Hello participants of Mailing List.
I wrote the article "Bypassing of behavioral analysis or malware strikes
back" (http://websecurity.com.ua/5301/) last week. Here is what it's about.
Last year, in my article "Bypass of systems for searching viruses at web sites"
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-May/006512.html),
I wrote about a method which malware can use to hide from systems that search
for viruses at web sites (particularly those which work as part of search
engines). It comes down to using cloaking: if a search engine's bot (including
one which has a built-in antivirus) is visiting a site, then the malicious code
isn't shown, and in other cases it is shown on the pages of the site.
Since that time the most advanced web antiviruses could fix this shortcoming in
their systems and learn to fight cloaking for better revealing of viruses at
web sites (as was done in my WebVDS already from the first version in 2008).
But there is another method which malware can use to hide from web
antiviruses; in particular, it can be used against systems which are based on
behavioral analysis.
I came up with the idea of this method already in May, just after my talk at
the UISG and ISACA Kiev Chapter conference with a report about systems for
revealing infected web sites.
Behavioral analysis is considered a more effective method of revealing
malicious software than the signature or heuristic methods. Among web
antiviruses there are only two systems known to me which use behavioral
analysis: the built-in antiviruses of the search engines Google and Yandex. In
Yandex, behavioral analysis was added at the beginning of 2010, and as the
company stated, they were simultaneously using both the first technology (from
Sophos, which is obviously based on signatures) and the second one. I'll note
that both these systems took part in my last year's testing of systems for
searching viruses at web sites, in which, out of seven participants, Google
took 1st place and Yandex 7th place.
Malware can use the following methods for bypassing behavioral analysis:
Revealing the fact that the web page is opened in a browser in a virtual
machine. Taking into account that it's impossible to determine this via
JS/VBS, the only effective variant is cloaking, which I told about above. But
advanced web antiviruses can fight it, so another variant is needed.
Using a delay. Malware can be run with some delay with the purpose of
bypassing such systems, because the use of behavioral analysis in a system for
searching for malware at web sites is a resource-intensive process, and such
systems check every single page for only a limited time. And if one finds the
maximum time which such systems spend on checking a page (and it can be found
experimentally), then it's possible to set the code to trigger after this
time, and thus such web antiviruses will be bypassed, but the code will
execute in the browsers of real visitors of the site.
So systems which are based on behavioral analysis should take into account
this possibility. And to solve this problem, it is necessary to use different
methods of revealing malware in one system.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
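One defensive countermeasure to the delay technique described in the post above, as an added example that is not part of MustLive's post or of any scanner named in it: a behavioral web scanner can install a virtual clock in place of the page's timer functions, so that code scheduled for after the scan window fires during the scan and its unusually long delay is recorded for the report. The 60-second scan window, the five-minute timer in the constructed sample page script and all function names are assumptions.

```javascript
function createVirtualClock() {
  const queue = [];             // pending timers, kept sorted by due time
  const log = [];               // every scheduled delay, for the scan report
  const cancelled = new Set();  // ids cleared from inside their own callback
  let now = 0, nextId = 1;      // virtual ms since page load; next timer id
  const sortQueue = () => queue.sort((a, b) => a.due - b.due || a.id - b.id);
  function schedule(fn, delay, repeat) {
    const ms = Math.max(0, Number(delay) || 0);
    const id = nextId++;
    log.push({ id, delay: ms, repeat });
    queue.push({ id, fn, due: now + ms, interval: repeat ? ms : null });
    sortQueue();
    return id;
  }
  function cancel(id) {
    const i = queue.findIndex(t => t.id === id);
    if (i >= 0) queue.splice(i, 1); else cancelled.add(id);
  }
  // Fire timers in due order, jumping virtual time forward instead of waiting;
  // maxTicks bounds re-arming intervals so a tight loop cannot stall the scan.
  function runAll(maxTicks = 1000) {
    let ticks = 0;
    while (queue.length && ticks < maxTicks) {
      const t = queue.shift();
      now = Math.max(now, t.due);
      t.fn();
      ticks++;
      if (t.interval !== null && !cancelled.has(t.id)) {
        t.due = now + t.interval; queue.push(t); sortQueue();
      }
    }
    return ticks;
  }
  return {
    setTimeout: (fn, d) => schedule(fn, d, false),
    setInterval: (fn, d) => schedule(fn, d, true),
    clearTimeout: cancel, clearInterval: cancel, runAll, now: () => now,
    delaysOver: thresholdMs => log.filter(e => e.delay >= thresholdMs),
  };
}
// Constructed, benign stand-in for a page script that waits past the scan window.
const SCAN_WINDOW_MS = 60 * 1000;  // assumed scan budget, not a figure from the post
function scanSample() {
  const clock = createVirtualClock();
  const result = { fired: false, firedAtMs: null };
  clock.setTimeout(() => { result.fired = true; result.firedAtMs = clock.now(); }, 300000);
  clock.runAll();
  result.longDelays = clock.delaysOver(SCAN_WINDOW_MS).length;
  return result;
}
```

In a real scanner the returned functions would be assigned over `window.setTimeout` and friends before the page's scripts run; here the sample calls them through the clock object so the block runs outside a browser.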
MustLive,
Do you ever search for related work?
You might want to check out an article "Escape from Monkey Island:
Evading High-Interaction Honeyclients" - you will find many "new"
bypassing techniques, including "Delayed Exploitation".
Best,
Andrew
8/2/11 11:08 PM, MustLive wrote:
The Web Security Mailing List
websecurity@lists.webappsec.org