websecurity@lists.webappsec.org

The Web Security Mailing List


Bypassing of behavioral analysis or malware strikes back

MustLive
Tue, Aug 2, 2011 7:08 PM

Hello participants of Mailing List.

I wrote the article "Bypassing of behavioral analysis or malware strikes
back" (http://websecurity.com.ua/5301/) last week. Here is what it's about.

Last year, in my article "Bypass of systems for searching viruses at web sites"
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-May/006512.html),
I wrote about a method which malware can use for hiding from systems for
searching viruses at web sites (particularly those which work as part of
search engines). It comes down to using cloaking: if a bot of a search engine
(including one which has a built-in antivirus) is visiting a site, then the
malicious code isn't shown, and in other cases it is shown on the pages of the
site.

Since that time the most advanced web antiviruses could fix this shortcoming in
their systems and learn to fight cloaking for better revealing of viruses at
web sites (as was done in my WebVDS already from the first version in 2008).
But there is another method which malware can use for hiding from web
antiviruses; in particular it can be used against systems which are based on
behavioral analysis.

I created the idea of this method already in May, just after my speech at the
conference of UISG and ISACA Kiev Chapter with a report about systems for
revealing infected web sites.

Behavioral analysis is considered a more effective method of revealing
malicious software than the signature or heuristic methods. Among web
antiviruses there are only two systems known to me which use behavioral
analysis: the built-in antiviruses in the search engines Google and Yandex. In
Yandex behavioral analysis was added at the beginning of 2010, and as the
company stated, they were simultaneously using the first technology (from
Sophos, which is obviously based on signatures) and the second one. I'll note
that both of these systems took part in my last year's testing of systems for
searching viruses at web sites, in which out of seven participants Google took
1st place and Yandex 7th place.

Malware can use the following methods for bypassing behavioral analysis:

  1. Revealing the fact that the web page is opened in a browser in a virtual
     machine. Taking into account that via JS/VBS it's impossible to determine
     this, the only effective variant is cloaking, which I told about above.
     But advanced web antiviruses can fight it, so another variant is needed.

  2. Using a delay. Malware can be run with some delay with the purpose of
     bypassing such systems, because using behavioral analysis in a system for
     searching malware at web sites is a resource-intensive process, and such
     systems check every single page for only a limited time. And if one finds
     the maximum time which such systems spend on checking a page (and it can
     be found experimentally), then it's possible to set the code to trigger
     after this time; thus such web antiviruses will be bypassed, but the code
     will execute in the browsers of the real visitors of a site.

So systems which are based on behavioral analysis should take into account
this possibility. And to solve this problem it is necessary to use different
methods of revealing malware in one system.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
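The post's second method relies on the analysis system giving up before a timer fires. One countermeasure on the defender's side, added here as an example that is not code from the post, from WebVDS, or from any search engine's web antivirus, is a "virtual clock": the harness hands the script under test a replacement for setTimeout/setInterval, fires the scheduled callbacks by jumping the clock forward instead of waiting, and records every requested delay so that a payload scheduled beyond the analysis budget is reported rather than missed. It also covers the chained-short-timers variant, where no single delay looks long but the total does. All names (createVirtualClock, analyzeScript, the sample scripts, the 30 s budget) are hypothetical, and the sample scripts are constructed stand-ins for page JavaScript.

```javascript
'use strict';

// Added example (not from the original post, WebVDS, Google or Yandex).
// A minimal virtual clock for a JavaScript analysis harness: callbacks run in
// virtual time, and every requested delay is kept for the report.
// All names below are hypothetical.

function createVirtualClock() {
  let now = 0;          // virtual milliseconds since the start of analysis
  let nextId = 1;
  const pending = [];   // timers not yet fired (unordered)
  const delays = [];    // every delay ever requested, kept for the report

  function schedule(fn, delay, repeat, args) {
    const ms = Math.max(0, Number(delay) || 0);   // browsers clamp bad delays to 0
    const id = nextId++;
    delays.push(ms);
    pending.push({ id, fireAt: now + ms, fn, repeat: repeat ? ms : null, args });
    return id;
  }

  function cancel(id) {
    const i = pending.findIndex((t) => t.id === id);
    if (i !== -1) pending.splice(i, 1);
  }

  // The object handed to the script under test in place of the real globals.
  const timers = {
    setTimeout: (fn, delay, ...args) => schedule(fn, delay, false, args),
    setInterval: (fn, delay, ...args) => schedule(fn, delay, true, args),
    clearTimeout: cancel,
    clearInterval: cancel,
    now: () => now,
  };

  // Fire pending timers in due order, jumping the clock forward instead of
  // waiting. Stops when nothing is pending, when the next timer lies beyond the
  // virtual horizon, or when the callback budget is spent (guards against an
  // interval that never clears itself).
  function runAll(horizonMs, maxCallbacks) {
    let fired = 0;
    while (pending.length > 0 && fired < maxCallbacks) {
      let next = pending[0];
      for (const t of pending) if (t.fireAt < next.fireAt) next = t;
      if (next.fireAt > horizonMs) break;
      cancel(next.id);
      now = next.fireAt;
      if (next.repeat !== null) {           // re-arm an interval before it runs
        next.fireAt = now + next.repeat;
        pending.push(next);
      }
      next.fn(...next.args);
      fired += 1;
    }
    return fired;
  }

  return { timers, runAll, delays, now: () => now };
}

// Run one page script under the virtual clock and summarise what it scheduled.
// `budgetMs` is the wall-clock time a real honeyclient would spend on the page;
// a script whose timers only fire beyond that budget is the delayed execution
// described in the post, so the report flags it.
function analyzeScript(pageScript, opts = {}) {
  const { budgetMs = 30 * 1000, horizonMs = 24 * 3600 * 1000, maxCallbacks = 10000 } = opts;
  const clock = createVirtualClock();
  pageScript(clock.timers);
  const fired = clock.runAll(horizonMs, maxCallbacks);
  return {
    callbacksFired: fired,
    virtualElapsedMs: clock.now(),
    longestDelayMs: clock.delays.reduce((a, b) => Math.max(a, b), 0),
    delayExceedsBudget: clock.now() > budgetMs,
  };
}

// Constructed sample scripts standing in for page JavaScript. The first fires
// its payload after a single 90 s timer; the second chains 5 s timers so that
// no single delay looks long, yet the payload still fires only after 100 s.
function sampleSingleDelay(timers, sink) {
  timers.setTimeout(() => sink.push('payload after 90s'), 90 * 1000);
}

function sampleChainedDelay(timers, sink) {
  let hops = 0;
  const hop = () => {
    hops += 1;
    if (hops < 20) timers.setTimeout(hop, 5000);
    else sink.push('payload after chain');
  };
  timers.setTimeout(hop, 5000);
}

function demo() {
  const results = {};
  const samples = { single: sampleSingleDelay, chained: sampleChainedDelay };
  for (const [name, script] of Object.entries(samples)) {
    const sink = [];   // stands in for the DOM sink the payload would write to
    results[name] = { ...analyzeScript((t) => script(t, sink)), sink };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The value for a detection system is the report, not only the fact that the callback eventually ran: a page whose only activity is scheduled past the analysis budget is itself a signal worth scoring alongside signatures and heuristics, which is the multi-method approach the post recommends. A production harness would also have to hook Date and performance.now so that the script cannot observe the clock jump, and bound the virtual horizon and callback count as done here so that a self-re-arming interval cannot stall the analysis.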

Andrew Petukhov
Wed, Aug 3, 2011 4:55 PM

MustLive,
Do you ever search for related work?
You might want to check out an article "Escape from Monkey Island:
Evading High-Interaction Honeyclients" - you will find many "new"
bypassing techniques, including "Delayed Exploitation".

Best,
Andrew

8/2/11 11:08 PM, MustLive wrote:

> Hello participants of Mailing List.
>
> I wrote the article "Bypassing of behavioral analysis or malware strikes
> back" (http://websecurity.com.ua/5301/) last week. Here is what it's about.
>
> Last year, in my article "Bypass of systems for searching viruses at web sites"
> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-May/006512.html),
> I wrote about a method which malware can use for hiding from systems for
> searching viruses at web sites (particularly those which work as part of
> search engines). It comes down to using cloaking: if a bot of a search engine
> (including one which has a built-in antivirus) is visiting a site, then the
> malicious code isn't shown, and in other cases it is shown on the pages of the
> site.
>
> Since that time the most advanced web antiviruses could fix this shortcoming in
> their systems and learn to fight cloaking for better revealing of viruses at
> web sites (as was done in my WebVDS already from the first version in 2008).
> But there is another method which malware can use for hiding from web
> antiviruses; in particular it can be used against systems which are based on
> behavioral analysis.
>
> I created the idea of this method already in May, just after my speech at the
> conference of UISG and ISACA Kiev Chapter with a report about systems for
> revealing infected web sites.
>
> Behavioral analysis is considered a more effective method of revealing
> malicious software than the signature or heuristic methods. Among web
> antiviruses there are only two systems known to me which use behavioral
> analysis: the built-in antiviruses in the search engines Google and Yandex. In
> Yandex behavioral analysis was added at the beginning of 2010, and as the
> company stated, they were simultaneously using the first technology (from
> Sophos, which is obviously based on signatures) and the second one. I'll note
> that both of these systems took part in my last year's testing of systems for
> searching viruses at web sites, in which out of seven participants Google took
> 1st place and Yandex 7th place.
>
> Malware can use the following methods for bypassing behavioral analysis:
>
>   1. Revealing the fact that the web page is opened in a browser in a virtual
>      machine. Taking into account that via JS/VBS it's impossible to determine
>      this, the only effective variant is cloaking, which I told about above.
>      But advanced web antiviruses can fight it, so another variant is needed.
>
>   2. Using a delay. Malware can be run with some delay with the purpose of
>      bypassing such systems, because using behavioral analysis in a system for
>      searching malware at web sites is a resource-intensive process, and such
>      systems check every single page for only a limited time. And if one finds
>      the maximum time which such systems spend on checking a page (and it can
>      be found experimentally), then it's possible to set the code to trigger
>      after this time; thus such web antiviruses will be bypassed, but the code
>      will execute in the browsers of the real visitors of a site.
>
> So systems which are based on behavioral analysis should take into account
> this possibility. And to solve this problem it is necessary to use different
> methods of revealing malware in one system.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
