Popular virtualization evasion techniques

In most cases, hackers "case out" their targets before attacking. They do this by collecting information about the system and internal network, which gives an idea of how they can profit from an attack and helps to plan further actions. Of course, the attackers need to be sure they have accessed a real workstation on a company's infrastructure, and not a mere sandbox, a virtual environment designed to analyze the behavior of executable files. That is why modern malware has capabilities for detecting and evading protection mechanisms, as well as for hiding malicious functionality if run in a sandbox or code analyzer. We have analyzed 36 malware families used by at least 23 APT groups around the world during the period from 2010 through the first half of 2020. The selection was made based on MITRE data and information about new malware samples analyzed by the PT Expert Security Center. In this research, we will show how sandbox evasion techniques have evolved in the last 10 years.

The virtual machine has a built-in agent (special process) that manages the system, in addition to getting and passing events and artifacts of interest. When a new process is generated, the sandbox intercepts API function calls (changes to an address in process memory or changes to code in a function body). This approach has one significant drawback: the sandbox needs to conceal and protect agent-related objects from malware.

These sandboxes use second level address translation (SLAT), a form of hardware-assisted virtualization built into CPUs. AMD processors support SLAT through Rapid Virtualization Indexing (RVI), while Intel's implementation is known as Extended Page Table (EPT). Extended page tables are nested between the guest physical memory and the host virtual memory.

- Examine memory pages of the guest machine.
- Identify important parts (for example, parts containing addresses or code of kernel functions).
- Mark selected pages to separate EPT memory access rights from guest machine access rights.
- Intercept attempts to access marked memory regions (if this happens, an EPT violation error will occur and the guest machine will be stopped).
- Analyze the memory state and extract information about an event.
- Mark the memory page anew to return it to the correct state.
- Restore operation of the guest machine.

All these actions are observed from outside the sandbox: malware cannot detect that it is being watched.

Sandbox evasion and anti-analysis techniques are found most frequently in remote access tools (accounting for 56% of the malware in our dataset) and loaders (14%). These types of malware are used to perform reconnaissance and gather information about the target system. If attackers spot that their malware is running inside a virtual environment, they will not continue their attack and will not download the payload. Instead, they will attempt to maintain stealth by terminating execution of the malware.
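The EPT-based monitoring cycle described above, reduced to a toy model (an added example, not code from the report or from any sandbox product): every guest-physical page carries two independent permission sets, the guest's own and the hypervisor's EPT entry, and the monitor edits only the EPT one, so an in-guest query sees no change. Page addresses, page contents and process names are constructed.

```python
from dataclasses import dataclass
@dataclass
class Page:
    guest_perms: str   # rights the guest set in its own page tables
    ept_perms: str     # rights the hypervisor set in the EPT entry
    content: str       # constructed stand-in for kernel code or data

class EptMonitor:
    """Hypervisor-side monitor: it edits only the EPT layer of each page."""
    def __init__(self, pages):
        self.pages = pages
        self.events = []

    def mark(self, addr, watch="wx"):
        # Strip the watched rights from the EPT entry only. The guest's own
        # page-table entry keeps "rwx", so nothing changes from its viewpoint.
        p = self.pages[addr]
        p.ept_perms = "".join(c for c in p.guest_perms if c not in watch)

    def access(self, addr, kind, actor):
        # Models one guest memory access; kind is "r", "w" or "x".
        p = self.pages[addr]
        if kind in p.ept_perms:
            return "ok"                  # permitted by EPT: no trap, full speed
        # EPT violation: the guest is stopped and the monitor records the event.
        self.events.append({"addr": hex(addr), "kind": kind,
                            "actor": actor, "content": p.content})
        marked = p.ept_perms
        p.ept_perms = p.guest_perms      # lift the mark so the access completes
        p.ept_perms = marked             # re-mark the page, then resume the guest
        return "trapped"

def guest_query_protection(monitor, addr):
    # An in-guest query can only see the guest layer, which was never changed.
    return monitor.pages[addr].guest_perms

def run_scenario():
    # Constructed guest memory: one kernel-code page and one ordinary data page.
    pages = {0x1000: Page("rwx", "rwx", "kernel syscall dispatch stub"),
             0x2000: Page("rw", "rw", "process heap")}
    mon = EptMonitor(pages)
    mon.mark(0x1000)                     # watch writes and execution of the stub
    results = [
        mon.access(0x2000, "w", "explorer.exe"),  # unmarked page: never traps
        mon.access(0x1000, "r", "explorer.exe"),  # reads are still allowed
        mon.access(0x1000, "x", "sample.exe"),    # execution of watched code
        mon.access(0x1000, "w", "sample.exe"),    # attempt to patch the stub
    ]
    return results, mon.events, guest_query_protection(mon, 0x1000), pages[0x1000].ept_perms
```

Only the two accesses to the marked page by the constructed "sample.exe" produce events, and after both traps the page is still marked while the guest-visible protection remains "rwx".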