Malware Behavior & Functionality
Launcher
A launcher (also known as a loader) is any executable that installs malware for immediate or future covert execution. Launchers often contain the malware that they are designed to load.
DLL Injection
DLL injection works by injecting code into a remote process that calls LoadLibrary, thereby forcing a DLL to be loaded in the context of that process.
APC Injection
Invokes a function on an existing thread. APC's can direct a thread to execute some other code prior to executing its regular execution path.
Local Hooks
Local hooks are used to observe or manipulate messages destined for an internal process.
SetWindowsHook Parameter: lpfn
Points to the hook procedure.
Remote Hooks
Remote hooks are used to observe or manipulate messages destined for a remote process (another process on the system).
What is the first step in malware analysis?
Review any data you may already have about the malware. Do not immediately jump to dynamic analysis.
SetWindowsHook
The principal function call used to perform remote Windows hooking
Keylogging Hooks
WH_KEYBOARD WH_KEYBOARD_LL
Backdoor
A backdoor is a type of malware that provides an attacker with remote access to a victim's machine. Backdoors are the most commonly found type of malware, and they come in all shapes and sizes with a wide variety of capabilities.
Botnet
A botnet is a collection of compromised hosts, known as zombies, that are controlled by a single entity, usually through the use of a server known as a botnet controller. The goal of a botnet is to compromise as many hosts as possible in order to create a large network of zombies that the botnet uses to spread additional malware or spam, or perform a distributed denial-of-service (DDoS) attack.
RAT
A remote administration tool (RAT) is used to remotely manage a computer or computers. RATs are often used in targeted attacks with specific goals, such as stealing information or moving laterally across a network.
Reverse Shell
A reverse shell is a connection that originates from an infected machine and provides attackers shell access to that machine.
AbuseIPDB
An IP lookup tool and database for reporting malicious IP addresses. It is a free online tool.
Snort
An Intrusion Detection System (IDS), that utilizes rules. Rules link together a series of elements that must be true before the rule fires. For example, the specific value of TCP or IP header, the size of the packet payload, certain flags, etc.
Base64 Encoding
An encoding scheme which represents any binary data using only printable ASCII characters, commonly found in malware.
XOR Cipher
An encryption algorithm based on the binary operation eXclusive OR that compares two bits.
Concept: Cloaking Malware
Attackers use existing legitimate resources to cloak malware. For example, a legitimate web server that was compromised and now hosts malware.
Trojanized Binaries
Commonly targets DLL's, the infected DLL will jump to a different location, while a clean DLL would not.
Data Encoding
Data encoding refers to all forms of content modification or the purpose of hiding intent. Malware uses encoding techniques to mask its malicious activities.
Direct Injection
Direct Injection involves allocating and inserting code into the memory space of a remote process. Direct Injection malware injects the malicious code directly into the remote process.
Downloader
Downloaders simply download another piece of malware from the Internet and execute it on the local system. Downloaders are often packaged with an exploit. Downloaders commonly use the Windows API URLDownloadtoFileA, followed by a call to WinExec to download and execute new malware.
Hash Dumping
Dumping Windows hashes is a popular way for malware to access system credentials. Attackers try to grab these hashes in order to crack them offline or to use them in a pass-the-hash attack. A pass-the-hash attack uses LM and NTLM hashes to authenticate to a remote host (using NTLM authentication) without needing to decrypt or crack the hashes to obtain the plaintext password to log in.
SetWindowsHook Parameter: hMod
For high-level hooks, identifies the handle to the DLL containing the hook procedure defined by lpfn. For low-level hooks, this identifies the local module in which the lpfn procedure is defined.
What internet protocols does malware commonly utilize?
HTTP, HTTPS, and DNS. It is used to blend in and evade detection.
Hook Injection
Hook injection describes a way to load malware that takes advantage of Windows hooks, which are used to intercept messages destined for applications. Malware authors can use hook injection to accomplish two things: 1. To be sure that malicious code will run whenever a particular message is intercepted 2. To be sure that a particular DLL will be loaded in a victim process's memory space
IAT Hooking
IAT hooking is a classic user-space rootkit method that hides files, processes, or network connections on the local system. This hooking method modifies the import address table (IAT) or the export address table (EAT).
Inline Hooking
Inline hooking overwrites the API function code contained in the imported DLLs, so it must wait until the DLL is loaded to begin executing. IAT hooking simply modifies the pointers, but inline hooking changes the actual function code.
Kernel-Based Keylogging
Kernel-based keyloggers are difficult to detect with user-mode applications. They are frequently part of a rootkit and they can act as keyboard drivers to capture keystrokes, bypassing user-space programs and protections.
Keylogging
Keylogging is a classic form of credential stealing. When keylogging, malware records keystrokes so that an attacker can observe typed data like usernames and passwords.
OpenSSL Encryption Strings
OpenSSL 1.0.0a SSLv3 part of OpenSSL 1.0.0a TLSv1 part of OpenSSL 1.0.0a SSLv2 part of OpenSSL 1.0.0a You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html %s(%d): OpenSSL internal error, assertion failed: %s AES for x86, CRYPTOGAMS by <[email protected]>
OPSEC
Operations Security. You should be cautious when analyzing malware from home, if for example, the malware was sent in a spear-phishing email to your company. Running the malware may tip off the malware author that the malware is being investigated.
Process Replacement
Process replacement is used when a malware author wants to disguise malware as a legitimate process, without the risk of crashing a process through the use of process injection. Imitates a legitimate process, often running from an incorrect folder.
Credential Stealers
Programs that wait for a user to log in in order to steal their credentials Programs that dump information stored in Windows, such as password hashes, to be used directly or cracked offline Programs that log keystrokes
Snort rules are composed of what two parts?
Rule Header Rule Options
SetWindowsHook Parameter: dwThreadId
Specifies the identifier of the thread with which the hook procedure is to be associated. If this parameter is zero, the hook procedure is associated with all existing threads running in the same desktop as the calling thread. This must be set to zero for low-level hooks.
SetWindowsHook Parameter: idHook
Specifies the type of hook procedure to install.
Self-Decoding
The most economical way to decrypt data—whether or not the algorithm is known—is to let the program itself perform the decryption in the course of its normal activities. We call this process self-decoding.
Process Injection
This technique injects code into another running process, and that process unwittingly executes the malicious code. Malware authors use process injection in an attempt to conceal the malicious behavior of their code, and sometimes they use this to try to bypass host-based firewalls and other process-specific security mechanisms.
When researching malware, what tactics can you use to remain anonymous?
Tor, VPN's, or VM's. Using a VPN within a VM is a great option.
Privilege Escalation
Using techniques to escalate the privilege level, so that malware can run as Admin or System. Common inidcator strings include AdjustTokenPrivileges and SeDebugPrivilege
User-Space Keyloggers
Windows user-space keyloggers typically use the Windows API and are usually implemented with either hooking or polling. Hooking uses the Windows API to notify the malware each time a key is pressed, typically with the SetWindowsHookEx function. Polling uses the Windows API to constantly poll the state of the keys, typically using the GetAsyncKeyState and GetForegroundWindow functions.