Hello, welcome to the Monday, December 12, 2016 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and I am recording from Washington, D.C.

If you're interested in Malware Analysis, you probably realize that there is an ongoing game of

countermeasures and counter-ounter measures between Malver analysis

and Malver authors.

DDA has a nice example of one of those tricks.

Now Malware, when you analyze it, one of the simple ways to analyze Malware is just to run

it for a while.

Melva authors, of course, realize that, and they will just delay any actions for a while

in order to escape detections.

Because the analyst, for example, would like to figure out what are additional components

the Malware downloads.

Well, if the malware waits long enough, then the

malware analyst may miss those additional downloads. Then, of course, the analysts started to

accelerate the system clock on the system they're using to analyze the malware. Well, the next

step, and that's something DDA is talking about,

and he has seen that now even in some of these visual basic script samples that he was analyzing.

The malware will just look for an external time reference, like an NDP server,

try to connect to it, and then try to figure out how much time expired in real life compared to the

system time that way it will be able to first of all detect a large skew in system time but it will

also then just detect what the real time elapsed is and based on that again delay execution of course you can

still statically analyze the malver but that tends to be more labor intensive and time consuming

...