SophosLabs at VB2014: How cunning malware fights analysis by security researchers

Malware is constantly getting smarter and harder to detect. Now malware authors are developing new techniques to avoid not just antivirus, but the environments used by security researchers to analyze malware samples, according to new research from SophosLabs.

James Wyke, Senior Threat Researcher with SophosLabs UK, will be presenting his research on these techniques at the Virus Bulletin 2014 conference in Seattle, running 24-26 September.

In a preview of his presentation, James writes at Naked Security that his paper explores several malware families and a variety of techniques used to throw researchers off the trail.

According to James, the use of sandboxing to analyze malware has become invaluable to security researchers, but there are ways for malware to detect that it is running in a sandbox environment and exit immediately.

However, “a subset of malware families are more cunning when they detect an analysis environment,” James explains.

James’s paper details the ways several malware families employ a variety of techniques to throw off researchers or otherwise produce erroneous analysis results, including:

  • How some families, such as Andromeda, display more benign behavior under a virtual machine than on a real machine
  • How Vundo uses decoy command and control addresses to divert attention and potentially induce false positives
  • How Simda builds a blacklist of researcher IP addresses
  • How Shylock distributes dummy configuration files to send analysts down divergent paths

SophosLabs at VB2014

Our SophosLabs researchers will be presenting several other papers at this year’s conference. You can check out the abstracts on the Virus Bulletin website at these links:
