Security researchers have identified a single bit (the Trap Flag) in an Intel CPU register that malware can abuse to evade sandbox detection.
According to researchers at Palo Alto Networks' Unit 42 threat research team, malware can detect whether it is executing on a physical machine or in a virtual machine (VM) by checking how the CPU responds after setting this single bit.
Malware commonly avoids detection by checking whether it is being run in a virtualized "sandbox" environment set up to safely analyze suspected malware. When the malware determines that it is executing in a virtual machine, it terminates its execution or produces fake output to hide its real intentions.
In this case, to detect a VM used as a sandbox, malware can test the CPU's behavior after enabling the trap flag. This is the eighth single bit in the EFLAGS register of the Intel x86 CPU architecture.
If the trap flag is set before a single instruction is executed, the CPU raises an exception (single-step mode) after that instruction completes. This exception halts CPU execution so that the exception handler can inspect the contents of the registers and memory. Before allowing code execution to continue, the CPU must also clear the trap flag.
“To determine whether a VM is used, malware can check whether the single-step exception was delivered to the correct CPU instruction after executing specific instructions (e.g. CPUID, RDTSC, IN) that cause the VM to exit with the TF enabled. During VM exits, the hypervisor – also known as the Virtual Machine Monitor (VMM) – will emulate the effects of the physical CPU it encounters,” the researchers said.
Researchers also noted an ongoing cat-and-mouse game between malware authors crafting evasion techniques to prevent effective analysis and sandbox authors developing novel approaches to defeat those evasions.
“This is one of the main drivers that led us at Palo Alto Networks to build our own custom hypervisor for malware analysis. Because we have full control over the software stack, including the virtualization layer, we can react to new and emerging threats,” the researchers said.
“In this particular case, once we had identified the issue with the incorrect emulation of the trap flag, our hypervisor team was able to test and deploy a fix.”
Researchers have since been able to correct this evasion problem for any malware sample deploying this technique.
Some parts of this article are sourced from: