Malware Authors Employ Variety to Evade Security Detection

In the McAfee Labs blog we have covered many techniques that malware uses to evade code-based detection. In my previous blog I discussed procedure prologue and procedure epilogue techniques to evade security systems. We recently came across one more set of fake-alert samples that use a different technique to evade detection. This technique is related to the dynamic loading of a library at runtime.

Dynamic Loading

Dynamic loading is a mechanism by which a program loads a library into memory at runtime so that the functions and variables the library contains can be called or accessed through their addresses. On Windows, dynamic loading is done with the LoadLibrary API, which takes a string argument: the name of the library to be loaded.

The following screenshot shows typical LoadLibrary code with its argument.

[Screenshot: Legit_Way_Test] A typical LoadLibraryExA API call with its argument.

The preceding pattern is easy for both behavior-based and code-based detection to identify. That is why some fake-alert malware families now pass the argument to the LoadLibrary API in different ways. The following screenshots illustrate four sets of code that serve the same purpose: moving the required argument onto the stack.

[Screenshot: Kernel_1_Test] First pattern for moving arguments.

[Screenshot: Kernel_2_Test] Second pattern for moving arguments.

[Screenshot: Kernel_4_Test] Third pattern for moving arguments.

[Screenshot: Kernel_3_Test] Fourth pattern for moving arguments.
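As an added example (not code from the McAfee post or from its samples), the following Python triage script recovers a library name that has been assembled on the stack piecewise, which is the kind of argument construction that defeats a plain string search for the LoadLibrary argument. It assumes the obfuscated patterns take the form of immediate stores into the ebp frame or of push-immediates; the two byte sequences are constructed for this example and the function names are my own.

```python
import re

# Constructed x86 snippets (not from the page's samples): each builds "kernel32.dll" on the
# stack piecewise, so the name is never contiguous in the file, then passes a pointer to it.
FRAME_SAMPLE = bytes.fromhex(            # mov dword [ebp-0x10],'kern'; [ebp-0xC],'el32'; [ebp-8],'.dll'
    "C745F0" "6B65726E" "C745F4" "656C3332" "C745F8" "2E646C6C"
    "C645FC" "00" "8D45F0" "50" "FFD6")  # mov byte [ebp-4],0; lea eax,[ebp-0x10]; push eax; call esi
PUSH_SAMPLE = bytes.fromhex(             # push 0 (terminator goes first); push '.dll'; push 'el32'
    "68" "00000000" "68" "2E646C6C" "68" "656C3332"
    "68" "6B65726E" "54" "FFD6")         # push 'kern'; push esp; call esi
LIB_NAME = re.compile(r"^[\w.-]+\.dll$", re.IGNORECASE)

def find_stack_writes(code: bytes) -> list[dict[int, int]]:
    """{offset: byte} maps of immediate stores to the stack: [ebp+disp8] stores in one map,
    push-immediates (virtual esp starting at 0) in another. Pattern scan, not a disassembler."""
    frame, pushes, esp, i = {}, {}, 0, 0
    while i < len(code):
        op = code[i:i + 2]
        disp = int.from_bytes(code[i + 2:i + 3], "little", signed=True)  # 0 if past the end
        if op == b"\xC7\x45" and i + 7 <= len(code):    # mov dword [ebp+disp8], imm32
            frame.update(enumerate(code[i + 3:i + 7], disp))
            i += 7
        elif op == b"\xC6\x45" and i + 4 <= len(code):  # mov byte [ebp+disp8], imm8
            frame[disp] = code[i + 3]
            i += 4
        elif code[i] == 0x68 and i + 5 <= len(code):    # push imm32: the 4 bytes land at the new esp
            esp -= 4
            pushes.update(enumerate(code[i + 1:i + 5], esp))
            i += 5
        else:
            i += 1
    return [frame, pushes]

def recover_stack_strings(code: bytes, min_len: int = 4) -> list[str]:
    """Reassemble contiguous printable-ASCII runs from the recovered stack bytes."""
    found = []
    for mem in find_stack_writes(code):
        text, prev = bytearray(), None
        for off in sorted(mem):
            if prev is not None and off != prev + 1:
                text.append(0)                          # a gap between writes ends any run
            text.append(mem[off])
            prev = off
        found += [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, bytes(text))]
    return found

def suspicious_library_names(code: bytes) -> list[str]:
    """Library names only visible after stack-string recovery: candidate LoadLibrary arguments."""
    return [s for s in recover_stack_strings(code) if LIB_NAME.match(s)]
```

Because the scan matches byte patterns rather than disassembling, run it over code sections only and treat hits as leads to confirm in a debugger or disassembler.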

Malware authors are always searching for new techniques to evade detection, but eventually their techniques are discovered and blocked by security researchers. McAfee detects all the variants that use these techniques.