Malware Poised to Avoid Behavioral Analysis
Ever since virus writers began using mutating (polymorphic) code to evade signature-based detection, anti-virus programs have relied on behavioral analysis to spot malware. This technique depends on executing the suspect code in a virtual machine, or sandbox, and watching what it does. Now The Register is reporting, in Destroying sandboxes, that this AV technique may be threatened:
Some malware authors have already developed their code to the point where it can identify when it is being operated in a virtual machine, and so neutralise the malicious behaviour. The point of this approach is to make the analysis of their malware more difficult for the anti-malware developers, as they cannot observe the suspicious code engaging in malicious activity. Other malware can identify when a debugger is attached and respond accordingly (some even with targeted attacks against debuggers such as IDA).
The article concludes that it won't be long before we see full-blown malware using these techniques:
Based on previous related cases where code has gone from demonstration to application, specialised targeting using similar approaches in the wild is expected within six to eight weeks, with general attack usage viable within 12 to 18 weeks.
This is another example of the tightly coupled co-evolution of malware and anti-malware. The big question now is how long it will take AV researchers to develop a way of detecting the probes (the VM and debugger checks) that this kind of malware relies on.
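To make the article's description concrete, here is an added example (not code from The Register or from any of the malware it describes) of the kind of environment probes such samples run: a ptrace/debugger check via TracerPid in /proc/self/status, DMI product and vendor strings, NIC MAC OUIs registered to hypervisor vendors, and a check for sleep acceleration. The probes are written as pure functions over their inputs so they can be exercised offline; the hypervisor marker list and the 0.9 sleep tolerance are assumptions chosen for illustration, and the OUI table is a short subset of the public registrations. A sandbox operator can run the same checks to audit what their own analysis VM leaks.

```python
"""Sandbox/debugger probes of the kind anti-analysis malware uses.

Added example for illustration; marker list and thresholds are assumptions.
"""
import os
import re
import time

# Strings that commonly appear in DMI/SMBIOS fields of virtual machines.
# Assumption: an illustrative list, not an exhaustive or authoritative one.
VM_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "kvm", "xen",
              "hyper-v", "virtual machine", "bochs", "parallels")

# MAC OUI prefixes registered to virtualisation vendors (subset of public values).
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "52:54:00": "QEMU/KVM",
}


def tracer_pid(proc_status_text):
    """Return the TracerPid value from the text of /proc/<pid>/status.

    Linux sets TracerPid to the PID of the process that ptrace()d this one,
    so a nonzero value means a debugger (gdb, strace, ...) is attached.
    """
    m = re.search(r"^TracerPid:\s*(\d+)\s*$", proc_status_text, re.MULTILINE)
    return int(m.group(1)) if m else 0


def dmi_looks_virtual(product_name, sys_vendor=""):
    """True if the DMI product/vendor strings name a known hypervisor."""
    haystack = f"{product_name} {sys_vendor}".lower()
    return any(marker in haystack for marker in VM_MARKERS)


def mac_vendor(mac):
    """Map a MAC address to a virtualisation vendor by its OUI, or None."""
    return VM_MAC_OUIS.get(mac.strip().lower()[:8])


def sleep_was_skipped(requested_s, observed_s, tolerance=0.9):
    """Sandboxes often fast-forward long sleeps to shorten analysis time.

    If less than `tolerance` of the requested delay actually elapsed on the
    wall clock, the environment is probably accelerating time.
    """
    return observed_s < requested_s * tolerance


def evasion_verdict(status_text, product_name, sys_vendor, macs,
                    requested_sleep_s, observed_sleep_s):
    """Combine the probes into the list of reasons a sample would refuse to run."""
    reasons = []
    pid = tracer_pid(status_text)
    if pid:
        reasons.append(f"debugger attached (TracerPid={pid})")
    if dmi_looks_virtual(product_name, sys_vendor):
        reasons.append(f"DMI names a hypervisor ({product_name!r})")
    for mac in macs:
        vendor = mac_vendor(mac)
        if vendor:
            reasons.append(f"NIC {mac} has {vendor} OUI")
    if sleep_was_skipped(requested_sleep_s, observed_sleep_s):
        reasons.append("sleep was fast-forwarded")
    return reasons


def probe_this_host(sleep_s=0.05):
    """Run the probes against the live Linux host (returns [] on other OSes)."""
    def read(path):
        try:
            with open(path) as f:
                return f.read().strip()
        except OSError:
            return ""

    macs = []
    try:
        for iface in os.listdir("/sys/class/net"):
            if iface != "lo":
                macs.append(read(f"/sys/class/net/{iface}/address"))
    except OSError:
        pass
    start = time.perf_counter()
    time.sleep(sleep_s)
    observed = time.perf_counter() - start
    return evasion_verdict(read("/proc/self/status"),
                           read("/sys/class/dmi/id/product_name"),
                           read("/sys/class/dmi/id/sys_vendor"),
                           macs, sleep_s, observed)


if __name__ == "__main__":
    for reason in probe_this_host():
        print("analysis environment suspected:", reason)
```

Run it under gdb or strace on a VirtualBox or VMware guest and every probe fires; run it on bare metal and it stays quiet. Each of these signals is cheap for a sandbox to hide (rewrite the DMI strings, use a non-vendor OUI, stop accelerating sleeps, keep ptrace out of the guest), which is why the counter-measure the post asks about is mostly a matter of knowing which artifacts the malware reads.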