Monday, December 22, 2014

Automation-avoiding Malware

As technology progresses, so does sophistication on both sides. As security companies apply more techniques to counter malware, malware in turn employs more tricks to defeat those techniques.

One such technique that is becoming popular these days is avoiding the automated analysis done by security tools and sandboxes. In such automation there is no user interaction while the sample runs; the analyst only looks at the result, which is supposed to reveal whether the sample is malicious or not. If the sample does not produce enough observable behaviour, there is a chance the analyst will dismiss it, and chance is a very important factor if a piece of malware is to spread :).

How does malware exploit this chance? The technique is very simple and a little searching on the web explains it well. It applies to programs that have a WinMain function, so let's see how it is done.

If we look at the definition of WinMain on MSDN, it says:
int CALLBACK WinMain(
  _In_  HINSTANCE hInstance,
  _In_  HINSTANCE hPrevInstance,
  _In_  LPSTR lpCmdLine,
  _In_  int nCmdShow
);
The argument of interest is nCmdShow. The documentation describes it as:
"Controls how the window is to be shown."
That is it, we found the culprit. Malware abuses this value to tell automated analysis apart from a real user launch. Here is what a call to WinMain looks like in disassembly:
[Image: WinMain in disassembly]
Look at the first value pushed, 0x0A. Since the arguments are pushed right to left, this is the last parameter, nCmdShow. 0x0A is SW_SHOWDEFAULT, which is what a program receives when it is started under a debugger or from the command line. The reason is in the C runtime's startup code: it calls GetStartupInfo, and if the parent process set STARTF_USESHOWWINDOW in STARTUPINFO.dwFlags it passes wShowWindow through as nCmdShow; otherwise it falls back to SW_SHOWDEFAULT. A plain CreateProcess call, which is what most debuggers, sandbox harnesses and cmd.exe do, leaves that flag clear. Explorer, on the other hand, launches programs through ShellExecute with the flag set and wShowWindow = SW_SHOWNORMAL, so a program started by a double-click sees nCmdShow = 0x01.

This makes the malware's job easy. It saves the nCmdShow value somewhere and checks it before doing anything interesting. If the value indicates it was started by automation or from the command line (anything other than SW_SHOWNORMAL), it simply does nothing or exits, and the sandbox report shows a harmless program.
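The following is an added example, not code from the original post, showing both halves of the story: the C runtime's derivation of nCmdShow from STARTUPINFO (the logic described above), the check a sample would make on it, and the countermeasure an automation harness should apply, namely filling in STARTUPINFO the way Explorer does before calling CreateProcess. The function names, the fallback constants for non-Windows hosts and the sample path in the comment are assumptions of this example; the Windows launcher is only compiled on Windows.

```c
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Assumed stand-ins so the launcher-independent logic compiles on any host.
 * Values match the Windows SDK definitions. */
#define SW_SHOWNORMAL        1
#define SW_SHOWDEFAULT       10
#define STARTF_USESHOWWINDOW 0x00000001
typedef unsigned long  DWORD;
typedef unsigned short WORD;
#endif

/* What the C runtime's WinMain startup code does to produce nCmdShow:
 * if the parent set STARTF_USESHOWWINDOW in STARTUPINFO.dwFlags, the
 * parent's wShowWindow is passed through; otherwise SW_SHOWDEFAULT (0x0A). */
int crt_derive_ncmdshow(DWORD dwFlags, WORD wShowWindow)
{
    if (dwFlags & STARTF_USESHOWWINDOW)
        return (int)wShowWindow;
    return SW_SHOWDEFAULT;
}

/* The check the post describes, as a sample would make it: anything other
 * than SW_SHOWNORMAL (0x01) is treated as "not double-clicked by a user". */
int looks_like_user_launch(int nCmdShow)
{
    return nCmdShow == SW_SHOWNORMAL;
}

#ifdef _WIN32
/* Countermeasure for an automation harness: launch the sample the way
 * Explorer does, so the CRT hands it nCmdShow = SW_SHOWNORMAL. */
BOOL launch_like_explorer(const char *path)
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    memset(&si, 0, sizeof si);
    si.cb          = sizeof si;
    si.dwFlags     = STARTF_USESHOWWINDOW; /* the flag bare CreateProcess leaves clear */
    si.wShowWindow = SW_SHOWNORMAL;        /* what a double-click in Explorer passes */
    if (!CreateProcessA(path, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
        return FALSE;
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return TRUE;
}
#endif

int main(void)
{
    /* Harness that calls CreateProcess with a zeroed STARTUPINFO:
     * the sample sees 0x0A and refuses to run. */
    int bare = crt_derive_ncmdshow(0, 0);
    /* Harness that mimics Explorer: the sample sees 0x01 and runs. */
    int mimic = crt_derive_ncmdshow(STARTF_USESHOWWINDOW, SW_SHOWNORMAL);

    printf("bare CreateProcess   -> nCmdShow=0x%02X, user launch? %d\n",
           bare, looks_like_user_launch(bare));
    printf("Explorer-like launch -> nCmdShow=0x%02X, user launch? %d\n",
           mimic, looks_like_user_launch(mimic));
#ifdef _WIN32
    /* e.g. launch_like_explorer("C:\\samples\\sample.exe"); (hypothetical path) */
#endif
    return 0;
}
```

Setting STARTF_USESHOWWINDOW costs nothing and removes this particular tell; a harness that relies on the CreateProcess defaults will keep handing samples the SW_SHOWDEFAULT value they are looking for.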

This may be a small trick, but it is a useful one, at least for the malware ;), and it is easy to miss when a large number of samples is being processed through automation. Samples using it can quietly slip through.

So automation guys... watch out!
