Tinba Banking Trojan Checks for Sandbox Before Launching


Karamjit

Simple evasion tactics fool malware analysis systems

Researchers from F-Secure analyzed a new sample of Tinba banking malware that verifies if it is executed in an isolated environment before running its malicious routines.

Malware authors resort to different anti-analysis tactics to make sure that the threat is launched on a real machine and not in a sandbox, which is typically used by security products for automated verification of samples.

Malware monitors window position and mouse cursor movements

The Tinba (short for Tiny Banker) variant discovered by F-Secure features an evasion technique that relies on checking for mouse movement and the active window the user works on.

To achieve its goals, Tinba relies on two Windows APIs: one for reading the current mouse position (GetCursorPos) and the other for retrieving the foreground application window (GetForegroundWindow).

Since automated sandbox systems typically run the sample in a single window that never changes, the malware calls GetForegroundWindow twice and compares the results. If the returned handles are identical, there is a chance that it is running in an environment designed for malware analysis, and it does not execute its main infection routine.

The calls are made several seconds apart, in order to mimic a real user and thus avoid raising suspicions.

According to the researchers, Tinba starts its activity the moment it detects that the foreground window is changed and mouse cursor movement is identified.
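The check described above leaves a characteristic footprint in a sandbox's API-call trace: the same user-activity probes repeated a few seconds apart, returning the same values, followed by a clean exit with no real behaviour in between. The following is an added example (not F-Secure's code and not from the original post) of detection logic that a sandbox operator could run over such a trace to flag a sample as sandbox-aware and schedule a re-run with simulated mouse movement and window switching. The two traces and the line format `<seconds> <Api>(<args>) [-> <return>]` are constructed for the example; the API names are the ones the article mentions.

```python
import re
from dataclasses import dataclass

# Constructed API-call traces (not from any real sandbox). The line format is an
# assumption for this example: "<seconds> <Api>(<args>) [-> <return>]".
TRACE_SANDBOX = """\
0.000 GetForegroundWindow() -> 0x000a0b2c
0.001 GetCursorPos() -> (512, 384)
0.002 Sleep(5000)
5.003 GetForegroundWindow() -> 0x000a0b2c
5.004 GetCursorPos() -> (512, 384)
5.005 ExitProcess(0)
"""

# Same probes, but the foreground window and cursor changed and the sample went on
# to do something (a hypothetical file write) instead of exiting.
TRACE_REAL_USER = """\
0.000 GetForegroundWindow() -> 0x000a0b2c
0.001 GetCursorPos() -> (512, 384)
0.002 Sleep(5000)
5.003 GetForegroundWindow() -> 0x00031a44
5.004 GetCursorPos() -> (731, 120)
5.010 CreateFileW(C:\\Users\\user\\AppData\\Roaming\\bin.exe) -> 0x1c8
"""

LINE_RE = re.compile(
    r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<api>\w+)\((?P<args>[^)]*)\)"
    r"(?:\s*->\s*(?P<ret>\S.*))?$"
)


@dataclass
class Call:
    t: float
    api: str
    args: str
    ret: str


def parse_trace(text):
    """Parse trace lines into Call records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append(Call(float(m["t"]), m["api"], m["args"], m["ret"] or ""))
    return calls


# The user-activity probes named in the article.
ACTIVITY_PROBES = {"GetForegroundWindow", "GetCursorPos"}
# Calls that do nothing by themselves; a trace made only of these and the probes
# means the sample never reached its real behaviour.
IDLE_APIS = ACTIVITY_PROBES | {"Sleep", "ExitProcess", "GetTickCount"}


def detect_activity_polling(calls, min_gap=2.0):
    """Return probes repeated over >= min_gap seconds whose result never changed."""
    findings = {}
    for api in sorted(ACTIVITY_PROBES):
        probes = [c for c in calls if c.api == api]
        if len(probes) < 2:
            continue
        span = probes[-1].t - probes[0].t
        if span >= min_gap and len({c.ret for c in probes}) == 1:
            findings[api] = {"calls": len(probes), "span_s": round(span, 3), "result": probes[0].ret}
    return findings


def exited_without_payload(calls):
    """True if the trace ends in ExitProcess and contains only idle/probe calls."""
    return bool(calls) and calls[-1].api == "ExitProcess" and all(c.api in IDLE_APIS for c in calls)


def assess(text):
    """Combine both signals into a verdict the sandbox scheduler can act on."""
    calls = parse_trace(text)
    polling = detect_activity_polling(calls)
    bailed = exited_without_payload(calls)
    if polling and bailed:
        verdict = "likely sandbox-aware: re-run with simulated user activity"
    else:
        verdict = "no evasion pattern"
    return {"polling": polling, "exited_without_payload": bailed, "verdict": verdict}


if __name__ == "__main__":
    for name, trace in (("sandbox", TRACE_SANDBOX), ("real user", TRACE_REAL_USER)):
        print(name, assess(trace))
```

The two signals are kept separate on purpose: repeated probing alone is common in benign software (screen savers, accessibility tools), while exiting with nothing but probes and sleeps in the trace is what turns it into an evasion indicator. A sandbox that moves the cursor and rotates the foreground window during the run removes the trigger entirely, which is the mitigation the article points to.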

Tinba checks the hard disk capacity

Apart from this technique, the malware also tries to determine if the system is a virtual machine by querying the number of cylinders available for the storage device.

“Basically, this is similar to checking for the disk capacity. Perhaps due to the ease of implementation, it only checks for the number of cylinders on the disk using the ioctl code IOCTL_DISK_GET_DRIVE_GEOMETRY_EX instead of finding out the physical size of the disk,” F-Secure says in a blog post published today.

A similar tactic is employed by the latest versions of Dyre, also a banking Trojan, which checks for the number of CPU cores available on the computer it runs on. Modern machines rely on multi-core technology, and a system with a single core is either old or a virtual machine.
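The disk-geometry and CPU-core checks both work because analysis VMs are often provisioned with a tiny disk and a single core. A practical countermeasure is for the sandbox operator to audit the guest from the inside with the same data the malware sees. The following is an added example (not part of the article or F-Secure's post) that parses the DISK_GEOMETRY_EX structure returned by IOCTL_DISK_GET_DRIVE_GEOMETRY_EX, derives the capacity implied by the cylinder count, and warns when the guest would look like a minimal VM. The buffers are constructed in code for the example; on a real Windows host the bytes would come from DeviceIoControl with that ioctl. The 60 GiB and two-core thresholds are assumptions chosen for the example, not values from the article.

```python
import os
import struct

# Layout of DISK_GEOMETRY_EX from the Windows SDK, little-endian:
#   DISK_GEOMETRY { Cylinders int64, MediaType u32, TracksPerCylinder u32,
#                   SectorsPerTrack u32, BytesPerSector u32 }
#   DiskSize int64
# (followed by variable partition/detection data, which this example ignores).
GEOMETRY_EX_FMT = "<qIIIIq"
GEOMETRY_EX_SIZE = struct.calcsize(GEOMETRY_EX_FMT)  # 32 bytes
FIXED_MEDIA = 12  # MEDIA_TYPE FixedMedia

GIB = 1024 ** 3


def build_geometry_ex(cylinders, tracks=255, sectors=63, bytes_per_sector=512,
                      media_type=FIXED_MEDIA, disk_size=None):
    """Construct a DISK_GEOMETRY_EX buffer for testing (example data only;
    a real buffer comes from DeviceIoControl(IOCTL_DISK_GET_DRIVE_GEOMETRY_EX))."""
    if disk_size is None:
        disk_size = cylinders * tracks * sectors * bytes_per_sector
    return struct.pack(GEOMETRY_EX_FMT, cylinders, media_type, tracks,
                       sectors, bytes_per_sector, disk_size)


def parse_geometry_ex(buf):
    """Decode the fixed header of DISK_GEOMETRY_EX into a dict."""
    if len(buf) < GEOMETRY_EX_SIZE:
        raise ValueError("buffer too short for DISK_GEOMETRY_EX")
    cyl, media, tracks, sectors, bps, disk_size = struct.unpack_from(GEOMETRY_EX_FMT, buf)
    return {
        "cylinders": cyl,
        "media_type": media,
        "tracks_per_cylinder": tracks,
        "sectors_per_track": sectors,
        "bytes_per_sector": bps,
        # Capacity implied by CHS geometry: what a cylinder-count check really measures.
        "geometry_bytes": cyl * tracks * sectors * bps,
        "disk_size": disk_size,
    }


def sandbox_fingerprint_warnings(geom, cpu_count, min_disk_bytes=60 * GIB, min_cores=2):
    """Return the properties of this guest that a VM-aware sample could key on.
    Thresholds are assumptions for the example, not values from the article."""
    warnings = []
    if geom["geometry_bytes"] < min_disk_bytes:
        warnings.append(
            f"disk geometry implies only {geom['geometry_bytes'] / GIB:.1f} GiB "
            f"({geom['cylinders']} cylinders); provision a larger virtual disk"
        )
    if cpu_count < min_cores:
        warnings.append(f"only {cpu_count} CPU core(s) visible; give the guest at least {min_cores}")
    return warnings


def audit_guest(geometry_buf, cpu_count):
    """Full check: parse the ioctl output and report what would give the guest away."""
    return sandbox_fingerprint_warnings(parse_geometry_ex(geometry_buf), cpu_count)


if __name__ == "__main__":
    # Constructed: a 10 GB single-core guest versus a 500 GB four-core one.
    small_vm = build_geometry_ex(cylinders=1305)
    roomy_vm = build_geometry_ex(cylinders=60788)
    print("small guest:", audit_guest(small_vm, cpu_count=1))
    print("roomy guest:", audit_guest(roomy_vm, cpu_count=4))
    # On the real analysis host, pair the ioctl buffer with the live core count:
    print("this host has", os.cpu_count(), "visible cores")
```

Note that `geometry_bytes` and `disk_size` can legitimately differ on real hardware, since CHS geometry is a legacy approximation; the malware's shortcut uses only the cylinder count, so that is the value worth sanity-checking when sizing an analysis VM.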

Despite their simplicity, these techniques are effective ways for malware to fly under the radar and are proof of cybercriminal ingenuity. Malware analysis technologies therefore need to keep up with these trends and integrate features that thwart such evasion efforts.

From: http://news.softpedia.com/news/Tinba-Banking-Trojan-Checks-For-Sandbox-Before-Launching-480314.shtml
