Wednesday, August 13, 2025

Hal9th - Windows Defender: Anti-emulation check?

Recently I found a LinkedIn post mentioning 'Hal9th' as the computer name and 'John Doe' as the username in the Windows Defender anti-malware sandbox. When malware runs inside the Windows Defender sandbox or emulator, the environment is made to look as if there is a real user and a real machine. In a normal environment the malware would exhibit its behaviour. As an anti-analysis or sandbox-aware technique, the malware can test for this condition, "if computer name == Hal9th or user name == John Doe", and exit the process, so that no behaviour is captured.

Reference: https://www.linkedin.com/posts/sheik-mohamed-4b49b231_if-a-malware-checks-for-the-machine-name-activity-7353790068542631949-9HZ8
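The check above, as an added Python example (this is not code from the LinkedIn post or from this article). It shows both sides: the anti-emulation test itself, reading COMPUTERNAME and USERNAME the way a Windows sample would and exiting quietly on a match, and the analyst-side counterpart, a small scan that locates hard-coded copies of those identifiers in a sample as ASCII or UTF-16LE strings. The spelling 'JohnDoe' without a space and the SAMPLE bytes are assumptions made for the example, not taken from the post.

```python
import getpass
import os
import platform
import sys
from typing import List, Tuple

# Identifiers the post attributes to the Windows Defender emulator.
# Names are compared after lowercasing and stripping whitespace, because
# Windows treats computer and user names case-insensitively. "JohnDoe"
# (no space) is an assumed variant of the post's "John Doe".
EMULATOR_MARKERS = ("HAL9TH", "John Doe", "JohnDoe")
_EMULATOR_COMPUTERS = {"hal9th"}
_EMULATOR_USERS = {"johndoe"}


def _normalise(name: str) -> str:
    """Lowercase and drop all whitespace so 'John Doe' and 'JohnDoe' compare equal."""
    return "".join(name.split()).lower()


def looks_like_defender_emulator(computer_name: str, user_name: str) -> bool:
    """The check described in the post: true if either name matches the emulator's."""
    return (_normalise(computer_name) in _EMULATOR_COMPUTERS
            or _normalise(user_name) in _EMULATOR_USERS)


def current_host_identity() -> Tuple[str, str]:
    """Read the names the way a Windows sample would (COMPUTERNAME / USERNAME),
    falling back to portable lookups so the script also runs off Windows."""
    computer = os.environ.get("COMPUTERNAME") or platform.node()
    try:
        user = os.environ.get("USERNAME") or getpass.getuser()
    except Exception:          # getpass can fail in minimal containers
        user = ""
    return computer, user


def find_emulator_strings(blob: bytes) -> List[Tuple[int, str, str]]:
    """Analyst-side counterpart: locate hard-coded copies of the identifiers
    in a sample, case-insensitively, as ASCII and as UTF-16LE (the encoding a
    comparison against GetComputerNameW / GetUserNameW output would use).
    Returns (offset, marker, encoding) tuples sorted by offset."""
    # bytes.lower() only changes ASCII letters, so the NUL bytes of UTF-16LE
    # text are untouched and one lowered haystack serves both encodings.
    haystack = blob.lower()
    hits = []
    for marker in EMULATOR_MARKERS:
        for encoding in ("ascii", "utf-16-le"):
            needle = marker.encode(encoding).lower()
            pos = haystack.find(needle)
            while pos != -1:
                hits.append((pos, marker, encoding))
                pos = haystack.find(needle, pos + 1)
    return sorted(hits)


# Constructed stand-in for a sample that embeds the emulator identifiers next
# to the API names it compares against; not bytes from any real file.
SAMPLE = (
    b"MZ" + b"\x00" * 14
    + b"GetComputerNameW\x00" + "HAL9TH".encode("utf-16-le") + b"\x00\x00"
    + b"GetUserNameA\x00" + b"John Doe\x00"
    + b"\x00" * 8
)


if __name__ == "__main__":
    # Malware-side behaviour from the post: bail out silently in the emulator.
    computer, user = current_host_identity()
    if looks_like_defender_emulator(computer, user):
        sys.exit(0)           # no further behaviour for the sandbox to record
    print(f"host {computer!r} / user {user!r} does not look like the emulator")

    # Analyst-side: the same hard-coded strings give the check away.
    for offset, marker, encoding in find_emulator_strings(SAMPLE):
        print(f"0x{offset:04x}: {marker!r} as {encoding}")
```

The scan is the practical takeaway for the defender: a check that is hard-coded against one computer name and one user name is itself a signature, so the literal strings, in either encoding, are worth hunting for when triaging a sample that stays silent in the emulator.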


And I really liked the reference to '2001: A Space Odyssey', which is a brilliant movie; if we rank movies on science or space exploration, this one will be ahead of Interstellar.

Typically, malware authors know the AV environment as well as a malware researcher does, so they are able to play the game as far as they can.


Post by newWorld
