[WEB SECURITY] Bypassing of behavioral analysis or malware strikes back

Andrew Petukhov petand at lvk.cs.msu.su
Wed Aug 3 12:55:42 EDT 2011

Do you ever search for related work?
You might want to check out an article "Escape from Monkey Island:
Evading High-Interaction Honeyclients" - you will find many "new"
bypassing techniques, including "Delayed Exploitation".


8/2/11 11:08 PM, MustLive writes:
> Hello participants of Mailing List.
>
> I wrote the article "Bypassing of behavioral analysis or malware strikes
> back" (http://websecurity.com.ua/5301/) last week. Here is what it's
> about.
>
> Last year, in my article "Bypass of systems for searching viruses at web
> sites"
> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-May/006512.html),
> I wrote about a method which malware can use to hide from systems for
> searching for viruses at web sites (particularly those which work as part
> of search engines). It comes down to using cloaking: if a search engine
> bot (including one which has a built-in antivirus) is visiting a site, then
> the malicious code isn't shown, and in other cases it shows on the pages of
> the site.
>
> Since that time the most advanced web antiviruses could fix this
> shortcoming in their systems and learn to fight cloaking for better
> revealing of viruses at web sites (as was done in my WebVDS from the first
> version in 2008). But there is another method which malware can use to
> hide from web antiviruses; in particular, it can be used against systems
> which are based on behavioral analysis.
>
> I came up with the idea of this method already in May, just after my talk
> at the UISG and ISACA Kiev Chapter conference with a report about systems
> for revealing infected web sites.
>
> Behavioral analysis is considered a more effective method of revealing
> malicious software than the signature or heuristic methods. Among web
> antiviruses there are only two systems known to me which are using
> behavioral analysis: the built-in antiviruses in the search engines Google
> and Yandex. In Yandex, behavioral analysis was added at the beginning of
> 2010, and as the company stated, they were using it simultaneously with the
> first technology (from Sophos, which is obviously based on signatures) as a
> second one. I'll note that both these systems took part in my last year's
> testing of systems for searching for viruses at web sites, in which, out of
> seven participants, Google took 1st place and Yandex 7th place.
>
> Malware can use the following methods for bypassing behavioral analysis:
>
> 1. Revealing the fact that the web page is opened in a browser in a
> virtual machine. Taking into account that via JS/VBS it's impossible to
> determine this, the only effective variant is cloaking, which I told about
> above. But advanced web antiviruses can fight it, so another variant is
> needed.
>
> 2. Using a delay. Malware can be run with some delay with the purpose of
> bypassing such systems, because using behavioral analysis in a system for
> searching for malware at web sites is a resource-intensive process, and
> such systems check every single page for only a limited time. And if one
> finds the maximum time which such systems spend on checking a page (and it
> can be found experimentally), then it's possible to set the code to trigger
> after this time, and thus such web antiviruses will be bypassed, but the
> code will execute in the browsers of real visitors of the sites.
>
> So the systems which are based on behavioral analysis should take into
> account this possibility. And to solve this problem, it is necessary to use
> different methods of revealing malware in one system.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
> _______________________________________________
> The Web Security Mailing List
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter
> http://twitter.com/wascupdates
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
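The delay-based evasion in the quoted post (the "delayed exploitation" the reply points to) is usually countered on the analysis side by not letting page timers run on real wall-clock time. The following is an added example, not code from the thread, from MustLive's WebVDS, or from the "Escape from Monkey Island" paper: a small honeyclient-style timer hook that records every `setTimeout` request, flags any delay longer than the scan budget, and compresses it so the callback still fires inside the analysis window. The class and constant names (`TimerWarp`, `DEFAULT_BUDGET_MS`, `COMPRESSED_DELAY_MS`) and the budget values are assumptions chosen for illustration.

```javascript
// Added example (not from the thread): a honeyclient-side "time warp" for
// browser timers. It wraps setTimeout so that a callback scheduled beyond
// the analysis budget is (a) reported and (b) executed at a compressed delay,
// so a time-boxed behavioral scan still observes what a real visitor would.
// Runs under Node or a browser; the real scheduler is injectable for testing.

// Hypothetical values: how long the analyzer is willing to spend on one page,
// and the delay that over-budget timers are compressed to.
const DEFAULT_BUDGET_MS = 30 * 1000;
const COMPRESSED_DELAY_MS = 0;

// Normalise a requested delay the way browsers do (non-numeric / negative -> 0).
function normalizeDelay(delayMs) {
  return Number.isFinite(delayMs) && delayMs >= 0 ? delayMs : 0;
}

// A timer that would fire only after the scan budget is the kind a real
// visitor hits but a time-boxed analyzer never sees.
function classifyDelay(delayMs, budgetMs) {
  return normalizeDelay(delayMs) > budgetMs ? 'beyond-budget' : 'within-budget';
}

class TimerWarp {
  constructor({ budgetMs = DEFAULT_BUDGET_MS,
                realSetTimeout = globalThis.setTimeout.bind(globalThis) } = {}) {
    this.budgetMs = budgetMs;
    this.realSetTimeout = realSetTimeout; // injectable so tests need not wait
    this.events = [];                     // one record per scheduled timer
  }

  // Drop-in replacement for setTimeout(callback, delay, ...args).
  schedule(callback, delayMs = 0, ...args) {
    const requested = normalizeDelay(delayMs);
    const verdict = classifyDelay(requested, this.budgetMs);
    const effective = verdict === 'beyond-budget' ? COMPRESSED_DELAY_MS : requested;
    const record = {
      requestedMs: requested,
      effectiveMs: effective,
      verdict,
      // Keep a short excerpt of the callback source for the analyst's report.
      source: String(callback).slice(0, 120),
    };
    this.events.push(record);
    record.id = this.realSetTimeout(callback, effective, ...args);
    return record.id;
  }

  // Hook a window-like object (globalThis in Node, window in a browser).
  install(target = globalThis) {
    const self = this;
    target.setTimeout = function (cb, delay, ...args) {
      return self.schedule(cb, delay, ...args);
    };
    return this;
  }

  // Summary a honeyclient would attach to its verdict for the page.
  report() {
    const flagged = this.events.filter((e) => e.verdict === 'beyond-budget');
    return {
      total: this.events.length,
      flagged: flagged.length,
      maxRequestedMs: this.events.reduce((m, e) => Math.max(m, e.requestedMs), 0),
    };
  }
}

// Stand-alone demo on a private target object, so the real global timer
// of the host process is left untouched.
function demo() {
  const page = {};                                  // stands in for `window`
  const warp = new TimerWarp({ budgetMs: 1000 }).install(page);
  page.setTimeout(() => {}, 10);                    // ordinary page timer
  page.setTimeout(() => {}, 10 * 60 * 1000);        // fires long after the scan
  return warp.report();                             // { total: 2, flagged: 1, maxRequestedMs: 600000 }
}

module.exports = { TimerWarp, classifyDelay, normalizeDelay, demo, DEFAULT_BUDGET_MS };
```

Hooking timers is only one half of the countermeasure: code that polls `Date.now()` or `performance.now()` in a loop sees no warp at all, so a real honeyclient also virtualises the clock those APIs return, and the flagged `requestedMs` values themselves are a useful signal, since ordinary pages rarely schedule work many minutes into the future.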
