Cybersecurity firm Check Point has published an index of the techniques malware commonly uses to detect analysis environments and avoid being analysed.
The wiki covers evasion checks based on the file system, generic OS queries, global OS objects, user-interface artifacts, OS features, hooks, the network, the CPU, firmware tables, the registry, hardware, and macOS-specific sandbox checks.
Check Point now plans to add timing checks, Windows Management Instrumentation (WMI) queries, and human-behaviour imitation as further evasion categories. The firm has also set up a GitHub repository so that outside researchers can contribute to the encyclopedia.
Each evasion category contains a description of the technique, code examples, signature recommendations for detecting attempts to use it, a table showing which analysis environments the technique applies to, and countermeasures.
Many tools that demonstrate these evasion techniques are already publicly available as open source; Check Point has also released its own open-source tool, called InviZzzible.
Security firms routinely run malware samples in automated analysis environments (sandboxes) to observe their behaviour, and malware authors have become very good at recognising these virtualised environments.
Many malware samples are written either to stop executing entirely or to behave differently when they detect such an environment. Defenders, in turn, have to keep improving their analysis tools so that malware is fooled into believing it is running on an ordinary user's machine.
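The following is an added example, written for this article; it is not code from Check Point's encyclopedia or from InviZzzible. It shows the pattern described above in portable Python: a sample takes a snapshot of its environment, runs one check from each of several encyclopedia categories (hardware, filesystem, timing), and aborts instead of running its payload when any check fires. The artifact paths, thresholds and function names are this example's own assumptions; real samples make the same decisions through Win32 calls such as GetSystemInfo, GlobalMemoryStatusEx and GetTickCount.

```python
"""Minimal sandbox-evasion decision, as an illustration of the techniques
catalogued in the evasion encyclopedia (example code, not Check Point's)."""
import os
import time
from dataclasses import dataclass

# Assumed artifact list: the two driver names are real VirtualBox/VMware guest
# tool files, the Linux path is VirtualBox's guest client. Which paths a sample
# probes is its author's choice; these are this example's.
VM_ARTIFACTS = (
    r"C:\Windows\System32\drivers\VBoxMouse.sys",  # VirtualBox guest additions
    r"C:\Windows\System32\drivers\vmmouse.sys",    # VMware Tools
    "/usr/bin/VBoxClient",                         # VirtualBox guest tools on Linux
)
MIN_CPUS = 2                  # assumed threshold: a real workstation has >= 2 cores
MIN_RAM_BYTES = 2 * 1024**3   # assumed threshold: 2 GiB
SLEEP_REQUEST_S = 0.05        # short probe so the example finishes quickly
MIN_SLEEP_RATIO = 0.5         # measured/requested below this means sleep was fast-forwarded


@dataclass(frozen=True)
class Snapshot:
    """What the sample learned about its host, constructed or collected live."""
    cpu_count: int
    ram_bytes: int          # 0 means "could not determine"
    present_paths: frozenset
    sleep_ratio: float      # wall-clock elapsed / requested for a sleep probe


def measure_sleep_ratio(seconds=SLEEP_REQUEST_S):
    """Timing check: sandboxes that patch Sleep to skip delays return too early."""
    t0 = time.perf_counter()
    time.sleep(seconds)
    return (time.perf_counter() - t0) / seconds


def collect_snapshot():
    """Gather the live environment; RAM lookup falls back to 0 where sysconf is absent."""
    ram = 0
    try:
        ram = os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES")
    except (AttributeError, ValueError, OSError):
        pass  # e.g. Windows: a real sample would call GlobalMemoryStatusEx here
    return Snapshot(
        cpu_count=os.cpu_count() or 1,
        ram_bytes=ram,
        present_paths=frozenset(p for p in VM_ARTIFACTS if os.path.exists(p)),
        sleep_ratio=measure_sleep_ratio(),
    )


def run_checks(snap):
    """Return the names of the evasion checks that fired, tagged by category."""
    fired = []
    if snap.cpu_count < MIN_CPUS:
        fired.append("hardware:cpu_count")
    if 0 < snap.ram_bytes < MIN_RAM_BYTES:          # unknown RAM (0) is not counted
        fired.append("hardware:ram")
    if snap.present_paths:
        fired.append("filesystem:vm_artifact")
    if snap.sleep_ratio < MIN_SLEEP_RATIO:
        fired.append("timing:sleep_skipped")
    return fired


def decide(snap):
    """The branch the text describes: abort when analysed, otherwise run."""
    fired = run_checks(snap)
    return ("abort" if fired else "run", fired)


if __name__ == "__main__":
    action, reasons = decide(collect_snapshot())
    print(f"decision={action} fired={reasons}")
```

Each entry in the fired list is also the defender's lead: the encyclopedia's signature recommendations amount to logging exactly these probes (reading a guest-tools driver path, querying core count and RAM, timing a sleep), and its countermeasures amount to making each one return what a real workstation would, for example by not fast-forwarding sleeps and by hiding guest-tool files.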