Malware production is a lucrative industry for both the malware writers who sell their work and security companies who sell us, the end users, protection. In order for the malware writers to get paid they need to develop malware that evades detection by the security companies, and in order to do that they’ve come up with some clever, yet quite simple techniques.
Security vendors have to analyze and detect millions of potential threats every year. In so doing they can regularly update the anti-malware software running on our machines and provide up-to-date protection. However, you can’t analyze all potential threats by hand, so automated threat analysis systems are employed. These typically look at suspicious files in a virtual machine and test each one quickly to see if it poses a threat.
The malware developers know such systems exist and have therefore employed countermeasures to try and avoid detection. These measures center around detecting whether they are being run in a virtual environment by checking registry entries, drivers, system services, which ports are available, and what processes are being run. If anything points to a virtual environment being present the malware shuts down and effectively hides from the automated system.
In the never-ending cat-and-mouse game these two parties play, the security vendors can also try to hide the fact that code is being run in a virtual environment, which in turn leads malware writers to develop new ways of detecting one. The latest of these quite simply checks the mouse or goes to sleep before kicking into action.
Symantec has discovered that some malware won’t start running unless it detects activity from the mouse. Why would malware writers do this? Mouse activity comes from a user, and in an automated threat analysis system no user is present, so no mouse activity ever occurs.
Malware checking for mouse activity (upper code segment) and deciding to sleep and then wait to execute (lower code segment)
Some malware has also been found to go to sleep for several minutes and then wait several more minutes once active before infiltrating a system. The reason for this is a typical automated threat analysis system looks at individual files very quickly, so waiting to execute helps ensure the malware is on a real system and not a virtual test environment.
The checks are clever because they are so simple. That simplicity also makes them relatively easy to fool. All Symantec needs to do is add some simulated mouse movement to its testing system to fool the mouse check. As for the malware that waits before executing, it may just be a case of tweaking the system time in order to jolt any sleeping malware into action so it can be detected.
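The two countermeasures above, simulated mouse movement and fast-forwarding time, can be seen working together in a small sandbox harness. This is an added example, not Symantec's tooling or any code from the malware discussed: the Windows calls (GetCursorPos, Sleep) are stood in by plain Python callables, the cursor drift is a constructed elliptical path, and `gated_sample` is a stand-in modelled only on the behaviour the article describes (bail out without mouse activity, otherwise sleep several minutes and wait several more). The harness records every sleep request and advances a virtual clock instead of blocking, so a multi-minute delay costs no wall time, and it reports the long sleep as an indicator in its own right.

```python
"""Sandbox-side countermeasures for mouse-activity and sleep-delay checks.

Added example. SandboxClock skips sleeps by advancing a virtual clock;
drifting_cursor() simulates an idle user's hand; gated_sample() is a
constructed stand-in for the gated behaviour described in the article.
"""
from __future__ import annotations

import math
import time
from dataclasses import dataclass, field
from typing import Callable, Tuple

Point = Tuple[int, int]


@dataclass
class SandboxClock:
    """Virtual clock: each sleep request is recorded and the clock jumps
    forward instead of blocking, so 'sleep five minutes' costs no wall time."""
    now: float = 0.0
    sleeps: list = field(default_factory=list)

    def sleep(self, seconds: float) -> None:
        self.sleeps.append(seconds)
        self.now += seconds


def drifting_cursor(clock: SandboxClock) -> Callable[[], Point]:
    """Cursor position that changes with virtual time (a slow elliptical
    drift): the 'simulated mouse movement' the article suggests."""
    def get_cursor_pos() -> Point:
        t = clock.now
        return (400 + int(30 * math.sin(t)), 300 + int(20 * math.cos(t)))
    return get_cursor_pos


def static_cursor() -> Point:
    """What an unattended VM reports: the pointer never moves."""
    return (0, 0)


def wait_for_user(get_cursor_pos, sleep, polls: int = 10,
                  interval: float = 0.5) -> bool:
    """Stand-in for the mouse-activity gate described in the article
    (constructed for this example): compare successive cursor reads and
    give up if nothing moves during the polling window."""
    first = get_cursor_pos()
    for _ in range(polls):
        sleep(interval)
        if get_cursor_pos() != first:
            return True
    return False


def gated_sample(get_cursor_pos, sleep, payload) -> str:
    """Constructed behaviour modelled on the article: abort without user
    activity, otherwise sleep several minutes, wait a few more, then act."""
    if not wait_for_user(get_cursor_pos, sleep):
        return "aborted"
    sleep(5 * 60)   # "go to sleep for several minutes"
    sleep(3 * 60)   # "wait several more minutes once active"
    payload()
    return "ran"


def analyze(get_cursor_pos, clock: SandboxClock) -> dict:
    """Run the sample under the harness and report what was observed."""
    observed: list = []
    started = time.perf_counter()
    outcome = gated_sample(get_cursor_pos, clock.sleep,
                           lambda: observed.append("payload"))
    longest = max(clock.sleeps, default=0.0)
    return {
        "outcome": outcome,
        "payload_seen": "payload" in observed,
        "virtual_seconds": clock.now,          # time the sample believes passed
        "wall_seconds": time.perf_counter() - started,
        "sleep_calls": len(clock.sleeps),
        "longest_sleep": longest,
        # a sleep of a minute or more before doing anything is itself a signal
        "delay_indicator": longest >= 60,
    }


if __name__ == "__main__":
    print("unattended VM:", analyze(static_cursor, SandboxClock()))
    clk = SandboxClock()
    print("with countermeasures:", analyze(drifting_cursor(clk), clk))
```

Run against the static cursor the sample aborts after a five-second polling window and the payload never appears, which is exactly the blind spot the article describes; with the drifting cursor and the skipping clock it passes the mouse check on the first poll, "sleeps" eight minutes in a few microseconds of wall time, and the report flags the 300-second sleep as a delay indicator worth recording alongside the payload activity.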
More at Symantec, via The H Security