
Dyre Malware Updated to Defeat Malware Sandboxing Solutions

  • May 14, 2015
  • Mark Seward
  • 2 minutes to read

    Is this the end of effectiveness for malware sandboxing solutions?

    Many organizations have invested heavily in malware sandboxing solutions to catch malware that slips past anti-virus products. For many of them, the sandbox is the most advanced tool they have for detecting and preventing a data breach. Yet it now seems that enough organizations have deployed sandboxes for attackers to take notice and respond with a few steps of their own.

    Several recent articles describe new releases of the Dyre malware. These versions contain code that checks how many processor cores the machine it is running on exposes. In the tests reported, four non-commercial and four commercial sandboxes all failed to analyze the new Dyre variant.

    According to an article in eWeek, “The Dyre malware is currently at the top of the heap of money-stealing malware. While technically an information-stealing program, Dyre is also the foundation of one of the top banking botnets, according to a recent report by managed security firm Dell Secureworks.”

    Most computers built after about 2005 have multiple processor cores. Malware sandboxes, by contrast, typically run each sample in a virtual machine with a single virtual core so that more analyses fit on the same hardware. That gives the malware a cheap tell: it queries the core count, and if it sees only one core it assumes it is inside a sandbox and simply does not run, so the analysis produces no malicious behavior to report. This should be seen as the first in what could be a growing list of checks malware uses to stay ahead of sandboxing solutions. Helper processes and drivers that exist only on the virtualization platform can likewise be used to identify a malware sandbox.
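
    The core-count check above, and the follow-on process-name check, are simple enough to model. The block below is an added example written for this page, not Dyre's code and not a sandbox vendor's: the "fewer than two cores means sandbox" threshold and the list of guest-tools process names are assumptions chosen to mirror the behavior the text describes (vmtoolsd.exe and VBoxService.exe/VBoxTray.exe are the real VMware and VirtualBox guest-tools processes, but what any given sample looks for is unknown). It also shows the defender's side, auditing a sandbox VM profile against the same two checks, which the text only implies.

```python
"""Toy model of the core-count sandbox check and its counter-measure.

Constructed example for this page; not Dyre's code. The threshold and
the process names are assumptions that mirror the behaviour described.
"""
import os

# Assumption: fewer than this many logical processors is treated as "sandbox".
MIN_CORES_FOR_REAL_HOST = 2

# Assumption: guest-tools process names an evasive sample might look for.
# These are the real VMware / VirtualBox helper processes, lower-cased.
VIRTUALIZATION_PROCESSES = {"vmtoolsd.exe", "vboxservice.exe", "vboxtray.exe"}


def logical_cpu_count() -> int:
    """Logical processors visible to this process.

    Native Windows malware reads the same value from
    GetSystemInfo() -> SYSTEM_INFO.dwNumberOfProcessors; os.cpu_count()
    wraps that on Windows and sysconf(_SC_NPROCESSORS_ONLN) elsewhere.
    """
    return os.cpu_count() or 1


def core_count_says_sandbox(cores: int, minimum: int = MIN_CORES_FOR_REAL_HOST) -> bool:
    """The check the text describes: a single-core machine is assumed to be an analysis VM."""
    return cores < minimum


def processes_say_sandbox(process_names) -> bool:
    """Second heuristic from the text: guest-tools processes betray a VM."""
    return any(name.lower() in VIRTUALIZATION_PROCESSES for name in process_names)


def evasive_payload_decision(cores: int, process_names) -> str:
    """Return 'exit' when either heuristic fires, otherwise 'run'."""
    if core_count_says_sandbox(cores) or processes_say_sandbox(process_names):
        return "exit"
    return "run"


# --- Defender's side: audit a sandbox VM profile against the same checks ---

def audit_sandbox_profile(vcpus: int, process_names) -> list:
    """List the reasons an evasive sample would refuse to run in this profile.

    An empty list means the profile survives both heuristics.
    """
    problems = []
    if core_count_says_sandbox(vcpus):
        problems.append(f"only {vcpus} vCPU(s): give the guest at least {MIN_CORES_FOR_REAL_HOST}")
    hits = sorted(n for n in process_names if n.lower() in VIRTUALIZATION_PROCESSES)
    if hits:
        problems.append("guest-tools processes visible: " + ", ".join(hits))
    return problems


# Constructed VM profiles (not measurements of any product): (vCPUs, process list).
PROFILES = {
    "default-sandbox": (1, ["explorer.exe", "svchost.exe", "vmtoolsd.exe"]),
    "hardened-sandbox": (2, ["explorer.exe", "svchost.exe"]),
    "victim-laptop": (4, ["explorer.exe", "outlook.exe"]),
}

if __name__ == "__main__":
    print(f"this host reports {logical_cpu_count()} logical processor(s)")
    for name, (vcpus, procs) in PROFILES.items():
        verdict = evasive_payload_decision(vcpus, procs)
        audit = audit_sandbox_profile(vcpus, procs) or "ok"
        print(f"{name:17s} vcpus={vcpus} -> sample would {verdict}; audit: {audit}")
```

    The practical check for a sandbox owner is the audit function: if your analysis VM profile comes back with any problems, an evasive sample of this kind will never detonate in it. Giving the guest two or more vCPUs removes the core-count tell, but hiding guest-tools processes is a separate job, which is why the text warns that this is only the first of a growing list of checks.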

    The Dyre malware’s success at evading sandboxes is one more reason why companies that have invested in these systems cannot count on them as their only defense against APT-style attacks. Even as sandboxing solutions learn to counter detection and evasion techniques, attackers will push back with innovations of their own.

    Highlighting behaviors

    Malware that is after an organization’s data sooner or later makes its presence known through the use of credentials, as it attempts to move and gain access to systems and data inside the organization. Exabeam’s user behavior intelligence solution cannot be fingerprinted from the infected machine the way a sandbox can, because it simply analyzes log data the organization already collects. It highlights abnormal credential behaviors and access characteristics so they stand out against the backdrop of legitimate employee activity.
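
    To make the idea concrete, here is an added example that is not Exabeam’s algorithm or code: it builds a per-account baseline (source hosts, target hosts, logon hours) from existing logon records, then flags new logons that break it and looks for a burst of first-time destinations, which is what lateral movement with stolen credentials looks like in the logs. The record format, the two days of records and the three-host threshold are all constructed for the example.

```python
"""Illustrative credential-behaviour baseline over constructed logon records.

Added example: not Exabeam's algorithm, just the shape of the idea in the
text (learn each account's normal access pattern from logs you already
have, then flag logons that depart from it). Format and thresholds are
assumptions.
"""
import re
from collections import defaultdict

# Constructed records, "<ISO timestamp> <user> <source host> <target host>".
BASELINE_LOG = """\
2015-05-11T09:02 alice WS-ALICE FILESRV01
2015-05-11T09:05 alice WS-ALICE MAIL01
2015-05-12T09:01 alice WS-ALICE FILESRV01
2015-05-12T13:40 alice WS-ALICE MAIL01
2015-05-13T09:04 alice WS-ALICE FILESRV01
2015-05-11T08:55 bob WS-BOB FILESRV01
2015-05-12T09:15 bob WS-BOB FILESRV01
2015-05-13T17:30 bob WS-BOB FILESRV01
"""

# Constructed "today" records: alice's account fans out to three new hosts at 02:xx.
TODAY_LOG = """\
2015-05-14T09:03 alice WS-ALICE FILESRV01
2015-05-14T02:17 alice WS-ALICE DC01
2015-05-14T02:18 alice WS-ALICE FIN-DB01
2015-05-14T02:19 alice WS-ALICE HR-FS02
2015-05-14T09:10 bob WS-BOB FILESRV01
"""

RECORD = re.compile(r"^(\d{4}-\d\d-\d\d)T(\d\d):\d\d (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            date, hour, user, src, dst = m.groups()
            yield {"date": date, "hour": int(hour), "user": user, "src": src, "dst": dst}


def build_profiles(events):
    """Per-user baseline: hosts logged on from, hosts reached, hours seen."""
    profiles = defaultdict(lambda: {"src": set(), "dst": set(), "hours": set()})
    for e in events:
        p = profiles[e["user"]]
        p["src"].add(e["src"])
        p["dst"].add(e["dst"])
        p["hours"].add(e["hour"])
    return profiles


def reasons_for(event, profile):
    """Ways this logon departs from the account's baseline (empty list = normal)."""
    if profile is None:
        return ["account never seen in baseline"]
    reasons = []
    if event["src"] not in profile["src"]:
        reasons.append(f"new source host {event['src']}")
    if event["dst"] not in profile["dst"]:
        reasons.append(f"first logon to {event['dst']}")
    if event["hour"] not in profile["hours"]:
        reasons.append(f"logon at {event['hour']:02d}:xx, outside baseline hours")
    return reasons


def find_anomalies(baseline_text, new_text):
    """Return [(event, reasons)] for new-log events that break the baseline."""
    profiles = build_profiles(parse_log(baseline_text))
    flagged = []
    for e in parse_log(new_text):
        r = reasons_for(e, profiles.get(e["user"]))
        if r:
            flagged.append((e, r))
    return flagged


def lateral_movement_candidates(flagged, min_new_hosts=3):
    """Users reaching >= min_new_hosts never-before-seen hosts on one day.

    Threshold is an assumption: one odd logon is noise, a burst of
    first-time destinations looks like an attacker fanning out.
    """
    new_hosts = defaultdict(set)
    for e, reasons in flagged:
        if any(r.startswith("first logon to") for r in reasons):
            new_hosts[(e["user"], e["date"])].add(e["dst"])
    return sorted({user for (user, _), hosts in new_hosts.items() if len(hosts) >= min_new_hosts})


if __name__ == "__main__":
    hits = find_anomalies(BASELINE_LOG, TODAY_LOG)
    for e, r in hits:
        print(f"{e['date']} {e['hour']:02d}:xx {e['user']} -> {e['dst']}: {'; '.join(r)}")
    print("lateral movement candidates:", lateral_movement_candidates(hits))
```

    Nothing here runs on the compromised endpoint, which is the point the text makes: the malware has nothing to fingerprint. The trade-off is that a baseline built from a few days of logs will flag legitimate novelty too (a new file server, a late-night deploy), so in practice the per-logon reasons feed a score and the burst detector is what raises an incident.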
