Common Malware Evasion Techniques

June 20, 2017

“We can classify evasion techniques into three broad categories:

Anti-security techniques: Used to avoid detection by antimalware
engines, firewalls, application containment, or other tools that
protect the environment.
Anti-sandbox techniques: Used to detect automatic analysis and
avoid engines that report on the behavior of malware. Detecting
registry keys, files, or processes related to virtual environments lets
malware know if it is running in a sandbox.
Anti-analyst techniques: Used to detect and fool malware
analysts, for example, by spotting monitoring tools such as Process
Explorer or Wireshark, as well as some process-monitoring tricks,
packers, or obfuscation to avoid reverse engineering.

In the world of cybersecurity evasion, certain terms are popular. Here are
some of the tools and terms used by attackers.

Crypter: Encrypts and decrypts malware during its execution.
Using this technique, malware is often not detected by
antimalware engines or static analysis. Crypters are often custom
made and can be bought in underground markets. Custom
crypters make decryption or decompiling even more challenging.
Aegis Crypter, Armadillo, and RDG Tejon are examples of advanced

Packer: Similar to a crypter. A packer compresses a malware file
instead of encrypting it. UPX is a popular packer.

Binder: Connects one or more malware files into one. A malware
executable can be bound with a JPG file, but the extension will
remain EXE. Malware authors usually bind a malware file with a
legitimate EXE file.
Pumper: Increases the size of a file, allowing the malware to
sometimes bypass antimalware engines.
FUD: Fully UnDetectable by antimalware. Used by malware sellers
to describe and promote their tools. A successful FUD program
combines both scantime and runtime elements to be 100%
undetected. We know two types of FUD:
  - FUD scantime: Protects a malware file from detection by
    antimalware engines before the former runs.
  - FUD runtime: Protects a malware file from detection by
    antimalware engines while it runs.
Stub: Usually contains the routine used to load (decryption or
decompression) the original malware file into memory.
Unique stub generator: Creates a unique stub for each running
instance, making detection and analysis more difficult.
Fileless malware: Infects a system by inserting itself into memory
and not writing a file to disk.
Obfuscation: Makes malware code difficult for humans to
understand. Plain-text strings are encoded (XOR, Base64, etc.) and
inserted into the malware file, or junk functions are added to the
Junk code: Adds useless code or fake instructions to the binary to
fool the disassembly view or waste analyst time.
Anti’s: Sometimes used on underground forums or marketplaces
to define all the techniques used to bypass, disable, or kill
protection or monitoring tools.
Virtual machine packer: Some advanced packers employ the
concept of a virtual machine. When the malware EXE file is packed,
the original code is translated into the byte code of the virtual
machine and will emulate the behavior of a processor. VMProtect
and CodeVirtualizer use this technique.

RunPE: Runs another process of itself in memory”

Source: McAfee Labs Threats Report, June 2017
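A defender-side triage check for the crypter, packer, and pumper entries above, as an added example that is not from the McAfee report or this post: encrypted or compressed payloads show near-maximal byte entropy, while pumped files carry long runs of a single padding byte. The thresholds and function names are assumptions, and the sample inputs are constructed stand-ins, not real malware.

```python
import hashlib
import math
from collections import Counter
from itertools import groupby

CHUNK = 4096           # bytes per entropy window
HIGH_ENTROPY = 7.2     # bits/byte; assumed triage threshold
PAD_RUN = 64 * 1024    # assumed minimum single-byte run treated as padding

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: near 0 for padding, near 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value."""
    return max((sum(1 for _ in g) for _, g in groupby(data)), default=0)

def triage(data: bytes) -> dict:
    """Flag content that looks packed/encrypted or size-inflated."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    high = sum(shannon_entropy(c) >= HIGH_ENTROPY for c in chunks)
    ratio = high / len(chunks) if chunks else 0.0
    pad = longest_run(data)
    return {
        "size": len(data),
        "high_entropy_ratio": round(ratio, 2),
        "likely_packed_or_encrypted": ratio >= 0.5,
        "longest_padding_run": pad,
        "likely_pumped": pad >= PAD_RUN and pad >= len(data) // 2,
    }

def constructed_samples() -> dict:
    """Constructed stand-ins, not real malware: text, pseudo-random, padded."""
    plain = (b"This program cannot be run in DOS mode. " * 205)[:8192]
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                     for i in range(2048))  # 64 KiB, ciphertext-like
    return {
        "plain": plain,
        "packed_like": plain[:4096] + noise,
        "pumped_like": plain + b"\x00" * (256 * 1024),
    }

if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(name, triage(blob))
```

Legitimately compressed content (installers, archives, media) also scores high on entropy, so these flags are a reason to look closer, not a verdict.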

Polymorphism: “Code that can mutate itself without sacrificing functionality”

Source: Polymorphic and Metaphoric Threats and Your Cyber Future

Fake Metadata: Providing misleading information, such as a false file timestamp, a false author name, false Exif properties, etc.

Self-Deletion: Deleting the file according to predefined logic conditions or triggers.
