Notes from SophosLabs is an occasional series looking at some of the tricks and techniques we see in SophosLabs when we take malware apart.
We hope you enjoy it – if there are any topics you’d like us to cover in future articles, please let us know!
This article thanks to Satoshi Tanda of SophosLabs.
We’ve written before about how computer security is something of an arms race.
You defend, and then the crooks figure out what you’re looking for and therefore how to bypass or to trick your defences.
You figure out what they’re looking for and therefore how to outwit their latest tricks.
And so it goes on.
Although most malware samples these days aren’t strictly computer viruses (a special class of threat that spreads by itself), blocking software from the Good Guys is still commonly referred to as an anti-virus.
A counterattack by the Bad Guys that aims to trick an anti-virus is therefore jocularly known as a anti-anti-virus.
Telemetry
One handy mechanism for keeping on top of what the latest malware is up to is known in the trade as telemetry or remote sensing.
That’s a fancy word for “reporting in automatically from afar,” much like modern weather stations do (or, more controversially, like speed cameras and CCTV systems).
Many, if not most, anti-virus programs these days include some sort of remote sensing that optionally feeds back anonymised information about the way your computer or your operating system behaves, both when it’s running normally and when something suspicious just happened.
Provided that the software is circumspect about what it collects, and how it anonymises the data it sends back, it’s possible to build up an ongoing picture of how clean systems behave compared to infected ones, without interfering with privacy.
Unfortunately, what’s good for the gander is also good for the goose, meaning that cybercrooks can use telemetry too.
For many years, for instance, zombie malware has called home with information about the computer it just infected, such as how much memory is available, how powerful the hardware is, and the speed of its network connection.
You can imagine how handy that sort of data is to a botherder. (Zombies are also known as bots, short for robots; a collection of bots is a botnet, short for robot network; and the person who controls the botnet is a botherder or botmaster.)
If you’re the sort of crook who rents out access to the zombies in your botnet to other criminals, it’s handy to know which computers can sustain high network throughput for sending spam; which ones are inside corporate networks and can be used to go exploring; which ones are good for password cracking or bitcoin mining; and so forth.
Enter Gatak
One malware family studied by SophosLabs in recent months has take anti-anti-virus telemetry to a new level: Gatak.
When it runs, Gatak includes this information, and more besides, in its call-home data, packaged into an HTTP (web page) request:
- Creation time of C:\WINDOWS.
- Creation time of the Windows installer folder.
- Creation time of the Windows prefetch folder.
- Creation time of the Windows pagefile
- The computer’s and the current user’s name.
- Creation time of the user’s profile folder.
You may wonder what value this data has to the crooks behind the malware.
The answer is that this information acts something like a fingerprint for the computer that’s just been infected.
If you attack the same computer over and over again with malware from the Gatak family, you’ll keep getting the same answers, especially for the timestamps.
That’s because the folders that the malware keeps track of are created when the computer is first installed and used, and remain unchanged thereafter.
In other words, if the crooks see the same data coming up over and over again in their telemetry database, it’s a good guess that:
- The computer belongs to a company or a user with astonishingly bad luck, and poor security habits, that keeps getting infected by mistake.
- The computer is quite deliberately being used to try out malware, and probably belongs to an anti-virus or threat research company.
In the second case, the computer could be real hardware that gets reimaged between infections, or a virtual machine, or even a purely emulated computer running in a software sandbox.
Most researchers maintain a standard set of operating system images, also known as snapshots, to save the time of doing a full Windows reinstall between every malware sample.
Gatak’s goal is to try to build up a list of researchers’ snapshots.
Gatak also calls home with all currently-running process names.
Once again, malware research computers and sandboxes often include a number of running programs that aren’t found on an average computer because they’re there to keep track of what the malware does when it runs.
Malware writers have long used a list of “telltale programs” that are assumed to be related to malware research, such as WinDbg (the Windows debugger) and Wireshark (a popular tool for monitoring network traffic).
Gatak goes one step further by calling home with a list of which programs are active, so that it can keep track of any new or renamed tools that malware analysts might use in the future.
In this way, the crooks behind Gatak are able to keep track of which computer images probably belong to which computer security companies…
…and therefore to detect them at runtime and behave innocently instead of revealing the true intentions of the malware.
Thus the phrase “anti-anti-virus.”
What next?
The first piece of good news is that Gatak can only detect that it should have stayed hidden after it has started running.
Gatak can exit early to avoid revealing exactly how it works, and what nefarious tasks it would get up to on an innocent user’s computer, but it still gives away something about itself by running at all.
The second piece of good news is that by using a mix of standardised and randomly-modified computer images inside their test labs, security companies can circumvent Gatak’s anti-anti-virus trickery by presenting a moving target.
The third piece of good news is that as Gatak expands its list of anti-anti-virus rules to deal with ever-changing sandboxes, especially as it looks out for more and more suspicious processes, so it reduces the list of innocent computers it can infect.
The Halting Problem revisited
In the same mathematically-provable way that you can’t write a perfect anti-virus program (whether you use signatures, identities, machine learning, Bayesian filtering or magic pixie dust)…
… you can’t write a perfect anti-anti-virus either.
Indeed, if you’re trying to hide from anti-virus programs by detecting them and behaving differently, like Gatak does, you’ve programmed in a whole class of unusual behaviour that acts as an anti-anti-anti-virus all of its own!
Wilderness
Fantastic, RE the third piece of good news: The more ways they check for VMs, the more ways we can prevent that software from running on production machines by tweaking things.
Sam
If these viruses are going to so much trouble to avoid sandboxes– couldn’t an effective anti-virus solution be to set flags or start false processes to make viruses think normal users are sandboxes? This might get too close to causing software conflicts but would be a funny back-atcha.
Paul Ducklin
The term you may hear for this sort of trick is “immunisation,” where you trick the malware into thinking it’s already running, or get it to decide that it can’t run, or cause it to crash before anything bad happens.
It was a good trick when there were comparatively few viruses but some were enormously widespread – if you could block even one of those permanently, it was worth it. Example: the “Fun Loving Criminal” or FunLove virus of 1999 was a global problem, spreading round and round in circles. It created a file called FLCSS.EXE in the system folder…except that if a *directory* called FLCSSS.EXE already existed, the virus would crash and you were home free.
As you say, it doesn’t always work…the immunisation might interfere with legitimate software, or immunising against malware X may be incompatible with immunising against Y. An old-school example is that a lot of DOS viruses marked a file as already infected by adding some magic-marker bytes at the end. If X looked for files ending “VirX” but Y looked for “IamY”, for example, you could only immunise against one at a time.
Rick H
Assuming that the ‘bad guy’ looks for processes/programs unique to an investigator’s computer/system, why not have the anti-virus program ‘spoof’ those programs as running as another layer of protection against the bot or infection?
Paul Ducklin
As mentioned above, this can work…although it gets out of control pretty quickly if you try to do it for every malware variant out there, especially if you have to allocate system resources for each one (e.g. start a special process, create a specifially-named mutex, add a particular registry entry).
Bryan
I read the list of checked timestamps and thought “Simon says put UnxUtils ‘touch’ into a startup script” then read this…
“security companies can circumvent Gatak’s anti-anti-virus trickery by presenting a moving target”
…yep
Paul Ducklin
It’s nice to randomise your analysis environments for this sort of thing; it’s also nice to have unchanging ones for repeatable testing…
…so you basically need to do both.