Joe Security's Blog
Defeating Sleeping Malware
Published on: 29.10.2012
During some large scale analysis test to optimize our signature sets we detect a sample showing the following behavior:
The sample has started a couple of new processes as well as new service (smss.exe). Joe Sandbox has not found any malicious behavior, except that the "Contains long sleeps" signature has fired.
Sleeping to bypass automated malware analysis system, like Joe Sandbox, is not new but certainly used more these days. Because the malware is executed / analyzed for a short time only, the analysis system misses interesting activities after the sleep.
Basically there are two techniques to circumvent long sleeps:
- Increase the analysis time (do long term malware analysis)
- Dynamically modify the sleep duration
A week ago we have implemented the following new cookbook command:
- _JBShortenSleepsGreaterThan(thresholdinseconds,replacementinsecond)
With Joe Sandbox 7.0.0 all default cookbooks are going to use that command:
Behavior analysis of the sample previously analyzed, by using the new cookbook:
After the 6min sleep the sample injects itself into lsass.exe. The injection technique is highly malicious and a good artifact for detection. In addition the sample starts its communication:
Analysis Report: report-8ebd97ee5f259cb2f1b38da1f1040cf0(1)
Using the _JBShortenSleepsGreaterThan has a big impact on the analysis results.
Sleeps with a long duration are also a good malicious indicator, since most legitimate software do not use it as malware does.
Shorting sleep and wait duration in general is hard. One may implement a sleep with the following techniques:
- for (int i = 0; i < 240; ++i) Sleep(1000); // Waits 240x 1s
- WaitForSingleObject(non signaled Semaphore / Event, 24000)