Locky developers have used the break in activity to develop some new features for their ransomware. Locky e-mails came back in full force on 21 June 2016 and now contain virtual machine (VM) and analysis tool countermeasures.
One of the new tricks involves new encryption of the payload that is downloaded by their JavaScript downloaders. This prevents analysis tools from extracting and analysing the executable from the network traffic. Once decrypted, Locky now also requires a command line parameter in order to run correctly. This second technique prevents sandbox environments from knowing how to run the executable.
But one of the more interesting techniques exploits a tiny discrepancy between a VM and a real machine.
DETECTION OF VIRTUALISATION
When Locky returned on June 21, we saw that it is now using a new mechanism to detect the presence of a VM. We have not quite seen this specific method previously, although the conceptual basis is not a new one.
The malware will calculate how long it takes to perform two Windows API calls, GetProcessHeap() and CloseHandle(). It will then compare the ratio of how long it took to execute the first API versus the second API. This is then compared to a known ratio of at least 1:10 that is more likely to indicate a real machine rather than a VM. On a real system, CloseHandle() should be at least 10 times quicker on average to execute when compared with GetProcessHeap(). However, due to how VM products may virtualise the Thread Environment Block (if they are not using hardware acceleration features), GetProcessHeap() may take a lot longer to execute as compared to a real machine.
The APIs have been carefully chosen by the developer of the code, who clearly has a very good understanding of fundamental VM behaviour. The mechanism is not perfect, however, and may both fail to detect a VM and also result in some false positives on real machines. This is somewhat mitigated by making 10 attempts to pass the ratio threshold. The Locky developers may be aware of this and willing to lose a certain percentage of real victims in order to extend the possible window in which their malware will remain undetected.
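A self-test for sandbox operators, added here and not code from Locky or from the original post: it reproduces the timing heuristic as the post describes it (a 1:10 ratio, up to 10 attempts) so you can see whether your analysis VM would be flagged by it. The ratio logic is portable and the measurement part is Windows-only; the direction of the ratio, the use of QueryPerformanceCounter, the iteration count and closing freshly created event handles are assumptions, since the post does not give them.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif
/* Figures as the post states them: a 1:10 ratio and up to 10 attempts. */
#define RATIO_THRESHOLD 10
#define MAX_ATTEMPTS 10

/* An attempt "looks real" when CloseHandle took at least RATIO_THRESHOLD times
   as long as GetProcessHeap. Assumption: that is the direction implied by the
   post's 1:10 ratio and its note that a virtualised TEB slows GetProcessHeap. */
int attempt_passes(uint64_t heap_ticks, uint64_t close_ticks)
{
    if (heap_ticks == 0) return 1;  /* counter too coarse to see GetProcessHeap */
    return close_ticks >= (uint64_t)RATIO_THRESHOLD * heap_ticks;
}

/* Returns the 1-based attempt that first met the threshold, or 0 if none did. */
int first_passing_attempt(const uint64_t *heap_ts, const uint64_t *close_ts, int n)
{
    if (n > MAX_ATTEMPTS) n = MAX_ATTEMPTS;
    for (int i = 0; i < n; i++)
        if (attempt_passes(heap_ts[i], close_ts[i])) return i + 1;
    return 0;
}
#ifdef _WIN32
/* Windows only: time ITER calls of each API with QueryPerformanceCounter. The
   post does not say which handle Locky closes; fresh event handles are assumed. */
#define ITER 10000
static void measure(uint64_t *heap_ticks, uint64_t *close_ticks)
{
    static HANDLE h[ITER]; LARGE_INTEGER t0, t1, t2;
    for (int i = 0; i < ITER; i++) h[i] = CreateEventW(NULL, FALSE, FALSE, NULL);
    QueryPerformanceCounter(&t0);
    for (int i = 0; i < ITER; i++) (void)GetProcessHeap();
    QueryPerformanceCounter(&t1);
    for (int i = 0; i < ITER; i++) CloseHandle(h[i]);
    QueryPerformanceCounter(&t2);
    *heap_ticks = (uint64_t)(t1.QuadPart - t0.QuadPart);
    *close_ticks = (uint64_t)(t2.QuadPart - t1.QuadPart);
}
int main(void)  /* run inside the analysis VM you want to check */
{
    uint64_t heap_ts[MAX_ATTEMPTS], close_ts[MAX_ATTEMPTS];
    for (int i = 0; i < MAX_ATTEMPTS; i++) measure(&heap_ts[i], &close_ts[i]);
    int a = first_passing_attempt(heap_ts, close_ts, MAX_ATTEMPTS);
    if (a) printf("ratio met on attempt %d: host looks real to this check\n", a);
    else printf("ratio never met in %d attempts: looks virtualised\n", MAX_ATTEMPTS);
}
#endif
```

Timing thousands of calls per attempt smooths over counter resolution; a single-call measurement, as the malware may use, is noisier, which is one reason the post notes false positives on real hardware.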