
Evasive Windows Malware: Impact on Antiviruses and Possible Countermeasures

Cédric Herzog, Valérie Viet Triem Tong, Pierre Wilke, Arnaud Van Straaten, and Jean-Louis Lanet (a)
Inria, CentraleSupélec, Univ Rennes, CNRS, IRISA, Rennes, France

To cite this version: Cédric Herzog, Valérie Viet Triem Tong, Pierre Wilke, Arnaud van Straaten, Jean-Louis Lanet. Evasive Windows Malware: Impact on Antiviruses and Possible Countermeasures. SECRYPT 2020 - 17th International Conference on Security and Cryptography, Jul 2020, Lieusaint - Paris, France. pp.302-309, 10.5220/0009816703020309. HAL Id: hal-02949067, https://hal.archives-ouvertes.fr/hal-02949067, submitted on 25 Sep 2020.

Keywords: Antivirus, Evasion, Windows Malware, Windows API

Abstract: The perpetual opposition between antiviruses and malware leads both parties to evolve continuously. On the one hand, antiviruses put in place solutions that are more and more sophisticated and propose more complex detection techniques in addition to the classic signature analysis. This sophistication leads antiviruses to leave more traces of their presence on the machine they protect.
To remain undetected as long as possible, malware can avoid executing within such environments by hunting down the modifications left by the antiviruses. This paper aims at determining the possibilities for malware to detect the antiviruses and then evaluating the efficiency of these techniques on a panel of antiviruses that are the most used nowadays. We then collect samples showing this kind of behavior and propose to evaluate a countermeasure that creates false artifacts, thus forcing malware to evade.

1 INTRODUCTION

There is a permanent confrontation between malware and antiviruses (AVs).1 On the one hand, malware mainly intend to infect devices in a short amount of time, while remaining undetected for as long as possible. On the other hand, of course, AVs aim at detecting malware in the fastest way possible.

When a new malware is detected, AVs perform further analysis to produce a signature and keep their database up-to-date quickly. Malware authors, willing to create long-lasting malware at low cost, can then use simple methods to avoid being detected and analyzed deeply by these AVs. To this end, a malware can search for the presence of traces or artifacts left by an AV, and then decide whether or not to execute its malicious payload. We call such a malware an evasive malware.

This article focuses on the evaluation of the evasion techniques used by Windows malware in the wild. First, we evaluate how common AVs cope both with unknown malware and well-known evasion techniques. To this end, we develop and use Nuky, a ransomware targeting Windows and implementing several evasion techniques.

Second, we design and evaluate a countermeasure, mentioned by (Chen et al., 2008) and (Chen et al., 2016), that simply consists of reproducing the presence of the artifacts on computers by instrumenting the Windows API in order to force malware to evade. The purpose of this countermeasure is to limit the infection's spread and not to replace malware detection. We study the impact of this approach on both malware and legitimate software before concluding on its limitations. To evaluate these experiments, we create a small dataset and discuss the problem of collecting evasive samples.

We give an overview of AV abilities and evasion techniques in Section 3 and Section 4. We evaluate AVs' abilities to detect new evasive malware in Section 5. Then, we present the countermeasure and the construction of the dataset used for its evaluation in Section 6 and Section 7. Finally, before concluding, we discuss the limitations of this study in Section 8.

a https://orcid.org/0000-0002-4751-3941
1 https://www.av-test.org/en/statistics/malware/

2 STATE OF THE ART

There are multiple definitions of evasive malware in the literature. For instance, (Naval et al., 2015) define environment-reactive malware as:

    Detection-aware malware carrying multiple payloads to remain invisible to any protection system and to persist for a more extended period. The environment aware payloads determine the originality of the running environment. If the environment is not real, then the actual malicious payload is not delivered. After detecting the presence of a virtual or emulated environment, malware either terminates its execution or mimics a benign/unusual behavior.

However, this definition designates malware aiming at detecting virtual or emulated environments only. We complete this definition using part of the proposition made by (Tan and Yap, 2016) that calls a malware detecting "dynamic analysis environments, security tools, VMs, etc., as anti-analysis malware". We choose to use this definition for the term "evasive malware" instead of the proposed terms "environment-reactive malware" or "anti-analysis malware", because we believe this is the term that is the most used by both researchers and malware writers.

One possibility for malware to detect unwanted environments is to search for specific artifacts present only in these environments. For instance, (Blackthorne et al., 2016) detail an experiment that extracts fingerprints about AVs' emulators, and (Yokoyama et al., 2016) extract predefined features from a Windows computer. Once the artifacts have been harvested, malware can then decide whether they are running in an AV environment or a standard environment. Malware then use these artifacts to create evasion tests, as described by (Bulazel and Yener, 2017), (Afianian et al., 2020) and (Miramirkhani et al., 2017). It is also possible to artificially add artifacts by using implants, as detailed by (Tanabe et al., 2018).

To detect evasive malware, we can compare the malware's behavior when launched in an analysis environment and on a bare-metal environment. To compare behaviors, (Kirat and Vigna, 2015) search for differences in the system call traces. (Kirat et al., 2014) extract raw data from the disk of each environment and compare file and registry operations, among others, to detect a deviation of behavior. Finally, (Lindorfer et al., 2011) compare the behavior of malware between multiple analysis sandboxes and discover multiple evasion techniques.

It is possible to create an analysis environment that is indistinguishable from a real one, called a transparent environment, as presented by (Dinaburg et al., 2008). However, (Garfinkel et al., 2007) express reservations about the possibility of creating a fully transparent environment since, for them, "virtual and native hardware are likely to remain dissimilar".

For this reason, we decide to do the opposite of a transparent environment by creating an environment containing artificial dissimilarities. To the best of our knowledge, this idea was already discussed by (Chen et al., 2008) but never tested on real malware.

3 ANTIVIRUS ABILITIES

AVs are tools that aim at detecting and stopping the execution of new malware samples. They are an aggregate of many features designed to detect the malware's presence by different means, as described by (Koret and Bachaalany, 2015). Using these features incurs overhead that, if too significant, can hinder the use of legitimate programs. In order to stay competitive, AV editors have to limit this overhead. For this reason, it is difficult for them to apply time-demanding techniques.

Most AVs use signature checking, for instance by comparing the file against a database of specific strings. The signature database needs to be updated regularly to detect the latest discovered malware.2,3 Fewer AVs use features that produce significant overheads, such as running the malware in an emulator.4,5

During its installation, an AV adds files and modifies the guest OS. For instance, an AV can load its features by manually allocating memory pages or by using the LoadLibrary API to load a DLL file, as described by (Koret and Bachaalany, 2015). As we detail in the following section, evasive malware can detect these modifications and then adapt their behavior.

Once a new malware is detected, AVs send the sample to their server for further analysis. To analyze malware more deeply, an analyst can use multiple tools such as debuggers to break at particular instructions, or Virtual Machines (VMs) and emulators to analyze it in a closed environment. A malware willing to last longer can then try to complicate the analyst's work by using anti-debugger or anti-VM techniques to slow down the analysis.

2 https://support.avast.com/en-us/article/22/
3 https://www.kaspersky.co.uk/blog/the-wonders-of-hashing/3629/
4 https://i.blackhat.com/us-18/Thu-August-9/us-18-Bulazel-Windows-Offender-Reverse-Engineering-Windows-Defenders-Antivirus-Emulator.pdf
5 https://eugene.kaspersky.com/2012/03/07/emulation-a-headache-to-develop-but-oh-so-worth-it/

4 AV EVASIONS

In the previous section, we gave details about the environment in which we are interested. We now detail possible ways for evasive malware to detect the presence of such environments.

Table 1: Artifacts searched by Nuky for each category.

Artifacts                  | Debugger | AV | VM
Process Names              |    ×     | ×  | ×
GUI Windows Names          |    ×     |    |
Debugger registers values  |    ×     |    |
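The behavioral comparison described in Section 2 (searching for differences between the system-call trace of a bare-metal run and that of an analysis run, as in Kirat and Vigna) can be illustrated with a small trace differ. This is an added example, not code from the paper or from Nuky: the two traces are constructed by hand, the call names are ordinary Windows API names, and "sandbox-agent.exe" is a placeholder for whatever process-name artifact the analysis environment exposes.

```python
from difflib import SequenceMatcher

# Constructed sample traces (not taken from the paper): (call, argument) pairs
# as a tracer would record them. On bare metal the sample reaches its payload;
# in the analysis run it enumerates an unexpected process name and terminates.
BARE_METAL_TRACE = [
    ("NtOpenFile", "C:\\Users\\victim\\Documents"),
    ("CreateToolhelp32Snapshot", "TH32CS_SNAPPROCESS"),
    ("Process32Next", "explorer.exe"),
    ("Process32Next", "svchost.exe"),
    ("FindWindowA", "debugger-window-name"),
    ("NtCreateFile", "C:\\Users\\victim\\Documents\\report.docx.locked"),
    ("NtWriteFile", "report.docx.locked"),
    ("NtDeleteFile", "report.docx"),
]
ANALYSIS_TRACE = [
    ("NtOpenFile", "C:\\Users\\victim\\Documents"),
    ("CreateToolhelp32Snapshot", "TH32CS_SNAPPROCESS"),
    ("Process32Next", "explorer.exe"),
    ("Process32Next", "sandbox-agent.exe"),   # placeholder artifact name
    ("NtTerminateProcess", "self"),
]

def compare_traces(bare_metal, analysis):
    """Align the two runs by call name and report where they stop agreeing."""
    names_bare = [call for call, _ in bare_metal]
    names_ana = [call for call, _ in analysis]
    ops = SequenceMatcher(a=names_bare, b=names_ana, autojunk=False).get_opcodes()
    tag, _, i2, _, _ = ops[0]
    prefix = i2 if tag == "equal" else 0      # leading calls that match by name
    # Inside that prefix, the first argument that differs is the artifact the
    # sample most likely reacted to (here: the process name it enumerated).
    trigger = next(((k, bare_metal[k][1], analysis[k][1]) for k in range(prefix)
                    if bare_metal[k][1] != analysis[k][1]), None)
    return {
        "diverges": prefix < max(len(bare_metal), len(analysis)),
        "prefix": prefix,
        "trigger": trigger,
        "bare_metal_only": bare_metal[prefix:],
        "analysis_only": analysis[prefix:],
    }

def verdict(report, payload_calls=("NtCreateFile", "NtWriteFile", "NtDeleteFile")):
    """'evasive' when payload-like calls happen only on bare metal."""
    if not report["diverges"]:
        return "consistent"
    bare_payload = {c for c, _ in report["bare_metal_only"] if c in payload_calls}
    ana_payload = {c for c, _ in report["analysis_only"] if c in payload_calls}
    return "evasive" if bare_payload and not ana_payload else "divergent"
```

The reported trigger (the process-name argument that differs between the two runs) is exactly the kind of artifact the countermeasure of Section 6 reproduces on purpose.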