Detection Mechanisms & Evasion Techniques

Static/Signature Detection

A signature is a sequence of bytes or strings within a malware sample that uniquely identifies it.

Other conditions can also be specified, such as variable names and imported functions.

When the security solution scans a program, it attempts to match the program against its list of known rules.

- Hashing Detection

Hashing detection is a subset of static/signature detection.

This method simply stores hashes (e.g. MD5, SHA256) of known malware in a database. A file's hash is then compared against the security solution's hash database to see if there is a positive match.

Evasion Techniques

Payload Encryption and Obfuscation: It is important to note that the more data is encrypted within a file, the higher its entropy. A file with a high entropy score can cause security solutions to flag it or, at the very least, consider it suspicious and place additional scrutiny on it.
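The two static checks described above (hash lookup against a known-bad database, and entropy as a hint that a file carries encrypted or packed data) as an added example from the detection side; this is not code from the original page. The hash "database" holds the digest of a placeholder blob rather than a real IoC, the 7.0 bits-per-byte threshold and the 1024-byte window are tuning assumptions, and the sample inputs are constructed inline.

```python
import hashlib
import math
from collections import Counter

# Constructed hash "database": the digest of a placeholder blob, not a real IoC.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"KNOWN_BAD_SAMPLE_PLACEHOLDER").hexdigest()}

# Shannon entropy is measured in bits per byte; 8.0 is the maximum. Where to draw
# the "suspicious" line is a tuning choice; 7.0 is the assumption used here.
HIGH_ENTROPY_THRESHOLD = 7.0
WINDOW = 1024


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_match(data: bytes, database=KNOWN_BAD_SHA256) -> bool:
    """Exact-match lookup: a single changed byte anywhere in the file defeats it."""
    return sha256_hex(data) in database


def shannon_entropy(data: bytes) -> float:
    if len(data) == 0:
        return 0.0
    counts = Counter(data)
    if len(counts) == 1:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def high_entropy_windows(data: bytes, window=WINDOW, threshold=HIGH_ENTROPY_THRESHOLD):
    """Scan fixed-size windows and return (offset, entropy) for those at or above threshold.
    Windowing matters: a small encrypted blob inside a large plaintext file is diluted
    in the whole-file figure but stands out in its own window."""
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 2:  # skip a short tail; too few bytes to judge
            break
        e = shannon_entropy(chunk)
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def static_triage(data: bytes) -> dict:
    hits = high_entropy_windows(data)
    known = hash_match(data)
    return {
        "sha256": sha256_hex(data),
        "known_bad": known,
        "overall_entropy": round(shannon_entropy(data), 2),
        "high_entropy_windows": len(hits),
        "suspicious": known or bool(hits),
    }


# Constructed samples: repeated ASCII text, and the same text with a pseudo-random
# blob appended (a chain of SHA-256 outputs stands in for an encrypted payload).
SAMPLE_TEXT_LIKE = b"Ordinary ASCII strings as found in a benign resource section. " * 16
SAMPLE_ENCRYPTED_LIKE = SAMPLE_TEXT_LIKE[:512] + b"".join(
    hashlib.sha256(bytes([i])).digest() for i in range(64)
)

if __name__ == "__main__":
    print(static_triage(SAMPLE_TEXT_LIKE))
    print(static_triage(SAMPLE_ENCRYPTED_LIKE))
```

Running it shows why the two checks complement each other: the hash lookup is exact and cheap but blind to any modification, while the entropy scan needs no prior knowledge of the sample but only says "this region does not look like code or text", which legitimately compressed resources also trigger.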

Heuristic Detection

Since signature detection is easily circumvented by minor changes to a malicious file, heuristic detection was introduced to spot suspicious characteristics found in unknown, new and modified versions of existing malware.

- Static Heuristic Analysis

Involves decompiling the suspicious program and comparing code snippets against the known malware recorded in the heuristic database. If a certain percentage of the code matches anything in the heuristic database, the program is flagged.

- Dynamic Heuristic Analysis (Sandbox Detection)

The program is executed inside a virtual environment or sandbox, where the security solution analyzes it for suspicious behavior.

While executing the file, the security solution looks for suspicious actions or actions classified as malicious. For example, allocating memory is not necessarily a malicious action, but allocating memory, connecting to the internet to fetch shellcode, writing the shellcode to memory and executing it, in that sequence, is considered malicious behavior.

Malware developers embed anti-sandbox techniques to detect the sandbox environment. If the malware confirms that it is being executed in a sandbox, it executes benign code; otherwise, it executes malicious code.

Evasion Techniques

Anti-Virtualization

Behavior-based Detection

Once the malware is running, security solutions continue to look for suspicious behavior by the running process.

The security solution looks for suspicious indicators such as loading a DLL, calling a certain Windows API, or connecting to the internet. Once suspicious behavior is detected, the security solution conducts an in-memory scan of the running process. If the process is determined to be malicious, it is terminated.

The best way to avoid behavior-based detection is by making the process behave as benign as possible.
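The ordered-sequence idea from the sandbox section (allocate, fetch, write, execute is malicious as a sequence, while each call alone is not) and the behavior-based monitoring described just above, as one added example of the detection logic rather than code from the original page. The API-name groupings per step, the `pid=<n> api=<Name>` trace format and the trace lines themselves are constructed for illustration; a real EDR's rules are richer and weighted.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# The ordered pattern described in the text: allocate memory, fetch shellcode from the
# network, write it to memory, execute it. Each step lists API names that satisfy it;
# the groupings are an illustrative assumption, not a vendor's rule.
STAGED_LOADER_PATTERN = [
    {"VirtualAlloc", "VirtualAllocEx", "NtAllocateVirtualMemory"},
    {"InternetReadFile", "WinHttpReadData", "recv"},
    {"WriteProcessMemory", "NtWriteVirtualMemory", "RtlMoveMemory"},
    {"CreateThread", "CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC"},
]


@dataclass
class ApiEvent:
    seq: int   # position in the trace
    pid: int
    api: str


def parse_trace(lines) -> List[ApiEvent]:
    """Parse constructed 'pid=<n> api=<Name>' trace lines in arrival order."""
    events = []
    for seq, line in enumerate(lines):
        fields = dict(kv.split("=", 1) for kv in line.split())
        events.append(ApiEvent(seq, int(fields["pid"]), fields["api"]))
    return events


def match_sequence(events: List[ApiEvent], pattern) -> Optional[List[int]]:
    """Return the seq numbers of the events that complete the pattern in order
    (unrelated calls in between are allowed), or None if the order never completes."""
    step, matched = 0, []
    for ev in events:
        if ev.api in pattern[step]:
            matched.append(ev.seq)
            step += 1
            if step == len(pattern):
                return matched
    return None


def flag_processes(lines, pattern=STAGED_LOADER_PATTERN) -> Dict[int, List[int]]:
    """Group the trace by pid and report each process whose calls complete the pattern."""
    by_pid: Dict[int, List[ApiEvent]] = {}
    for ev in parse_trace(lines):
        by_pid.setdefault(ev.pid, []).append(ev)
    findings = {}
    for pid, evs in by_pid.items():
        hit = match_sequence(evs, pattern)
        if hit is not None:
            findings[pid] = hit
    return findings


# Constructed trace. pid 4242 only allocates and starts a thread (ordinary);
# pid 7 performs every step but out of order (fetch before allocate);
# pid 1337 performs the full sequence with unrelated calls interleaved.
SAMPLE_TRACE = [
    "pid=4242 api=VirtualAlloc",       # 0
    "pid=1337 api=GetTickCount",       # 1
    "pid=1337 api=VirtualAlloc",       # 2
    "pid=4242 api=CreateThread",       # 3
    "pid=7 api=InternetReadFile",      # 4
    "pid=1337 api=InternetOpenA",      # 5
    "pid=1337 api=InternetReadFile",   # 6
    "pid=7 api=VirtualAlloc",          # 7
    "pid=1337 api=Sleep",              # 8
    "pid=1337 api=RtlMoveMemory",      # 9
    "pid=7 api=WriteProcessMemory",    # 10
    "pid=1337 api=CreateThread",       # 11
    "pid=7 api=CreateThread",          # 12
]

if __name__ == "__main__":
    print(flag_processes(SAMPLE_TRACE))
```

The strict ordering is deliberate so that the "sequence" point in the text is visible: pid 7 calls every API in the pattern yet is not flagged because it fetched before allocating. A production rule would usually accept either order for those two steps and add time windows; the trade-off is exactly the one the text hints at, since every relaxation catches more variants and also more benign loaders.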

Evasion Techniques

Malware Directory Placement: When executing a binary from disk, it is important to ensure it runs from a location that blends in with the target environment.

https://www.elastic.co/guide/en/security/current/process-execution-from-an-unusual-directory.html
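The detection side of the directory-placement point, as an added example that is not code from the page or from Elastic: a check over constructed process-creation records that flags images launched from directories legitimate software rarely uses. The watch-list is an illustrative subset written in the spirit of the linked rule, not a copy of it, and the sample events are constructed. The normalization step is the part worth copying: without lowercasing, unifying separators and collapsing `..`, a path such as `c:/windows/tasks/..\System32\x.exe` compares differently from what it resolves to.

```python
import fnmatch
import ntpath

# Constructed watch-list of directories from which legitimate software rarely launches
# executables. Illustrative subset in the spirit of the Elastic rule linked above, not
# a copy of it; tune to the environment's real software inventory.
UNUSUAL_EXEC_DIR_PATTERNS = [
    r"C:\PerfLogs\*",
    r"C:\Users\Public\*",
    r"C:\Windows\Tasks\*",
    r"C:\Windows\Temp\*",
    r"C:\Users\*\AppData\Local\Temp\*",
    r"C:\Users\*\Downloads\*",
]


def normalize_windows_path(path: str) -> str:
    """Collapse '..' segments, unify separators and lowercase, so the comparison is made
    against the path the image actually resolves to. ntpath works on any host OS."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def unusual_location(image_path: str):
    """Return the matching watch-list pattern, or None if the path looks ordinary."""
    norm = normalize_windows_path(image_path)
    for pattern in UNUSUAL_EXEC_DIR_PATTERNS:
        if fnmatch.fnmatchcase(norm, ntpath.normcase(pattern)):
            return pattern
    return None


def triage_process_events(events):
    """events: iterable of dicts with 'pid' and 'image' (constructed process-creation records).
    Returns (pid, image, matched_pattern) for every image launched from a watched directory."""
    findings = []
    for ev in events:
        hit = unusual_location(ev["image"])
        if hit is not None:
            findings.append((ev["pid"], ev["image"], hit))
    return findings


# Constructed records covering the normalization cases that matter.
SAMPLE_EVENTS = [
    {"pid": 1001, "image": r"C:\Program Files\Vendor\app.exe"},          # ordinary
    {"pid": 1002, "image": r"C:\Users\Public\update.exe"},               # watched dir
    {"pid": 1003, "image": "c:/windows/tasks/svc.exe"},                  # mixed case and separators
    {"pid": 1004, "image": r"C:\Windows\Tasks\..\System32\svchost.exe"}, # resolves out of the watched dir
    {"pid": 1005, "image": r'"C:\Users\alice\AppData\Local\Temp\setup.exe"'},  # quoted, per-user temp
]

if __name__ == "__main__":
    for finding in triage_process_events(SAMPLE_EVENTS):
        print(finding)
```

Only pids 1002, 1003 and 1005 are reported; 1004 is not, because after normalization it sits in System32. That is the intended behavior for this rule, and also the reason a location check is one signal among several rather than a verdict on its own.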

API Hooking

API hooking is a technique used by security solutions, mainly EDRs, to monitor process or code execution in real time for malicious behavior. API hooking works by intercepting commonly abused APIs and analyzing their parameters in real time.

This is a powerful way of detection because it allows the security solution to see the content passed to the API after it's been de-obfuscated or decrypted. This detection is considered a combination of real-time and behavior-based detection.

There are several ways to bypass API hooks such as DLL unhooking and direct syscalls.

Evasion Techniques

Callback Code Execution: Callback functions can execute malware without using WinAPIs such as VirtualAlloc or CreateThread.

Indirect Syscalls

NTDLL Refreshing

IAT Checking

One of the PE structure components is the Import Address Table or IAT.

The IAT lists the names of the functions the PE uses at runtime, together with the libraries (DLLs) that export them. This information is valuable to a security solution because it reveals which WinAPIs the executable uses.

One solution that evades IAT scanning is the use of API hashing.
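An added example covering both points above, from the analyst's side and not from the original page: first, what an IAT scanner does with the import names it reads (weigh co-occurring APIs, not single names); second, how the same assessment is recovered when a sample hides those names behind API hashing, by precomputing a hash-to-name lookup table for the hashes an analyst finds in the binary. The watched API list and combination rules are constructed for illustration, djb2 stands in for whatever hash a given sample actually uses (that must be recovered from the sample itself), and the IAT and constants are constructed inputs.

```python
from typing import Dict, Iterable, List, Optional

# Names whose presence, and especially co-occurrence, an IAT scanner weighs.
# Constructed list; real products use far larger, weighted tables.
WATCHED_WINAPIS = [
    "VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "WriteProcessMemory",
    "CreateThread", "CreateRemoteThread", "OpenProcess", "LoadLibraryA",
    "GetProcAddress", "InternetOpenA", "InternetReadFile", "IsDebuggerPresent",
]

# Co-occurrence rules (illustrative assumption): every name in a set must be present.
# The dynamic-resolution pair is a weak signal on its own, since benign software uses
# it constantly; it is included because it is what API hashing pairs with.
SUSPICIOUS_COMBINATIONS = {
    "remote-injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "download-and-execute": {"InternetOpenA", "InternetReadFile", "VirtualAlloc", "CreateThread"},
    "dynamic-import-resolution": {"LoadLibraryA", "GetProcAddress"},
}


def assess_import_set(imported: Iterable[str]) -> List[str]:
    """Return the tag of every combination fully covered by the imported API names."""
    present = set(imported)
    return sorted(tag for tag, needed in SUSPICIOUS_COMBINATIONS.items() if needed <= present)


def djb2(name: str) -> int:
    """32-bit djb2 string hash. A widely documented algorithm, used here only so the
    example is self-contained; the hash a given sample uses must be recovered from it."""
    h = 5381
    for b in name.encode("ascii"):
        h = ((h << 5) + h + b) & 0xFFFFFFFF
    return h


def build_hash_lookup(names: Iterable[str], hash_fn=djb2) -> Dict[int, str]:
    """Precompute hash -> name so constants found in a binary can be resolved offline."""
    return {hash_fn(n): n for n in names}


def resolve_constants(constants: Iterable[int], table: Dict[int, str]) -> List[Optional[str]]:
    """Map each constant to a known API name, or None if it is not in the table."""
    return [table.get(c) for c in constants]


def assess_hashed_imports(constants, names=WATCHED_WINAPIS, hash_fn=djb2):
    """Resolve the constants, then apply the same combination rules as for a plain IAT."""
    table = build_hash_lookup(names, hash_fn)
    resolved = [n for n in resolve_constants(constants, table) if n is not None]
    return resolved, assess_import_set(resolved)


# Constructed inputs: an IAT that lists its imports plainly, and a set of 32-bit constants
# standing in for what a disassembler would show in a sample that hashes its API names.
PLAIN_IAT = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "ExitProcess"]
HASHED_CONSTANTS = [djb2(n) for n in ["LoadLibraryA", "GetProcAddress", "VirtualAlloc"]] + [0xDEADBEEF]

if __name__ == "__main__":
    print("plain IAT:", assess_import_set(PLAIN_IAT))
    print("hashed imports:", assess_hashed_imports(HASHED_CONSTANTS))
```

The unresolved constant (0xDEADBEEF here) is the normal case in practice: a lookup table only covers the names it was built from, so the table is regenerated per sample once the hash routine and any seed have been identified, and a hashed binary whose IAT shows little more than LoadLibraryA and GetProcAddress is itself the first thing the scanner notices.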

Evasion Techniques

IAT Hiding, Obfuscation & Camouflage

Manual Analysis

Even if malware bypasses all the aforementioned detection mechanisms, the blue team and malware analysts can still analyze it manually.

Malware developers can implement anti-reversing techniques to make the process of reverse engineering more difficult.

Some techniques include the detection of a debugger and the detection of a virtualized environment.

Evasion Techniques

Anti-Debugging

Anti-Virtualization
