Nasty Dyre malware bests white hat sandboxes

Seculert CTO Aviv Raff says a nasty piece of malware linked to widespread destruction and bank account plundering has become more dangerous with the ability to evade popular sandboxes. Raff says the Dyre malware ducks popular sandbox tools by detecting the number of cores in use. The known but effective and previously unused …

  1. Anonymous Coward
    Anonymous Coward

    Just remember what Seculert do...

    Although I have nothing particular against Seculert.... if you've seen their presentations and marketing material, they effectively advocate that virtual sandboxing of malware (a la FireEye) is not effective and that their surveillance of your egress network flow is a better way to detect malware. This is just a way to drum up their product.

  2. The Man Who Fell To Earth Silver badge
    Boffin

    More to the point

    Being able to detect that one is operating in a VM is not new to malware.

    Red Pill, developed by Joanna Rutkowska, is an example of a technique to detect that one is inside a VMware or MS VirtualPC virtual machine. More generic tests, such as counting the time taken to execute two instructions, can also be used to tell software it's inside a VM.

    A fair amount of malware checks to see if it is in a VM, and stops if it is. It's a technique to make it more difficult for security researchers to study the malware.

    1. Anonymous Coward
      Anonymous Coward

      Re: More to the point

      So why not run our browser in a virtual machine then?

      1. Anonymous Coward
        Anonymous Coward

        Re: More to the point

        Perhaps better/worse, why not run each tab on one virtual core?

    2. Tom Chiverton 1

      Re: More to the point

      Except, see 'blue pill' :)

      1. The Man Who Fell To Earth Silver badge
        Boffin

        Re: More to the point

        Yes, Rutkowska also developed "Blue Pill", which uses hardware virtualization to move a running OS into a virtual machine (i.e. it could be used by malware to run underneath the OS).

        1. Destroy All Monsters Silver badge

          Re: More to the point

          Could be used by malware to run underneath the OS

          Nothing of particular practical applicability ever came of that, mind.

  3. joed

    fight fire with fire

    From recent articles it appears that using a virtual environment (one core for best results) is the easy way to avoid malware on systems that deal with confidential information (barring common sense, that is).

  4. MarkSitkowski

    Simple solution?

    All this crap is written to run on Intel hardware. Run confidential stuff on a Sun, IBM or HP box - it'll give you a decade or so of security before the parasites learn to write SPARC assembler.

  5. Anonymous Coward
    Anonymous Coward

    Please Check HCL

    I'm sorry, your hardware does not meet the minimum requirements to install this malware, please consult the Hardware Compatibility List and upgrade.

    1. PJF

      Re: Please Check HCL

      TY for the grin!

  6. patrickstar

    Amateurs. The proper thing for malware to do after detecting it's being sandboxed/virtualized/analyzed is, of course, not to exit immediately but rather go on and do completely innocent things. Early exit kinda means you have something to hide, and sticks out like a sore thumb in analysis logs.
