Hackers vs. Researchers: Evasion methods

Innovations that have appeared in cyber-crime over the past few years prove that the ‘trickle-down’ effect known from marketing and economics is not just about access to products like tablet devices and space tourism. Just as in the real world, evasion techniques that were once the exclusive property of elite programmers are flowing into public knowledge at an ever increasing rate. They give hackers with limited skills the same evasion techniques against researchers that until recently were used only by expert malware developers.

For the most part, these evasion methods were programmed by hackers and then adopted by Trojan distributors of varying technical skill. They are designed to thwart security researchers who reverse engineer malware in order to pinpoint its communication networks; once those networks are located, the goal is to block or monitor them and so reduce the trickle of sensitive information into criminal hands. After all, Trojan distributors invest hundreds and even thousands of dollars on the black market to obtain malware, and, like any investor, they ‘legitimately’ want to ensure that the investment yields a return, such as other people's online banking passwords and credit card numbers.

How, then, did these evasion methods reach the Trojan sellers and distributors? These techniques were first observed in unique, private Trojans operated by cyber-crime gangs whose members are, in many cases, first-class software developers. The enhancements then found their way into the more sophisticated and expensive Trojans sold on the cyber black market. Recently, these innovations have also begun to appear in advertisements for simpler malware, known as ‘Generic Password Thieves’.

What tactics do hackers use against researchers?
1)    Preventing the tracing and analysis of files implanted by Trojans.
If these files fall into the hands of researchers who reverse engineer them, the network communication points can be discovered, and once those points are known the entire botnet is at risk of exposure (and will probably be blocked).

2)    Hardening the security of the malicious servers that operate botnets: the Command & Control servers, which send new commands to the bots, and the collecting servers (Drop Servers), which receive the stolen information from infected computers. The idea is that even if the IP address or URL of one of these servers is captured, the server remains immune to penetration by malware researchers and to hijacking attempts by competing criminals and law enforcement.

What methods do the hackers use?
1)    Virtual-environment checks: the Trojan checks whether it is running in a virtual machine, which usually indicates that it is being examined by security researchers. If a VM environment is detected, the Trojan usually does not install its files but remains ‘packaged’.

2)    ‘Collapsing’ research tools: to keep malware behavior secret, a growing number of malware samples include a mechanism that detects commercial research and analysis software and makes it crash. As a result, it is harder to use these programs to reveal a Trojan's full functionality and to learn its communication patterns with collection servers and operational positions.

3)    Encrypting files and code: encrypting the Trojan's files on the infected computer hides them from anti-malware engines and from researchers. The encrypted code is decrypted in memory (RAM) for a very short time, only while it is in use, and the deciphered code is destroyed immediately afterwards. Malware distributors apply this encryption either to entire files or to the few lines of code that matter most (for example, the code containing the Trojan's communication points).

4)    Authentication and encryption using asymmetric keys and digital signatures: malware writers have adopted the authentication method used in e-mail and in encrypted communication with web servers. Its purpose is to let the operator communicate with the bots over an encrypted channel and to let each bot verify the identity of the command sender, keeping out unwanted parties such as competing cyber criminals, malware researchers and law enforcement. To take over such a botnet, for example by redirecting its communication to an alternative server, the hijacker must discover both the Trojan's encryption algorithm and the right key. Generally this is the bot operator's private key, which is not easy to obtain, if it is possible at all.

5)    Black lists written by cyber criminals to block access to IP addresses and URLs that belong to known monitoring systems such as ‘ZeusTracker’, and to computers that belong to security companies and law enforcement. While every malware writer can create his own black list, some identified crooks already sell such lists on the black market, and the lists are also built into more sophisticated Trojan horses that are likewise for sale there.
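The signature check behind method 4, as an added illustration in Go with the standard library's Ed25519 (not code from this post or from any real Trojan; the type and function names are hypothetical): a bot trusts only the public key built into it, so a command signed with any other key, or altered after signing, fails verification. This is why a takeover without the operator's private key fails and why defenders fall back on blocking or monitoring the traffic instead.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Operator models the command issuer; only it holds the private signing key.
type Operator struct {
	Priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewOperator generates a fresh Ed25519 key pair for one command issuer.
func NewOperator() (*Operator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Operator{Priv: priv, Pub: pub}, nil
}

// SignCommand produces the signature that accompanies a command.
func (o *Operator) SignCommand(cmd []byte) []byte {
	return ed25519.Sign(o.Priv, cmd)
}

// BotAccepts models the bot side: it verifies the command against the one
// public key compiled into it and ignores anything that does not verify.
func BotAccepts(trusted ed25519.PublicKey, cmd, sig []byte) bool {
	return ed25519.Verify(trusted, cmd, sig)
}

func main() {
	op, _ := NewOperator()
	other, _ := NewOperator() // a party that captured the traffic but not Priv
	cmd := []byte("set-drop-server 198.51.100.7") // constructed sample command
	sig := op.SignCommand(cmd)
	fmt.Println("genuine command accepted:  ", BotAccepts(op.Pub, cmd, sig))
	fmt.Println("other key's signature:     ", BotAccepts(op.Pub, cmd, other.SignCommand(cmd)))
	fmt.Println("command altered in transit:", BotAccepts(op.Pub, []byte("set-drop-server 192.0.2.1"), sig))
}
```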

In the arms race happening under our noses, contestants compete for technological superiority. While many techniques have been published into the public domain, a number of methods remain the exclusive domain of a few elites, including one that generates pseudo communication points for botnets and ‘peer-to-peer’ communication that allows each bot to act as an operator. Only time will tell whether these evasion techniques will find their way into the public domain of Trojan writers.

Stay vigilant. Use a program such as Premium Internet Security from Total Defense to shield your online activity.