Some malware is using stalling code to evade dynamic analysis

MrBrian · Nov 30, 2011

From paper "Power of Procrastination - Detection and Mitigation of Execution-Stalling Malicious Code" (hxxp://www.iseclab.org/papers/acm_ccs11_hasten.pdf):

One recent form of evasion against dynamic analysis systems is stalling code. Stalling code is typically executed before any malicious behavior. The attacker’s aim is to delay the execution of the malicious activity long enough so that an automated dynamic analysis system fails to extract the interesting malicious behavior. This paper presents the first approach to detect and mitigate malicious stalling code, and to ensure forward progress within the amount of time allocated for the analysis of a sample. Experimental results show that our system, called HASTEN, works well in practice, and that it is able to detect additional malicious behavior in real-world malware samples.
Click to expand...

Even when considering the entire data set of 29,102 malware programs, a surprisingly large number of samples contains stalling code. This demonstrates that execution stalling is not a purely theoretical problem. Instead, a non-trivial fraction of malware in the wild already includes such evasive techniques. Thus, it is crucial that sandboxes are improved to handle this threat.
Click to expand...

This paper is from the people who developed Anubis.

Hungry Man · Nov 30, 2011

Very interesting. Thank you MrBrian.

MrBrian · Nov 30, 2011

You're welcome .

For those that didn't read the paper, the stalling code typically takes much longer to execute in the dynamic analysis environment than on a real machine.

Hungry Man · Nov 30, 2011

Do legitimate applications ever use stalling code?

MrBrian · Nov 30, 2011

Hungry Man said:

Do legitimate applications ever use stalling code?
Click to expand...

Yes by accident; malware can do it accidently too.

Hungry Man · Nov 30, 2011

I see.

I'll give the full article a read tomorrow.

trismegistos · Nov 30, 2011

I haven't read the full article of the OP. But below seems to have implemented another type of stalling/delaying code in a different way to bypass AV?

http://www.room362.com/blog/2011/5/30/remote-dll-injection-with-meterpreter.html

Recently Didier Stevens wrote 'Suspender.dll' which is a DLL that will suspend a process and all of it's child processes after a delay. 60 seconds is it's default but you can rename the DLL to add a number (as such 'Suspender10.dll' for 10 seconds) to make the delay whatever you wish. You can find the blog post and download here: http://blog.didierstevens.com/2011/04/27/suspender-dll/

Jonathan Cran and I had the same idea, as I'm sure many others did as well. This might work against AntiVirus setups that protect themselves from being killed or their services stopped.
Click to expand...

Log in or Sign up

Some malware is using stalling code to evade dynamic analysis

MrBrian Registered Member

Hungry Man Registered Member

MrBrian Registered Member

Hungry Man Registered Member

MrBrian Registered Member

Hungry Man Registered Member

trismegistos Registered Member

Log in or Sign up

Some malware is using stalling code to evade dynamic analysis

MrBrian Registered Member

Hungry Man Registered Member

MrBrian Registered Member

Hungry Man Registered Member

MrBrian Registered Member

Hungry Man Registered Member

trismegistos Registered Member

Useful Searches