The Threat Intelligence department of the security vendor Check Point has released the "Evasions Encyclopedia", a reference work that brings together all relevant information on the evasion techniques used by well-known malware families. The collected data is intended to serve IT security staff and department heads as a first point of contact for this information, in particular to check which of these malware techniques their own mix of security products and platforms is able to detect. The different categories in the database allow searching for specific techniques and variants.
Evasion techniques (in German: Ausweichtechniken) are techniques used by malware developers to make tools for the automatic analysis of suspicious files or malware samples in virtualized environments, so-called sandboxes, come up empty. Such environments contain a wide variety of artifacts that ordinary host systems do not, for example unusual files, registry keys, system objects and much more. Based on these artifacts, malware can detect whether it is running in a virtualized environment. If it recognizes this, it shows no suspicious behavior and thereby evades detection ("escape"). Other well-known techniques include delaying the execution of the malicious payload beyond the sandbox's time limit, tricks, and fingerprinting methods that detect the analysis environment from its hardware characteristics.
Overcoming and detecting malware evasion
If the malware does not recognize that it is running in a virtualized environment, it behaves as usual, can be analyzed, and provides virus researchers with valuable information about its malicious routines. The purpose of the Evasions Encyclopedia is to bring together all known methods for detecting virtualized environments, together with the countermeasures needed against them. On the project's website these methods are divided into categories such as file system, registry, generic OS queries and so on. Each entry contains a description of the evasion technique, a code sample showing how it is used, signature recommendations for detecting it, and tables with the characteristics of specific environments and possible countermeasures. Contributions to the project via pull requests on GitHub are welcome. More details can be found in a blog post.
The researchers have also developed their own open-source tool called InviZzzible, which implements the well-known detection and evasion techniques and can be used to assess one's own virtualized environments.