Some malware is using stalling code to evade dynamic analysis

Discussion in 'malware problems & news' started by MrBrian, Nov 30, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From paper "Power of Procrastination - Detection and Mitigation of Execution-Stalling Malicious Code" (hxxp://www.iseclab.org/papers/acm_ccs11_hasten.pdf):
    This paper is from the people who developed Anubis.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Very interesting. Thank you MrBrian.
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    For those that didn't read the paper, the stalling code typically takes much longer to execute in the dynamic analysis environment than on a real machine.
     
    Last edited: Nov 30, 2011
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Do legitimate applications ever use stalling code?
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Yes by accident; malware can do it accidently too.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I see.

    I'll give the full article a read tomorrow.
     
  7. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    I haven't read the full article of the OP. But below seems to have implemented another type of stalling/delaying code in a different way to bypass AV?

    http://www.room362.com/blog/2011/5/30/remote-dll-injection-with-meterpreter.html

     
    Last edited: Nov 30, 2011
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.