Some malware is using stalling code to evade dynamic analysis

Discussion in 'malware problems & news' started by MrBrian, Nov 30, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From paper "Power of Procrastination - Detection and Mitigation of Execution-Stalling Malicious Code" (hxxp://www.iseclab.org/papers/acm_ccs11_hasten.pdf):
    This paper is from the people who developed Anubis.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Very interesting. Thank you MrBrian.
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    For those that didn't read the paper, the stalling code typically takes much longer to execute in the dynamic analysis environment than on a real machine.
     
    Last edited: Nov 30, 2011
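A defender-side illustration of the point in the post above, added here and not taken from the thread or from the paper: a sandbox that compares its own wall clock against observable progress (hooked API calls) can flag a sample that burns its analysis budget without doing anything. The trace, the API names and the thresholds are constructed for the example; the paper's real system is not reproduced here.

```python
"""Progress-based stall detection over a constructed sandbox API trace.

Added example, not code from the thread or the paper. Heuristic: wall-clock
time keeps advancing in the sandbox, but a stalling loop in user mode produces
no hooked API calls, so long silent gaps are a signal that the analysis budget
is being eaten before the real behaviour appears.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiEvent:
    t: float    # seconds since the sample started (sandbox wall clock)
    api: str    # name of the hooked API call


# Constructed trace: short startup activity, a long gap with no API calls
# (a user-mode loop), then network activity that a short analysis run would
# never reach.
TRACE = [
    ApiEvent(0.01, "GetModuleHandleW"), ApiEvent(0.02, "LoadLibraryW"),
    ApiEvent(0.05, "RegOpenKeyExW"),    ApiEvent(0.06, "RegQueryValueExW"),
    ApiEvent(0.09, "CreateFileW"),
    ApiEvent(240.3, "InternetOpenW"),   ApiEvent(240.4, "InternetConnectW"),
]


def find_stalls(trace, budget, max_gap=30.0):
    """Return (start, end) intervals with no API activity longer than max_gap.

    The interval between the last event and the end of the budget counts too:
    a sample that goes quiet until the sandbox times out is the very case the
    stalling technique aims for.
    """
    stalls = [(a.t, b.t) for a, b in zip(trace, trace[1:]) if b.t - a.t > max_gap]
    if trace and budget - trace[-1].t > max_gap:
        stalls.append((trace[-1].t, budget))
    return stalls


def is_stalling(trace, budget=300.0, max_gap=30.0):
    """Flag a run that spends more than half of its budget in silent gaps, so the
    analyst can extend the budget or re-run with the quiet region skipped."""
    silent = sum(end - start for start, end in find_stalls(trace, budget, max_gap))
    return silent > budget / 2


if __name__ == "__main__":
    print(find_stalls(TRACE, budget=300.0), is_stalling(TRACE))
```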
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Do legitimate applications ever use stalling code?
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Yes, by accident; malware can do it accidentally too.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I see.

    I'll give the full article a read tomorrow.
     
  7. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    I haven't read the full article from the OP. But the post below seems to have implemented another type of stalling/delaying code, in a different way, to bypass AV?

    http://www.room362.com/blog/2011/5/30/remote-dll-injection-with-meterpreter.html

     
    Last edited: Nov 30, 2011