This blog, which follows up on our previous blog and is part of our series on different malware evasion techniques, will focus on various methods employed by malware to detect and avoid Analysis/Sandbox environments which are unrelated to the virtualization infrastructure itself and are aimed more generally at dynamic analysis avoidance.
Time-delay based avoidance
One of the simplest and long-lasting methods of analysis and sandbox avoidance is based on the simple premise that any sandbox will only allocate a finite amount of time (usually only several minutes) for each given analysis before moving to the next sample in its queue.
By delaying its execution beyond this timeframe malware can hide its malicious actions and activities from the sandbox. This is commonly accomplished either by using the “Sleep” or “NtDelayExecution” Windows APIs, which some sandboxes patch in order to circumvent this behavior. As a result of this, some malware has evolved to detect these patches as an additional indicator of an analysis/sandbox environment. This is done by taking a timestamp, going to sleep, and checking the timestamp upon waking up. If the time difference from the previously taken timestamp is substantially different than the time the malware was programmed to sleep, the malware will avoid or adjust its execution. An example of a similar timestamping mechanism can be found in MyloBot, which Deep Instinct discovered during the summer of 2018.
Over time malware developers have also added methods to avoid sandboxes and analysis environments by performing various checks to see if there is an actual user operating the machine the malware is being executed on.
Over time malware developers have gained insight into the tools commonly used by malware researchers and analysts and have modified their malware accordingly to avoid or adjust its execution if such tools are detected as present or active on the executing machine. These tools include debuggers, disassemblers, networking monitoring utilities/sniffers and other utilities.
By employing any number of combinations of the above and previously described checks, methods, and techniques, malware can gain a substantial degree of environmental awareness and avoid or adjust its execution if it detects it is being executed in an undesirable environment.
The cat and mouse game between malware developers and malware researchers and analysts is constantly afoot, with each side developing their own ways and means to either avoid or improve detection.