logoalt Hacker News

tharkun__today at 12:42 AM2 repliesview on HN

And if every malware developer worth their salt now introduces code to "wait out" that period of time, we're back to square one.

This assumes that they employ clandestine enough techniques that you have to actually install, wait and observe the behavior for longer than the cooldown period in order to detect this, because the code is "obfuscated" enough to evade static analysis of the code. It's anti-virus / anti-anti-virus 101 all over so to speak.

The good thing I suppose is that it raises the bar. Your regular "virus generator" script kid (sorry: supply chain attack generator script kid) can no longer pull this off.


Replies

tedivmtoday at 12:53 AM

Most automated analysis isn't dependent on just behavior, but rather suspicious things in the code itself. You have a popular open source package with files that exist on pypi but not github then that's a big flag, or if a similar package suddenly has some base64encoded garbage that runs through an obfuscated exec call. In other words the simple fact that the project has obfuscated code is enough to flag for further attention.

That said if the only issue is time, researchers will just run their automated analysis through machines with dates in the future alongside their normal tests.

show 1 reply
woodruffwtoday at 12:49 AM

Fundamentally, this is a cat-and-mouse game. But I suspect that "time bomb" techniques aren't economically viable for attackers, at least not with current patterns: current attackers demonstrate "smash and grab" tendencies because they know their access is limited anyways. Attempting to wait out a cooldown exposes them to additional detection risk.

Of course, maybe the attacker profile changes over time. But that's the nature of the game.