 2008). But there is another method which malware can use for
hiding from web antiviruses; in particular, it can be used against systems
which are based on behavioral analysis.

I came up with the idea of this method already in May, just after my speech at
the conference of UISG and ISACA Kiev Chapter with a report about systems for
revealing infected web sites.

Behavioral analysis is considered a more effective method of revealing
malicious software than signature or heuristic methods. Among web antiviruses
there are only two systems known to me which use behavioral
analysis. These are the built-in antiviruses in the search engines Google and Yandex. In
Yandex, behavioral analysis was added at the beginning of 2010, and as the company
stated, they were simultaneously using both the first technology (from Sophos,
which is obviously based on signatures) and the second one. I'll note that both
of these systems took part in my last year's testing of systems for searching
viruses at web sites, in which, out of seven participants, Google took 1st place
and Yandex 7th place.

Malware can use the following methods for bypassing behavioral analysis:

1. Revealing the fact that the web page is opened in a browser in a virtual
machine. Taking into account that via JS/VBS it's impossible to determine
this, the only effective variant is cloaking, which I told about
above. But advanced web antiviruses can fight it, so another variant is:

2. Using a delay. Malware can be run with some delay with the purpose of
bypassing such systems, because using behavioral analysis in a system
for searching for malware at web sites is a resource-intensive process, and
such systems check every single page for only a limited time. And if one finds the
maximum time which such systems spend on checking a page (and it can be
found experimentally), then it's possible to set the code to trigger after
this time, and thus such web antiviruses will be bypassed, but the code will
execute in the browsers of real visitors of the site.

So systems which are based on behavioral analysis should take into account
this possibility. And to solve this problem, it is necessary to use different
methods of revealing malware in one system.

Best wishes & regards,
Administrator of Websecurity web site
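As an added illustration (not part of the original post or of WebVDS), here is one way a behavioral web scanner could counter the delay trick described above: hook the page's timer APIs before loading it, log every requested delay, and shorten delays above a cap so that deferred code still runs inside the scanner's time budget. The function names, the cap and budget values, and the stand-in window object are assumptions made for the demo.

```javascript
// Added example, not from the article: timer instrumentation for a
// behavioral scanner. Two defensive measures: (1) every requested delay is
// recorded, (2) delays above capMs are shortened to capMs, so "run after
// two minutes" fires within the scanner's limited per-page check time.
// Names (installTimerAccelerator, flagLongDelays) are hypothetical.
function installTimerAccelerator(target, capMs) {
  const originalSetTimeout = target.setTimeout;
  const originalSetInterval = target.setInterval;
  const scheduled = []; // one record per timer the page asked for

  function wrap(original, kind) {
    return function (callback, delay, ...args) {
      const requestedMs = Number(delay) || 0;
      const effectiveMs = Math.min(requestedMs, capMs);
      scheduled.push({ kind, requestedMs, effectiveMs });
      return original.call(target, callback, effectiveMs, ...args);
    };
  }

  target.setTimeout = wrap(originalSetTimeout, "timeout");
  target.setInterval = wrap(originalSetInterval, "interval");

  return {
    scheduled,
    restore() {
      target.setTimeout = originalSetTimeout;
      target.setInterval = originalSetInterval;
    },
  };
}

// Report timers whose requested delay exceeds the scanner's per-page budget:
// a page that defers work past the budget deserves a second, longer look.
function flagLongDelays(scheduled, budgetMs) {
  return scheduled.filter((t) => t.requestedMs > budgetMs);
}

// Demo against a constructed stand-in for window, so it runs offline and
// deterministically; delays[] records what the "real" timer API received.
function demo() {
  const delays = [];
  const fakeWindow = {
    setTimeout: (fn, ms) => { delays.push(ms); return delays.length; },
    setInterval: (fn, ms) => { delays.push(ms); return delays.length; },
  };
  const hook = installTimerAccelerator(fakeWindow, 2000); // cap: 2 s
  fakeWindow.setTimeout(() => {}, 120000); // page asks for a 2-minute delay
  fakeWindow.setTimeout(() => {}, 500);    // ordinary short UI timer
  hook.restore();
  return { delays, flagged: flagLongDelays(hook.scheduled, 30000) };
}
```

In a real scanner the hook would be injected into the instrumented browser before the page's own scripts run, and the flagged entries would be attached to the scan report.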
