Understanding naive malware evasion techniques, Holly Williams
Today Holly Williams, a penetration tester by trade and all-round malware enthusiast, gave a talk at Bsides London. The talk, called Offensive Anti-analysis, focused on the 'naive' evasion techniques used in malware creation.
Holly started off her talk, following a trend from the past few days, by detailing the history of malware, going from 1971, when the first computer viruses were conceived, to 1989, when the first proper Trojan came to fruition. Holly continued by asking why malware is so successful:
[With malware] I don’t have to get into hardened places. We are getting users to click a link. 50% of users will click a link in an email and 33% of users will give us their password in an email.
Holly followed this up by stating that these statistics were in no way to be taken as a line in the sand, but were rough figures that she works from. Entering the bulk of her talk, she moved on to discuss the top three 'naive evasion techniques' used by malware creators. These were:
- Renaming files
- Using null bytes to decrease entropy
- Understanding that the 'enemy' isn't as numerous as first thought
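The second technique above relies on a crude scanner heuristic: a file whose bytes look uniformly random (high Shannon entropy) is assumed to be packed or encrypted and is flagged. Appending runs of null bytes drags the whole-file entropy below whatever threshold the scanner uses without touching the payload itself. The script below is an added illustration of that idea, not code from Holly's talk or slides; the 7.0 bits/byte threshold, the 4.0 target and the pseudo-random blob standing in for an encrypted payload are all constructed assumptions. It also shows, going beyond the talk, why the trick is naive: a scanner that measures entropy per window rather than per file still sees the high-entropy region.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def flags_as_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Hypothetical scanner heuristic (assumed, not any real product's):
    whole-file entropy at or above the threshold => treat as packed/encrypted."""
    return shannon_entropy(data) >= threshold


def pad_with_nulls(data: bytes, target_entropy: float, step: int = 1024) -> bytes:
    """Append null bytes in `step`-sized chunks until the whole-file entropy
    drops to target_entropy or below. The original bytes are left untouched
    at the front, so the payload is still fully recoverable by length."""
    if target_entropy <= 0.0:
        # Entropy only tends towards zero; demanding exactly zero would never finish.
        raise ValueError("target_entropy must be positive")
    padded = data
    while shannon_entropy(padded) > target_entropy:
        padded += b"\x00" * step
    return padded


def max_window_entropy(data: bytes, window: int = 1024) -> float:
    """Highest entropy seen over fixed, non-overlapping windows.
    A scanner that does this is not fooled by trailing null padding,
    because the windows covering the real payload are still random-looking."""
    return max(
        (shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)),
        default=0.0,
    )


def make_fake_payload(size: int = 4096, seed: int = 1234) -> bytes:
    """Constructed stand-in for an encrypted/packed blob: seeded pseudo-random
    bytes, so the example is deterministic and runs offline."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    payload = make_fake_payload()
    padded = pad_with_nulls(payload, target_entropy=4.0)
    print(f"original: {len(payload):6d} bytes, whole-file entropy "
          f"{shannon_entropy(payload):.2f}, flagged={flags_as_packed(payload)}")
    print(f"padded:   {len(padded):6d} bytes, whole-file entropy "
          f"{shannon_entropy(padded):.2f}, flagged={flags_as_packed(padded)}")
    print(f"padded:   max 1 KiB window entropy {max_window_entropy(padded):.2f} "
          f"(a windowed scanner still flags it)")
```

Running it shows the 4 KiB random blob scoring close to 8 bits/byte and being flagged, then dropping under the 4.0 target after a few kilobytes of nulls, while the per-window measurement stays near 8 for the windows that hold the real payload. The design point for anyone writing detection is the last line: compute entropy over sections or sliding windows, not over the file as a whole.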
Holly concluded her talk by describing how she used all of the above to create a piece of malware that could be uploaded to platforms such as VirusTotal to map their environment and detect whether it was running in a sandboxed environment. After stating that she had been successful in doing so, she commented:
It can detect when it's in a scanner and which one you're in. Also which node of the scanner you're in. That's probably a bad thing, but sorry that I lied to you, because [according to Google] it's totes not.