Malware 101: How Malware Avoids Static Detection Techniques

In order to successfully execute their malware on endpoints, attackers need to design their code to evade two categories: static detection (when the code is at rest) and behavioral detection (when the code is executing).

As a security professional, understanding how an attacker utilizes a combination of evasion techniques can provide insight into how you deploy appropriate security controls.

Malware authors and attackers design their attacks to use various methods to attempt to evade static detection techniques which detect the file itself, prior to or after it has executed. In last week’s Malware 101, we focused on The Malware Tools That Attackers Use. This week, we dive deeper into the tools that attackers use to avoid static detection.

Static Detection Avoidance Techniques:

  • Polymorphic Malware: Malware that alters itself with each execution and aims to defeat signature-based detection. Recent examples include Locky, CryptoLocker and Petya.
  • Packers: Designed to reduce the size of malware and to obfuscate its contents. Most popular is Ultimate Packer for Executables (UPX), though not all UPX files are malicious. It is not unusual for all files using a particular packer to be detected by a particular product,causing false positives. Examples include UPX, Asprox, Themida, MPRESS, PECompact and ASPack.
  • Crypters: Similar to packers, crypters compress executables but they also make samples difficult to reverse engineer. In order to evade sandboxes, including those used by anti-virus (and similar) vendors to triage samples, crypters also include virtual machine detection. Examples include Aegis Crypter, Cryptix, RooT.Crypter, Hunger Crypter and Lime Crypter.
  • High-end Crypters: Purchased on the dark web using cryptocurrency, high end crypters come with a unique, custom stub generator that decrypts and loads the actual malicious code. A unique stub is more likely to evade detection and likely to be used in targeted attacks. Examples include Aegis and Armadillo.
  • Custom Packer: If not using a crypter, most recent malware will use a custom packer as this reduces the likelihood of detections based on known packers. They will also make the sample appear less malicious by appearing to make calls to common, benign operating system functions – excluding potentially suspicious calls, such as those to cryptographic or network functions.
  • Downloaders/Droppers: These samples are not themselves malicious, they may not even attempt to remain persistent (i.e. survive a reboot) on the system. As the name suggests, a downloader can either download the malicious payload as an encrypted file or a dropper could decrypt the malicious code it is carrying and execute it.

Gaining a better understanding of how attacks happen and how you can best avoid them, we encourage you to download our popular whitepaper, Always-On Next Generation Malware Detection. It discusses the limits of endpoint-based security solutions, why malware is still succeeding, the advantages of network-based malware detection and how you can enable better detection with the power of machine learning.

All Threat Reports