Cops & Robbers: The Battle over Office-Based Malware
By BUFFERZONE Team, 6/11/2017
For years, cybercriminals and the cyber security establishment have been playing a kind of game of cops and robbers, with the criminals usually staying one step ahead. Any time security software begins being able to identify new malware types and protecting against them, the hackers introduce a new evasion technique designed to circumvent the security products. Here we’ll review some of the evasion techniques used by malware based in MS Office files, focusing on the techniques used to evade automated dynamic analysis tools.
Office files, such as Word and Excel documents, have long been a popular attack vector for malware. Due to their widespread use, receiving Office documents by email and other ways is a common occurrence that is often perceived by users as legitimate and harmless. These behavior patterns provide attackers with ample opportunities for social engineering campaigns whose aim is to get users to open the documents.
Office applications include their own internal scripting language – Virtual Basic for Applications, or VBA. VBA scripts, or macros, can be saved inside documents, waiting to run when the documents are accessed. The macros can in turn execute commands and scripts outside the application, and the malicious payloads can perform any kind of attack, such as ransomware or bank account identity theft. Since 2007, Office applications disable macros by default; however, accompanying instructions – for example, in an email message – often instruct users to enable macros, with plausible-sounding explanations why this is necessary.
The Basics: Signature-Based and Static Code Analysis
Once a malware strain is identified, it can be caught by classical signature-based antivirus and antimalware tools. However, changes to malware packages easily circumvent these tools, requiring organizations to implement analysis tools that attempt to identify new, previously unknown malware.
One type of analysis that is used to identify malware is static analysis of a file’s content. Static analysis analyzes actual code lines found in files, without actually running the code, and tries to understand what the file could potentially do. For many suspicious files, only binaries are available,
not readable code; but in the case of Office file VBA, the code lines themselves are generally available to scanners.
However, malware writers employ various techniques to evade static analysis. Some of these techniques are:
- The Office file may be password-protected, with the password supplied to the user in an email body, in which case automated systems will not be able to read the code at all.
- The writers heavily obfuscate the code, sometimes running to thousands of lines of almost unreadable code, only a small portion of which defines its actual functionality.
- Actual malicious payloads may be offloaded to external packages that are downloaded and/or called by the VBA, sometimes in a chain of
several stages involving different files, some of which may be binaries that are not easily analyzed.
This makes it difficult for automated analysis tools to understand the code’s full scope of activity.
Because of these limitations, static analysis results are often limited to technical details such as metadata, hashes, etc. and do not provide actual full understanding of files’ potential effects.
Getting Real: Dynamic Analysis
To complement static analysis, or as an alternative, organizations are increasingly making use of dynamic analysis tools. These tools actually run suspicious files in secure, isolated environments (sandboxes) to test their effects. Various sandbox solutions provide cloud-based or on-premise automated analysis, enabling organizational systems to submit suspicious files for analysis.
Dynamic analysis, while more difficult to implement, has a significant advantage over static analysis: it doesn’t require error-prone analysis of complex and intentionally obfuscated code, since it’s only interested in actual results of running the files under analysis.
However, cybercriminals are successfully introducing techniques that evade dynamic analysis as well. These include:
- As we mentioned before, the Office file may be password-protected, with the password supplied to the user in an email body.
This technique blocks any kind of automated analysis, static or dynamic. However, it is not always preferred by malware authors, since it creates an additional obstacle to the malware being able to actually run.
- The VBA macros use various fingerprinting techniques enable to attempt to identify sandbox environments, and the malware acts only if such
an environment is not found. As a result, dynamic analysis systems may be fooled into thinking that the file being analyzed produces no
Sandbox fingerprinting techniques may include:
- Using Windows Management Instrumentation (WMI) to identify processes typical of known analysis systems or virtual environments
- Checking the current user account for user names known to be associated with analysis tools
- Checking the current IP address for geographical data known to be associated with cloud analysis products
- Using Alternative Data Streams (ADS) to check if the file’s recent usage history is consistent with the scenario of an individual user
receiving and opening it
- The malware uses various stalling techniques such as calling looped sleep functions or other looped benign commands to delay the malicious
activity, fooling the analysis systems into thinking that the macro has already finished its activity.
- Most recently, some VBA malware has been found to trigger its execution on the document being closed, taking advantage of VBA’s ability to
define an action upon the document close event. For example, the well-known Locky ransomware was found packaged in a Word document that
only activated the malware upon the AutoClose event.
As these evasion techniques are developed by cybercriminals, various security products react by introducing appropriate countermeasures, closing each gap sooner or later. Competing security vendors announce their evasion countermeasures as they implement them, hoping to convince security-conscious consumers to prefer their products.
Are We Secure?
If there’s one thing that this constant cat-and-mouse game illustrates, it’s that there’s always another evasion technique on the horizon that security vendors haven’t thought of yet. Perhaps it’s time to change our way of thinking and adopt a new security paradigm.
Isolation and containment products such as BUFFERZONE do the same thing regardless of specific techniques applied by malware coders: any possible downloaded or externally accessed files are kept on endpoints in a virtual container, along with any possible processed started by or from those files. Contained processed cannot reach native endpoint or organizational resources, and so can’t inflict any lasting damage. Periodically, the container is wiped clean along with any possible malware.