The evasion techniques in this group are network-related in one sense or another: either network-related functions are used, or network parameters are checked. If those parameters differ from what a typical host OS would show, a virtual environment is likely detected.
Vendors of virtual environments hard-code certain values (such as the MAC address prefix) and names (such as the network adapter name) in their products; because of this, such environments can be detected by checking the properties of the corresponding objects.
Malware makes a request to https[:]//www.maxmind.com/geoip/v2.1/city/me, which normally requires some form of authentication or an API key. To get around this requirement, the malware makes the request look as though it comes from the site itself by setting the HTTP Referer header to https[:]//www.maxmind.com/en/locate-my-ip-address and the User-Agent to Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0). This trick lets the sample retrieve information about the public IP address of the machine it is running on.
The response is returned in JSON format and contains the country, the city and, most importantly, the organization associated with the IP address. If any "bad" strings are found in the response, the malware concludes that it has been launched inside some kind of security perimeter or organization.
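The following is an added example (not code from the original page or from any of the projects it cites) showing both halves of the trick: building the request with the spoofed Referer and User-Agent, and scanning the JSON response for "bad" organization strings. The request is built but never sent, and the two responses are constructed in the shape of a GeoIP2 city lookup with made-up values. The list of "bad" words is an assumption; the page does not give the real list, which varies per malware family.

```python
import json
import urllib.request

# Endpoint and the spoofed headers described in the text. The request is built
# but never sent, so the example runs offline.
MAXMIND_URL = "https://www.maxmind.com/geoip/v2.1/city/me"
SPOOFED_HEADERS = {
    "Referer": "https://www.maxmind.com/en/locate-my-ip-address",
    "User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
}

# Assumption: the "bad" substrings a sample might look for. The real list is
# family-specific and is not given on the page.
BAD_ORG_WORDS = ("amazon", "google", "microsoft", "kaspersky", "symantec",
                 "hosting", "cloud", "datacenter", "data center", "university")


def build_geoip_request():
    """Return the urllib Request carrying the spoofed Referer and User-Agent."""
    return urllib.request.Request(MAXMIND_URL, headers=SPOOFED_HEADERS)


def org_strings(response):
    """Yield the organisation-like fields of a GeoIP2-style JSON response."""
    traits = response.get("traits", {})
    for key in ("isp", "organization", "autonomous_system_organization"):
        value = traits.get(key)
        if value:
            yield value


def bad_words_found(response_json, bad_words=BAD_ORG_WORDS):
    """Return the bad words (in list order, no duplicates) hit by any org field."""
    data = json.loads(response_json) if isinstance(response_json, str) else response_json
    found = []
    for text in org_strings(data):
        lowered = text.lower()
        for word in bad_words:
            if word in lowered and word not in found:
                found.append(word)
    return found


def inside_security_perimeter(response_json, bad_words=BAD_ORG_WORDS):
    """The sample's decision: any hit means 'being analysed, stay dormant'."""
    return bool(bad_words_found(response_json, bad_words))


# Constructed responses in the shape of a GeoIP2 city lookup (fake values).
HOME_USER_RESPONSE = json.dumps({
    "country": {"iso_code": "DE", "names": {"en": "Germany"}},
    "city": {"names": {"en": "Berlin"}},
    "traits": {"ip_address": "203.0.113.7", "isp": "Example Telecom AG",
               "organization": "Example Telecom AG",
               "autonomous_system_organization": "Example Telecom AG"},
})
SANDBOX_RESPONSE = json.dumps({
    "country": {"iso_code": "US", "names": {"en": "United States"}},
    "city": {"names": {"en": "Ashburn"}},
    "traits": {"ip_address": "198.51.100.9", "isp": "Amazon.com",
               "organization": "Amazon Data Services",
               "autonomous_system_organization": "Amazon Cloud Services"},
})

if __name__ == "__main__":
    req = build_geoip_request()
    print("would send:", req.full_url, dict(req.header_items()))
    for name, resp in (("home", HOME_USER_RESPONSE), ("sandbox", SANDBOX_RESPONSE)):
        print(name, bad_words_found(resp), inside_security_perimeter(resp))
```

Only the `traits` fields are inspected because that is where the organization, ISP and AS organization live in this response shape; matching is case-insensitive so that "Amazon.com" and "AMAZON" are treated alike.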
Initially this technique was designed to bypass AV detection. It is not an evasion technique in itself; instead, it abuses a side effect that appears after the function is called.
The main idea is to use the deterministic result of a NetValidateName API call made with an invalid Server name argument (for example "123") to calculate a jump address dynamically. The jump usually points into the middle of some instruction in order to bypass heuristic analysis by AV software. This technique, however, has (at least) one side effect.
If the operating system has default NetBIOS settings (NetBIOS over TCP/IP is enabled), the return code is always ERROR_BAD_NETPATH (0x35). If NetBIOS over TCP/IP is switched off, the return code is ERROR_NETWORK_UNREACHABLE (0x4CF).
In the latter case the jump address is calculated incorrectly and the sample crashes. The technique can therefore be used to break emulation in sandboxes where NetBIOS over TCP/IP has been switched off to prevent the OS from generating junk traffic.
Note: NetBIOS over TCP/IP is switched off so that the OS does not generate additional network requests while resolving the server name via DNS; with the option off, the name lookup requests in the local network are not sent.
This technique can be used to detect the Cuckoo Sandbox virtual environment. Malware enumerates all established outgoing TCP connections and checks whether there is a connection to the specific TCP port (2042) used by the Cuckoo ResultServer.
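An added example (not from the original page or from Cuckoo) of the ResultServer check, done over the text output of `netstat -ano` rather than via GetExtendedTcpTable as a native sample would. The netstat listing is constructed, not captured from a real machine; note that only the remote port matters, so a connection whose local port happens to be 2042 is deliberately not counted.

```python
import subprocess

CUCKOO_RESULTSERVER_PORT = 2042  # Cuckoo's default ResultServer port

# Constructed netstat -ano style output (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.56.101:49712   192.168.56.1:2042      ESTABLISHED     1904
  TCP    192.168.56.101:49713   93.184.216.34:443      ESTABLISHED     3120
  TCP    192.168.56.101:2042    192.168.56.1:51000     ESTABLISHED     2200
  TCP    [::1]:49720            [::1]:2042             ESTABLISHED     1904
  UDP    0.0.0.0:5355           *:*                                    1416
"""


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4 or '[v6]:port') into (host, int port or None)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    try:
        return host, int(port)
    except ValueError:
        return host, None


def parse_netstat(text):
    """Return the TCP rows of a Windows netstat -ano listing as dicts."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "TCP":   # skips header, blank and UDP rows
            continue
        _, local, remote, state, pid = parts[:5]
        conns.append({"local": split_endpoint(local),
                      "remote": split_endpoint(remote),
                      "state": state, "pid": int(pid)})
    return conns


def find_resultserver_connections(text, port=CUCKOO_RESULTSERVER_PORT):
    """Established TCP connections whose REMOTE port is the ResultServer port."""
    return [c for c in parse_netstat(text)
            if c["state"] == "ESTABLISHED" and c["remote"][1] == port]


def check_live(port=CUCKOO_RESULTSERVER_PORT):
    """Run netstat -ano on this (Windows) host and apply the same check."""
    out = subprocess.run(["netstat", "-ano"], capture_output=True,
                         text=True, check=False).stdout
    return find_resultserver_connections(out, port)


if __name__ == "__main__":
    for c in find_resultserver_connections(SAMPLE_NETSTAT):
        print("ResultServer connection:", c)
```

`check_live` only makes sense on Windows, where netstat prints the column layout parsed above; on other systems the parser simply finds no matching rows.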
Signature recommendations are the same for every technique in this group: hook the function in question and track whether it is called. It is hard to tell why an application wants to get an adapter name, for example; this does not necessarily mean an evasion technique is being applied. So the best that can be done here is to intercept the target functions and track their calls.
Although the Check Point tool InviZzzible implements all of these techniques, the modular structure of its code means that showing a code sample from it for the same purpose would take more space. That is why we decided to use other great open-source projects for the examples throughout the encyclopedia.
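The signature recommendation above ("hook the function and track its calls") as an added example on the sandbox side, not code from the original page or from InviZzzible: a scanner over an API-monitor log that tags the calls this group cares about (adapter enumeration, TCP table enumeration, the MaxMind lookup, and NetValidateName with a bogus server name, reporting its return code). The log format (one JSON object per hooked call) and the log lines themselves are constructed; the set of API names per category is an assumption.

```python
import json

# Constructed API-monitor log, one JSON object per hooked call (not real output).
SAMPLE_HOOK_LOG = r"""
{"pid": 1904, "api": "GetAdaptersAddresses", "args": {"Family": 2}, "ret": 0}
{"pid": 1904, "api": "InternetOpenUrlA", "args": {"lpszUrl": "https://www.maxmind.com/geoip/v2.1/city/me", "lpszHeaders": "Referer: https://www.maxmind.com/en/locate-my-ip-address"}, "ret": 1}
{"pid": 1904, "api": "NetValidateName", "args": {"lpServer": "123", "lpName": "WORKGROUP", "NameType": 0}, "ret": 53}
{"pid": 1904, "api": "GetExtendedTcpTable", "args": {"TableClass": 5}, "ret": 0}
{"pid": 2200, "api": "CreateFileW", "args": {"lpFileName": "C:\\Users\\user\\a.txt"}, "ret": 256}
{"pid": 2200, "api": "NetValidateName", "args": {"lpServer": "FILESRV01", "lpName": "WORKGROUP", "NameType": 0}, "ret": 0}
"""

# Assumption: which hooked APIs belong to which check.
ADAPTER_APIS = {"GetAdaptersAddresses", "GetAdaptersInfo"}
TCP_TABLE_APIS = {"GetTcpTable", "GetTcpTable2", "GetExtendedTcpTable"}
HTTP_APIS = {"InternetOpenUrlA", "InternetOpenUrlW", "HttpOpenRequestA",
             "HttpOpenRequestW", "WinHttpOpenRequest"}


def looks_like_bogus_server(name):
    """A deliberately invalid server name such as "123": empty or digits only."""
    return not name or name.isdigit()


def classify(record):
    """Tag one hooked call, or return None if it is of no interest here."""
    api = record.get("api")
    args = record.get("args", {})
    if api in ADAPTER_APIS:
        return "adapter-enumeration (MAC / adapter name check)"
    if api in TCP_TABLE_APIS:
        return "tcp-table-enumeration (possible ResultServer port check)"
    if api in HTTP_APIS and "maxmind.com/geoip" in json.dumps(args).lower():
        return "maxmind-geoip-lookup"
    if api == "NetValidateName":
        if looks_like_bogus_server(args.get("lpServer")):
            # 0x35 = ERROR_BAD_NETPATH (NetBIOS over TCP/IP on),
            # 0x4CF = ERROR_NETWORK_UNREACHABLE (NetBIOS over TCP/IP off).
            return "netvalidatename-bogus-server (ret=0x%X)" % record.get("ret", 0)
        return "netvalidatename"
    return None


def scan_hook_log(text):
    """Return (pid, api, tag) for every call that matches one of the checks."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        tag = classify(rec)
        if tag:
            hits.append((rec["pid"], rec["api"], tag))
    return hits


def hits_per_pid(text):
    """Number of tagged calls per process, for triage."""
    counts = {}
    for pid, _, _ in scan_hook_log(text):
        counts[pid] = counts.get(pid, 0) + 1
    return counts


if __name__ == "__main__":
    for pid, api, tag in scan_hook_log(SAMPLE_HOOK_LOG):
        print(pid, api, tag)
    print(hits_per_pid(SAMPLE_HOOK_LOG))
```

As the text says, a single call proves nothing (the legitimate NetValidateName call from PID 2200 is tagged too, just without the "bogus server" marker); the value is in the per-process accumulation, which is why the tags are counted rather than treated as verdicts.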