Tag: evasive malware

Book Summary – “Evasive Malware: Understanding Deceptive and Self-Defending Threats”

Since my new book “Evasive Malware: Understanding Deceptive and Self-Defending Threats” pre-order just launched, I wanted to write up a quick summary of the book, including what you’ll learn, the book’s target audience, and a breakdown of each section in the book. Let’s get started!

What is this book about?

“Evasive Malware: Understanding Deceptive and Self-Defending Threats” is a book about the fascinating and terrifying world of malicious software designed to avoid detection. The book is full of practical information, real-world examples, and cutting-edge techniques for discovering, reverse-engineering, and analyzing state-of-the-art malware, specifically malware that uses evasion techniques.

Beginning with foundational knowledge about malware analysis in the context of the Windows OS, you’ll learn about the evasive maneuvers malware uses to determine whether it’s being analyzed and the tricks it employs to avoid detection. You’ll explore the ways malware circumvents security controls, such as network or endpoint defense bypasses, anti-forensics techniques, and data and code obfuscation. At the end of the book, you’ll learn some methods and tools to tune your own analysis lab and make it resistant to malware’s evasive techniques.

What will you learn?

  • Modern malware threats and the ways they avoid detection
  • Anti-analysis techniques used in malware
  • How malware bypasses and circumvents security controls
  • How malware uses victim targeting and profiling techniques
  • How malware uses anti-forensics and file-less techniques
  • How to perform malware analysis and reverse engineering on evasive programs

Who is this book for?

This book primarily targets readers who already have at least a basic understanding and skill-set in analyzing malware and reverse-engineering malicious code. This book is not a beginner course in malware analysis, and some prior knowledge in this topic is assumed. But have no fear – the first three chapters of this book consist of a crash-course in malware analysis and code analysis techniques.

Here are some of the practical applications of this book:

  • Malware Analysts and Researchers – Learn how modern and advanced malware uses evasion techniques to circumvent your malware lab and analysis tools.
  • Incident Responders and Forensicators – Learn how advanced malware uses techniques like anti-forensics to hide its artifacts on a host. Understanding these techniques will help improve incident response and forensics skills.
  • Threat Intelligence Analysts – Learn how bespoke, targeted, and cybercrime malware uses evasion techniques to hide and blend into its target environment.
  • Security Engineers / Security Architects – Learn how malware evades the host and network defenses that you design, engineer, and implement.
  • Students and Hobbyists – Learn how modern, advanced malware operates. If you read and actually enjoy this book, then you now know that you should pursue a job in malware research 😉

This book consists of five sections (parts), each consisting of three or more chapters. Let’s take a brief look at each of these.

Part 1: The Fundamentals

Part 1 contains the foundational concepts you’ll need to know before digging into the rest of the book. The topics include the fundamentals of how the Windows operating system works, and the basics of malware analysis, covering sandbox and behavioral analysis to static and dynamic code analysis.

Chapters in Part 1:

  • Chapter 1: Windows Foundational Concepts
  • Chapter 2: A Crash Course in Malware Triage and Behavioral Analysis
  • Chapter 3: A Crash Course in Static and Dynamic Code Analysis

What you’ll learn:

  • What evasive malware is and why malware authors use evasion techniques in their malware.
  • The fundamentals of Windows OS internals.
  • A crash course in malware analysis and reverse engineering, covering the basics of malware sandbox analysis and behavioral analysis, and static and dynamic code analysis. 

Part 2: Context-Awareness and Sandbox Evasion

Part 2 starts getting into the good stuff: how malware detects sandboxes, virtual machines, and hypervisors, and how it circumvents and disrupts analysis.

Chapters in Part 2:

  • Chapter 4: Enumerating Operating System Artifacts
  • Chapter 5: User Environment and Interaction Detection
  • Chapter 6: Enumerating Hardware and Network Configurations
  • Chapter 7: Runtime Environment and Virtual Processor Anomalies
  • Chapter 8: Evading Sandboxes and Disrupting Analysis

What you’ll learn:

  • How malware detects hypervisors by inspecting operating system artifacts.
  • How malware detects virtual machines by looking for runtime anomalies.
  • How malware tries to detect a real end user in order to identify if it’s running in a sandbox.
  • How malware actively circumvents analysis by exploiting weaknesses in sandboxes or directly interfering or tampering with the analyst’s tooling. 

Part 3: Anti-Reversing

Part 3 covers the many techniques malware may use to prevent or impede reverse-engineering of its code, such as complicating code analysis, disrupting debuggers, and causing confusion and misdirection.

Chapters in Part 3:

  • Chapter 9: Anti-disassembly
  • Chapter 10: Anti-debugging
  • Chapter 11: Covert Code Execution and Misdirection

What you’ll learn:

  • How malware authors implement anti-disassembly techniques and how you can overcome them. 
  • How anti-debugging techniques work, and how to identify these techniques while analyzing malware. 
  • How malware utilizes covert code execution and misdirection techniques to confuse malware analysts and slow down the reversing process.

Part 4: Defense Evasion

Chapters in Part 4:

  • Chapter 12: Process Injection, Manipulation, and Hooking
  • Chapter 13: Evading Network and Endpoint Defenses
  • Chapter 14: An Introduction to Rootkits
  • Chapter 15: Fileless Malware and Anti-forensics

What you’ll learn:

  • How malware implements modern process injection and manipulation techniques to circumvent defenses.
  • How malware actively and passively circumvents and bypasses modern endpoint and network defenses like EDR/XDR.
  • The basics of rootkits and how they evade defenses. 
  • How malware uses living-off-the-land techniques to remain undetected and blend into the environment.
  • Anti-forensics techniques, and how advanced malware hides from forensics tooling and investigators.

Part 5: Other Topics

Finally, Part 5 covers additional techniques and topics that did not fit in well with the other chapters. This section covers topics like obfuscating malware and malicious behaviors via encoding and encryption, how packers work and how to unpack malware, and how to make your malware analysis lab a bit more resilient to evasive malware.

Chapters in Part 5:

  • Chapter 16: Encoding and Encryption
  • Chapter 17: Packers and Unpacking Malware
  • Chapter 18: Tips for Building an Anti-evasion Analysis Lab

What you’ll learn:

  • How malware implements obfuscation and encryption to complicate analysis and hide malicious activity, and how to analyze obfuscated code. 
  • How malware uses packers and crypters, and how to analyze packed malware. 
  • How to configure and tune your analysis lab to help streamline analysis of malware that may be detecting your lab environment.

Pre-Order the Book!

If you decide to legally purchase my book (instead of pirating it), it would be much appreciated. I need to buy beer, a new gaming PC, feed my family, you know, important stuff.

How to pre-order:

  • You can order the book directly from the No Starch Press publisher website. If you order from No Starch, you also can get access to an Early Access version of the book, as well as the finished book!
  • You can order on Amazon. Sometimes Amazon has deals and this may be cheaper, but you do not get access to the Early Access version. Amazon ships to many places in the world, so this is an advantage.
  • There are other sites you can order from as well, such as local bookstores. Just Google “Evasive Malware book”.

If you decide to pre-order the Early Access version of my book, I would love your feedback! If you spot technical errors, spelling and grammar errors, or even if you just want to tell me “It’s amazing!” or “It sucks!”, I want to hear your feedback 🙂 Feel free to contact me via Twitter or LinkedIn.

A lot of love for the infosec community went into this book, so I hope you enjoy it! 🙂

“VBoxCloak” – Hiding VirtualBox from Malware

Many malware families still use simple evasion techniques for detection of virtual machine environments and malware analysis sandboxes. These simple checks are enumerating things on the host such as processes, certain files and directories, specific drivers and hardware configurations, and registry keys that may give away the presence of a hypervisor. If a virtual machine is detected, the malware may kill itself or perform other evasive actions.

Did you know that many of these simple checks can be completely bypassed by slightly modifying the analysis environment before running the malware? I wrote a quick PowerShell script to make these modifications quickly and automagically. Note: This script only supports VirtualBox so far, but will support VMware in the near future.

The script is very simple. Give it one of several parameters and it will get to work cleaning up your Windows VirtualBox VM and priming it for malware analysis. The changes it makes are as follows:

  • Renames several registry keys that malware typically uses for VirtualBox detection.
  • Kills the VirtualBox Guest Additions processes (VBoxService and VBoxTray).
  • Deletes VirtualBox driver files.
  • Deletes or renames VirtualBox supporting files in System32 directory.
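As an added example (not the VBoxCloak script itself), here is a check-then-cloak PowerShell routine covering the same classes of artifacts described above: the registry keys, BIOS strings, Guest Additions files and processes are well-known VirtualBox artifacts that public VM-detection checks look for, while the function names Test-VBoxArtifacts and Invoke-VBoxCloak, the "XBox" replacement string and the choice to rename rather than delete are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not the VBoxCloak project's script: a check-then-cloak workflow
# over the VirtualBox guest artifacts that simple VM checks enumerate. The artifact
# names are public/well-known; function and variable names are this example's own.

# Registry keys whose mere presence betrays a VirtualBox guest.
$VBoxRegistryKeys = @(
    'HKLM:\HARDWARE\ACPI\DSDT\VBOX__',
    'HKLM:\HARDWARE\ACPI\FADT\VBOX__',
    'HKLM:\HARDWARE\ACPI\RSDT\VBOX__',
    'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions',
    'HKLM:\SYSTEM\CurrentControlSet\Services\VBoxGuest',
    'HKLM:\SYSTEM\CurrentControlSet\Services\VBoxMouse',
    'HKLM:\SYSTEM\CurrentControlSet\Services\VBoxService',
    'HKLM:\SYSTEM\CurrentControlSet\Services\VBoxSF',
    'HKLM:\SYSTEM\CurrentControlSet\Services\VBoxVideo'
)
# REG_MULTI_SZ values that carry the hypervisor's BIOS strings.
$BiosKey = 'HKLM:\HARDWARE\DESCRIPTION\System'
$VBoxBiosMarkers = @{ SystemBiosVersion = 'VBOX'; VideoBiosVersion = 'VIRTUALBOX' }
# Guest Additions drivers and binaries probed by file-existence checks.
$VBoxFiles = @(
    'drivers\VBoxMouse.sys', 'drivers\VBoxGuest.sys', 'drivers\VBoxSF.sys', 'drivers\VBoxVideo.sys',
    'vboxdisp.dll', 'vboxhook.dll', 'vboxmrxnp.dll', 'vboxogl.dll',
    'VBoxService.exe', 'VBoxTray.exe', 'VBoxControl.exe'
) | ForEach-Object { Join-Path "$env:SystemRoot\System32" $_ }
$VBoxProcesses = @('VBoxService', 'VBoxTray')

function Test-VBoxArtifacts {
    # Emits one object per artifact a sample could find; no output means the simple checks pass.
    foreach ($k in $VBoxRegistryKeys) {
        if (Test-Path -LiteralPath $k) { [pscustomobject]@{ Type = 'Registry'; Name = $k } }
    }
    $desc = Get-ItemProperty -LiteralPath $BiosKey -ErrorAction SilentlyContinue
    foreach ($m in $VBoxBiosMarkers.GetEnumerator()) {
        if (($desc.($m.Key) -join ' ') -match $m.Value) {
            [pscustomobject]@{ Type = 'BiosString'; Name = "$($m.Key) contains $($m.Value)" }
        }
    }
    foreach ($f in $VBoxFiles) {
        if (Test-Path -LiteralPath $f) { [pscustomobject]@{ Type = 'File'; Name = $f } }
    }
    foreach ($p in (Get-Process -Name $VBoxProcesses -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{ Type = 'Process'; Name = "$($p.Name) (PID $($p.Id))" }
    }
}

function Invoke-VBoxCloak {
    # Renames instead of deleting so a reverse rename (or snapshot revert) restores the guest.
    # -WhatIf previews every change; -Confirm prompts for each one.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Processes first: VBoxTray/VBoxService are the ones a process-list check spots.
    Get-Process -Name $VBoxProcesses -ErrorAction SilentlyContinue | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Name, 'Stop process')) { Stop-Process -Id $_.Id -Force }
    }

    # Registry keys: rename only the leaf, e.g. VBOX__ -> XBox__, VBoxGuest -> XBoxGuest.
    foreach ($k in $VBoxRegistryKeys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $newName = (Split-Path $k -Leaf) -ireplace 'VirtualBox|VBox', 'XBox'
        if ($PSCmdlet.ShouldProcess($k, "Rename key to $newName")) {
            try { Rename-Item -LiteralPath $k -NewName $newName -ErrorAction Stop }
            catch { Write-Warning "Could not rename ${k}: $_" }
        }
    }

    # BIOS strings: rewrite only the offending substring and keep the REG_MULTI_SZ type.
    foreach ($m in $VBoxBiosMarkers.GetEnumerator()) {
        $current = (Get-ItemProperty -LiteralPath $BiosKey -ErrorAction SilentlyContinue).($m.Key)
        if (-not $current -or (($current -join ' ') -notmatch $m.Value)) { continue }
        if ($PSCmdlet.ShouldProcess("$BiosKey\$($m.Key)", "Replace $($m.Value)")) {
            $patched = @($current | ForEach-Object { $_ -ireplace $m.Value, 'XBOX' })
            Set-ItemProperty -LiteralPath $BiosKey -Name $m.Key -Value $patched -Type MultiString
        }
    }

    # Files: drivers already loaded in memory keep working after an on-disk rename.
    foreach ($f in $VBoxFiles) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        $newName = (Split-Path $f -Leaf) -ireplace 'VBox', 'XBox'
        if ($PSCmdlet.ShouldProcess($f, "Rename file to $newName")) {
            try { Rename-Item -LiteralPath $f -NewName $newName -ErrorAction Stop }
            catch { Write-Warning "Could not rename ${f}: $_" }
        }
    }
}

# Usage: snapshot the VM first, then preview, apply, and verify that nothing is left to find.
Invoke-VBoxCloak -WhatIf
Invoke-VBoxCloak
Test-VBoxArtifacts | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. HKLM\HARDWARE is a volatile hive rebuilt at every boot, so the ACPI key and BIOS string changes do not survive a reboot; take the snapshot after cloaking, not before. And none of this touches checks that read the hardware directly, such as the CPUID hypervisor-present bit or the 08:00:27 MAC prefix of VirtualBox NICs, which is why the author's own caveat below about not evading every anti-analysis check applies here too.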

The script can be downloaded from here.

One popular question I get a lot is: “Won’t making these types of changes, especially to driver files and processes, break or crash my VM?”

Answer: No! The file modifications the script makes are only on the disk. The Guest Additions drivers and services VirtualBox relies on are already loaded into memory, so we can freely rename the files and directories on disk without affecting the VM too much. I say “too much” because your VM will likely slow down a bit after these changes are made (especially after terminating the VBox processes) and it won’t be as user friendly. The script, for example, will break drag/drop, clipboard, and shared folder settings, but this is a side effect of making your VM more difficult to detect. If you really want to be hardcore reversing evasive malware, you wouldn’t want these features enabled anyway 😉

To run, just invoke the PowerShell script from an elevated prompt (the registry, driver, and System32 changes require administrator rights) like this:

.\Vboxcloak.ps1 -all

This command will make all configuration changes to the virtual guest system. We can see this in the screenshot below:

[Screenshot: VBoxCloak in action.]

I tested this script with a few evasive malware samples and it seems to work well, on many occasions. Obviously, it’s not perfect and will not evade all malware anti-analysis checks, but it is a good start when analyzing an evasive sample.

Once again, the script can be downloaded from: https://github.com/d4rksystem/VBoxCloak

Enjoy! Feel free to yell at me when you inevitably find bugs in the script 🙂