How Does Malicious Software Conceal Itself?

8/17/2019 How Does Malicious Software Conceal Itself?

1. Infiltration: Malware code is disguised or obfuscated in order to prevent detection by anti-virus or anti-malware software operating on the target system.

Basic encryption: Basic and easily cracked: XOR encoding, Base64 encoding, ROT-13 cipher encryption.

Oligomorphism: Malware code is encrypted in one of a few pre-determined methods.

Polymorphism: Malware code is encrypted in a different method for each victim, which affects the size and/or shape of the code.

Metamorphism: Malware code is different every time it is propagated to a new victim; the techniques used in polymorphism are applied to the code itself.

Debugger detection: Malware is able to detect when it is being run within a debugger, and hides functionality.

Binary packing: A packer, or compression engine, is used to compress code and prevent static analysis.

2. Operation: The running or operation of malware is disguised in order to prevent detection and removal by anti-virus or anti-malware software.

User mode root kit: Replaces binary files from legitimate applications with malicious files; they can also hijack programs and perform malicious acts on their behalf.

Kernel root kit: The kernel is the core of the operating system, and programs run on top of it. Therefore, the anti-malware software (also running on the kernel) is unable to detect the root kit. This causes instability on the target machine.

Virtual machine root kit: Virtual root kits place themselves on top of the boot loader, and then boot the target operating system within themselves, in a manner similar to a virtual machine. They therefore control all data flowing from the OS.

Boot kit: This allows an attacker to infect start-up code such as the Master Boot Record (MBR), Volume Boot Record (VBR) or boot sector, and in this way can be used to attack systems with full disk encryption.

Firmware root kit: These are embedded within the firmware of devices such as network devices, and the root kit is therefore available for as long as the device is. Attempts to delete the software result in reinstallation on the next reboot.

3. Exfiltration: The communication between malware and command & control servers is disguised to allow free movement of data, for example financial information, PII, or intellectual property.

Email: Use of Outlook mail forwarding options, or sending of mail over SMTP.

HTTP(S)/FTP: Use of standard file transfer ports for traffic transfer, or of HTTP POST.

SSH tunnel: Encrypted SSH services such as SFTP and SCP (Secure Copy).

IRC messaging: Use of the IRC Direct Client Connect (DCC) SEND sub-protocol.

Bluetooth/Wi-Fi: Attacker can exfiltrate data to nearby devices/APs under their control.

Cloud services: Use of a cloud storage service to upload and store data anonymously.

DNS tunnelling: Use of UDP DNS requests for subdomains with the data carried in the subdomain.
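As an added example (not part of the original infographic), here is a defender-side detector for the DNS tunnelling entry above: it parses constructed DNS query log lines and flags a client that sends a stream of long, high-entropy subdomain labels to a single zone, which is what "data in the subdomain" looks like in resolver logs. The log format, the reserved .invalid zone, and the length, entropy and query-count thresholds are all assumptions to tune per environment.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from the original page). Fields are
# "<timestamp> <client-ip> <query-name> <qtype>". The reserved .invalid zone stands
# in for an attacker-controlled domain; the long leading labels are encoded payload chunks.
SAMPLE_DNS_LOG = """\
2019-08-17T10:00:01 10.0.0.5 www.example.com A
2019-08-17T10:00:02 10.0.0.5 mail.example.com MX
2019-08-17T10:00:03 10.0.0.7 mfrggzdfmztwq2lknnwg23tpobyxe43u.tunnel-zone.invalid A
2019-08-17T10:00:04 10.0.0.7 nbswy3dpfqqho33smrwgc3tfmvxwc4dq.tunnel-zone.invalid A
2019-08-17T10:00:05 10.0.0.7 onswg4tfmf2gc3lfonqwgzlumvzsa3df.tunnel-zone.invalid A
2019-08-17T10:00:06 10.0.0.9 download-mirror-east-1.example.org A
"""

PAYLOAD_ALPHABET = re.compile(r"^[a-z0-9]+$")  # base32/hex-style labels, no hyphens

def shannon_entropy(s):
    """Bits per character; encoded payload scores high, dictionary words score lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def is_payload_like(label, min_len=20, min_entropy=3.5):
    """Heuristic for one label; the thresholds are assumptions, not measured values."""
    label = label.lower()
    return (len(label) >= min_len and bool(PAYLOAD_ALPHABET.match(label))
            and shannon_entropy(label) >= min_entropy)

def find_dns_tunnel_candidates(log_text, min_queries=3):
    """Map (client, zone) -> number of distinct payload-like subdomains, keeping pairs
    at or above min_queries. One odd name is noise; many to one zone from one host is
    the tunnel signature. Zone = last two labels here (use a public suffix list in prod)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines
        client, labels = parts[1], parts[2].rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain available to carry data
        if is_payload_like(labels[0]):
            seen[(client, ".".join(labels[-2:]))].add(labels[0])
    return {key: len(subs) for key, subs in seen.items() if len(subs) >= min_queries}

if __name__ == "__main__":
    for (client, zone), count in find_dns_tunnel_candidates(SAMPLE_DNS_LOG).items():
        print(f"possible DNS tunnel: {client} -> {zone} ({count} payload-like queries)")
```

The per-label entropy test alone is noisy (long legitimate hostnames can score high), so the aggregation per client and zone is what keeps false positives down.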