The Dyre family of banking malware is back in the news after researchers recently observed that the malware incorporated tricks to avoid detection in malware sandboxes. Previously, Dyre was most notable for targeting high-value bank accounts, including business accounts, and for incorporating sophisticated social engineering components to overcome the two-factor authentication used by most banks.
In this latest twist, the Dyre malware aims to identify when it is being run in a malware sandbox by counting the cores of the machine on which it is running. The trick, in this case, is that many malware sandboxes will run as a virtual machine with only a single processor and single core in order to conserve resources. Malware sandboxes have to analyze a very large number of files, so each virtual machine often gets provisioned with a bare minimum of resources in order to run as many VMs as possible.
To be fair, counting processor cores is only one of many techniques that malware regularly employs to detect and evade sandbox analysis. In addition to counting cores, malware will often look for artifacts in process names or in registry entries that give away the presence of a virtual machine. Malware can also check more obscure environmental indicators, such as predictable data structures or even the initial values of CPU registers.
Malware can also take more proactive steps such as looking for mouse movements and other signs of a real human user interaction with the host. In the same way that websites use CAPTCHAs to try to avoid automated bots, malware has begun using its own Turing tests to avoid detection by automated sandboxes.
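As an added example (not code from the post or from Vectra), the following Python audit turns the three checks described above into a defender's review of sandbox VM profiles: it flags any VM that exposes a single core, leaks hypervisor artifacts in process or registry names, or runs without simulated user input. The `VmProfile` fields, the artifact marker list and the two sample VMs are constructed assumptions for this illustration.

```python
from dataclasses import dataclass

# Substrings that commonly identify a hypervisor or analysis tool in process
# or registry names. Constructed list for this example; real deployments vary.
VM_ARTIFACT_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "sandbox")


@dataclass
class VmProfile:
    """Snapshot of one analysis VM's configuration (constructed for this audit)."""
    name: str
    cores: int
    process_names: list
    registry_keys: list
    input_events: int  # simulated mouse/keyboard events injected during the run


def audit_profile(profile: VmProfile) -> list:
    """Return the evasion checks from the post that this VM would fail."""
    findings = []
    # Dyre-style core count: a single-core VM is treated as a sandbox.
    if profile.cores < 2:
        findings.append(f"core-count: only {profile.cores} core exposed")
    # Artifacts in process names or registry entries that reveal a VM.
    for proc in profile.process_names:
        if any(m in proc.lower() for m in VM_ARTIFACT_MARKERS):
            findings.append(f"process-artifact: {proc}")
    for key in profile.registry_keys:
        if any(m in key.lower() for m in VM_ARTIFACT_MARKERS):
            findings.append(f"registry-artifact: {key}")
    # Human-interaction check: no mouse movement looks like an automated run.
    if profile.input_events == 0:
        findings.append("user-interaction: no simulated input events")
    return findings


def audit_fleet(profiles) -> dict:
    """Map each VM name to the list of checks it would fail."""
    return {p.name: audit_profile(p) for p in profiles}


# Constructed sample: a resource-starved VM next to a hardened profile.
LEAN_VM = VmProfile("lean-01", 1, ["explorer.exe", "VBoxService.exe"],
                    [r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"], 0)
HARDENED_VM = VmProfile("hardened-01", 2, ["explorer.exe", "svchost.exe"],
                        [r"HKLM\SOFTWARE\Microsoft\Windows"], 40)

if __name__ == "__main__":
    for name, findings in audit_fleet([LEAN_VM, HARDENED_VM]).items():
        print(name, "->", findings or ["ok"])
```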
All of these techniques are really just the tip of the iceberg in an ongoing cat-and-mouse game between malware authors and security researchers. Security solutions will continue to test malware automatically, and malware will continue to try to game those tests.
Getting ahead of this cat-and-mouse game is precisely why many organizations are moving beyond the sandbox in their search for threats and incorporating real-time analysis of their internal network traffic. While sandboxes are valuable tools, we always have to remember that they are highly artificial environments with a very limited time horizon. A simulation is never a replacement for understanding the ground truth of your actual network traffic. And while it may be the last line of defense, the real target network is the only place where you are certain to see the true behavior of a threat. Sooner or later, attackers have to stop faking it and pursue their actual target.
Furthermore, a persistent attack is larger than a single piece of malware. The malware is a tool in the attack, but the attack itself almost always spans multiple devices, multiple malware payloads and leverages multiple components and tools in pursuit of more strategic goals. This is why Vectra combines first-hand inspection of live network traffic with data science that tracks and correlates malicious behaviors over time and across multiple devices in the network.
Simply put, the more that we examine the real-world network traffic for attacks, the more likely we are to find real-world attacks.
Gartner has published the report Cool Vendors in Security Intelligence, 2015. Vendors in this report, including Vectra, were chosen because they offer highly innovative technologies that address an organization's demand for data-driven analytics, techniques in obfuscation and deception, and advanced detection solutions.