‘Shylock’ malware joins the list of malicious programs enhancing their defenses to avoid lab analysis.
Like any other group of businessmen, cybercriminals want to protect their investments.
In the case of malware, that means avoiding research and analysis. The author of the financial malware platform known as Shylock has added a new mechanism to identify and avoid the remote desktop environments commonly used by researchers when analyzing malware. Suspected malware samples are collected for analysis and placed onto machines that are isolated in an operations center (“lab”). Rather than sitting in front of a rack of physical machines in a cold basement lab, researchers use remote desktop connections to study malware from the convenience of their offices. It is this human laziness/weakness that Shylock exploits. Advanced malware is now capable of detecting remote desktop environments to evade researchers.
The Shylock “dropper” does this by feeding invalid data into a particular routine and then watching the error code that gets returned. It uses this return code to differentiate between normal desktops and lab environments. When executed from a remote desktop session, the return code will be different and the malware will not install.
The dropper dynamically loads Winscard.dll and calls the function SCardForgetReaderGroupA(0, 0). The malware proceeds as expected only if the return value is either 0x80100011 (SCARD_E_INVALID_VALUE) or 0x2 (ERROR_FILE_NOT_FOUND). When the dropper is executed locally the return value is 0x80100011, but when it is executed from a remote desktop session the return value is 0x80100004 (SCARD_E_INVALID_PARAMETER).
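The following script is an added example for analysts, not code from Shylock or from the original write-up. It turns the return-code logic above into two defender-side checks: a static indicator scan for the dynamic-import strings the dropper would need (the `winscard` module name and the `SCardForgetReaderGroupA` export), and a self-test an analyst can run on a Windows lab box to learn whether that box would be rejected by this probe. The sample bytes are constructed here for illustration; the `ctypes` signature and the signed-to-unsigned masking are the example's own handling, because `SCardForgetReaderGroupA` returns a C `LONG` and `ctypes` hands 0x80100011 back as the negative value -2146435055.

```python
import ctypes
import sys

# Return codes named in the write-up (Windows SCARD_* / ERROR_* values).
SCARD_E_INVALID_VALUE = 0x80100011
SCARD_E_INVALID_PARAMETER = 0x80100004
ERROR_FILE_NOT_FOUND = 0x00000002

# The dropper only continues when the call yields one of these two codes.
PROCEED_CODES = {SCARD_E_INVALID_VALUE, ERROR_FILE_NOT_FOUND}


def normalize_long(value: int) -> int:
    """Mask a C LONG to its unsigned 32-bit form.

    Without this, the SCARD_E_* codes (which have the high bit set) come back
    from ctypes as negative Python ints and never match the constants above.
    """
    return value & 0xFFFFFFFF


def classify_return(code: int) -> str:
    """Describe what a Shylock-style dropper would do on seeing this code."""
    code = normalize_long(code)
    if code == SCARD_E_INVALID_PARAMETER:
        return "remote-session: dropper would refuse to install"
    if code in PROCEED_CODES:
        return "local-desktop: dropper would proceed"
    return "unexpected code 0x%08X: not covered by the write-up" % code


def probe_winscard():
    """Run the same call on this machine; returns None when not on Windows.

    Useful for checking whether an analysis VM reached over RDP will be
    rejected by this evasion before detonating a sample on it.
    """
    if sys.platform != "win32":
        return None
    winscard = ctypes.WinDLL("winscard")            # dynamic load, as the dropper does
    fn = winscard.SCardForgetReaderGroupA
    fn.restype = ctypes.c_long                      # LONG return value
    fn.argtypes = [ctypes.c_void_p, ctypes.c_char_p]  # SCARDCONTEXT, LPCSTR
    return normalize_long(fn(None, None))           # the (0, 0) call from the write-up


# Static side: strings a sample needs in order to resolve this API at run time.
# Caveat: legitimate smart-card software also imports winscard, so treat a hit
# as a triage signal for an unpacked dropper, not as a verdict on its own.
INDICATORS = (b"winscard", b"scardforgetreadergroupa")


def has_winscard_probe_indicators(sample: bytes) -> bool:
    """True when every indicator string appears (case-insensitively) in the bytes."""
    lowered = sample.lower()
    return all(ind in lowered for ind in INDICATORS)


# Constructed stand-in for an unpacked dropper's string table (not a real sample).
CONSTRUCTED_SAMPLE = (
    b"MZ\x90\x00...LoadLibraryA\x00winscard.dll\x00"
    b"GetProcAddress\x00SCardForgetReaderGroupA\x00"
)


if __name__ == "__main__":
    print("static indicators present:", has_winscard_probe_indicators(CONSTRUCTED_SAMPLE))
    for code in (0x80100011, 0x2, 0x80100004):
        print("0x%08X -> %s" % (code, classify_return(code)))
    live = probe_winscard()
    if live is None:
        print("live probe skipped: not running on Windows")
    else:
        print("this host: 0x%08X -> %s" % (live, classify_return(live)))
```

Run the script locally on an analysis VM's console and again over a remote desktop session; if the second run reports the remote-session code, samples with this check should be detonated from the console (or through an automation channel that is not an RDP session) rather than from the researcher's desk.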
Malware authors are continuously developing techniques to evade sandboxes used for analysis. There are many virtual environments that are detected by malware these days. In fact, just recently Symantec spotted two new techniques added to the list of techniques used by malware to evade sandboxes — monitoring of mouse movement and monitoring for code to lay dormant for five minutes before execution.
“Avoiding remote desktop sessions can, indeed, work to accomplish the same purpose,” Symantec said. “At the end of the day, malware authors realize that organizations use automated techniques in order to determine the capabilities of malware. By investing development time to circumvent sandboxes, they are trying to buy themselves some time before they get detected.”
At this year's Black Hat security conference, researchers presented techniques they said could make malware analysis impossible by designing malware that can’t execute correctly on any environment other than the one originally affected.
In the coming year, those types of techniques will become more common. Malware will be more dedicated and will attack only computers with a specific configuration. The ability of malware to avoid analysis will improve in the new year.