Back in the days of Windows 95, 98, and (ugh) ME, I vividly remember getting malware on my machine a handful of times. Each infection usually meant the computer slowing to a crawl, strange popups and error messages about files (usually DLLs), and all-around obvious, suspicious behavior. Mind you, I was apparently “technically inclined with computers” as a child, but come on, these were symptoms that anyone who had spent a few days on a computer could notice as a change in behavior.
Yes, there is malware out there designed simply to destroy or “brick” computers, show ads, and display ransom messages, but there are also backdoors, rootkits, trojans, keyloggers, and other malware that prefers to remain silent and undetected so that it can capture passwords, credit card numbers, and personal information, steal photos, videos, and documents, give an attacker control of the computer or a view of your screen and even your face via a webcam, etc… The noisiness described above made it somewhat difficult for attackers of the previous decade to accomplish this for any length of time.
However, with current computing power and sophisticated malware, it is entirely possible for malware to run indefinitely in the background without ever being detected, or at least to go significantly longer before it is detected. Part of this is because modern computers are faster and have more memory, allowing them to run more programs simultaneously without any perceivable performance hit. It is important to note, though, that most “casual” malware can be detected with products such as Malwarebytes, Avast!, Symantec, and McAfee. If a custom-made, highly specialized targeted attack is involved, this may not be the case.
In my quest to learn as much about malware as possible, I’ve been working through the labs in Practical Malware Analysis by Stephen Sikorski while simultaneously reading Practical Reverse Engineering by Bruce Dang, as well as blogs such as Malwarebytes, Cylance, BleepingComputer (gr33tz Catalin!), hasherezade, and a scary lot more than I have space for here. In this post, I will outline several methods I’ve encountered by which malware tries to hide itself from both the user and malware analysts:
- Hooking – Malicious code is stored in a library and a legitimate program is modified such that it calls the malicious code library in place of a legitimate one
- Component Object Model (COM) calls – These can mask any easily recognizable strings related to function calls in the binary
- Installing themselves as services – Allows for slightly more difficult detection and benefit of autorun on startup
- Entry point redirection – Modifying a file’s entry point address so that it first executes some malicious code before (possibly) passing control to its original, legitimate entry address
- Utilizing cryptography to hide telltale signs of the malware or one of its behaviors – for example, encrypting email addresses and web addresses so that they do not appear as strings in the disassembly
- Ensuring automatic startup on bootup – This puts the malware into a position of advantage and allows it to continue its undetected behaviors
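As an added illustration of the entry point redirection item (this is example code written for this page, not something from the books or blogs mentioned above), the following Python script parses the PE headers of a file, finds the section that contains AddressOfEntryPoint, and reports the conditions an analyst usually treats as red flags: the entry point lies outside every section, the containing section is not executable, it is writable, or it is the last section of the image (appended-code infections commonly add a trailing section and point the entry point at it). The PE images it inspects are constructed in the script itself with a minimal header builder, so it runs offline; the section names, sizes and RVAs are invented for the demonstration, and the "last section" rule is a heuristic that some packers and legitimate binaries also trip.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_rva, [(name, virtual_address, size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts here
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint (same offset for PE32 and PE32+)
    sections = []
    hdr = opt + opt_size                     # first IMAGE_SECTION_HEADER (40 bytes each)
    for i in range(nsections):
        name, vsize, va, rawsize, _rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, hdr + 40 * i)
        # A section occupies max(VirtualSize, SizeOfRawData) bytes once mapped.
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rawsize), chars))
    return entry_rva, sections


def entry_point_findings(data):
    """Return a list of human-readable findings; an empty list means nothing looked odd."""
    entry_rva, sections = parse_pe(data)
    home = None
    for idx, (_name, va, size, _chars) in enumerate(sections):
        if va <= entry_rva < va + size:
            home = idx
            break
    if home is None:
        return ["entry point 0x%x lies outside every section" % entry_rva]
    name, _va, _size, chars = sections[home]
    findings = []
    if not chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry point 0x%x is in non-executable section %s" % (entry_rva, name))
    if chars & IMAGE_SCN_MEM_WRITE:
        findings.append("entry point 0x%x is in writable section %s (self-modifying code?)" % (entry_rva, name))
    if home == len(sections) - 1 and len(sections) > 1:
        findings.append("entry point 0x%x is in the last section %s (appended code?)" % (entry_rva, name))
    return findings


def build_pe(entry_rva, sections):
    """Build a headers-only PE32 image (constructed test data, not a real executable)."""
    opt = bytearray(224)                                 # size of a PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)           # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), size, va, size, 0, 0, 0, 0, 0, chars)
        for name, va, size, chars in sections)
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


# Constructed samples: a conventional layout, and one whose entry point was moved
# into a writable, executable section appended at the end of the image.
CLEAN = build_pe(0x1200, [
    (".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x3000, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
REDIRECTED = build_pe(0x4010, [
    (".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x3000, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".xyz", 0x4000, 0x1000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("redirected", REDIRECTED)):
        print(label, entry_point_findings(image) or ["no findings"])
```

To run this against a real file, replace the constructed images with `open(path, "rb").read()`; the parser reads only the headers, so it works on PE32+ binaries as well because AddressOfEntryPoint sits at the same offset in both optional header formats.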
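The cryptography item above is easiest to see with a worked example, so here is one written for this page (it is not code from the original post or from any of the cited sources). The script builds a small constructed byte blob in which a command-and-control URL and an email address have been XOR-encoded with a single byte, shows that a `strings`-style scan of the raw bytes turns up only junk, and then does what an analyst does in practice: tries all 255 single-byte keys and keeps any decoded run that contains a keyword such as `http` or `@`. The URL, email address and key are invented for the demonstration (the `.invalid` domain is reserved and never resolves).

```python
import re

# A strings(1)-like scan: runs of printable ASCII of at least min_len bytes.
def ascii_strings(data, min_len=5):
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (its own inverse)."""
    return bytes(b ^ key for b in data)


def recover_xor_strings(data, min_len=8, keywords=("http", "@")):
    """Brute-force every single-byte XOR key and keep decoded runs that mention a keyword.

    Returns a list of (key, decoded_string) pairs. The keyword filter is what keeps
    the output readable: without it, most keys turn random bytes into printable junk.
    """
    hits = []
    for key in range(1, 256):
        decoded = xor_bytes(data, key)
        for s in ascii_strings(decoded, min_len):
            if any(k in s for k in keywords):
                hits.append((key, s))
    return hits


# Constructed sample "binary": a plaintext banner and an import name surround two
# values the author of the code wanted to keep out of the strings output.
KEY = 0x5A
C2_URL = b"http://c2.example.invalid/gate.php"
MAILBOX = b"ops@example.invalid"
PAD = b"\xff" * 4   # 0xFF is non-printable raw and after XOR with KEY, so it separates runs
BLOB = (b"Hello from the loader" + PAD
        + xor_bytes(C2_URL, KEY) + PAD
        + xor_bytes(MAILBOX, KEY) + PAD
        + b"GetProcAddress\0")


def raw_strings_leak_secrets():
    """True if the plain strings scan already reveals the URL or mailbox (it should not)."""
    return any("http" in s or "@" in s for s in ascii_strings(BLOB))


def recovered_secrets():
    """Decoded strings found with the correct key."""
    return sorted(s for key, s in recover_xor_strings(BLOB) if key == KEY)


if __name__ == "__main__":
    print("strings on raw blob:", ascii_strings(BLOB))
    for key, s in recover_xor_strings(BLOB):
        print("key 0x%02x -> %s" % (key, s))
```

The same loop generalizes to multi-byte keys (iterate over key length and position) and to other cheap transforms such as ROT or ADD; the keyword filter is what makes the brute force practical, since a single-byte XOR of arbitrary data produces printable output for many wrong keys.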
I will be writing one blog post on each of these methods, because if I were to demo every one of them with screenshots, this article would be far too long. As I finish each post, I will link it from the list above so that this post can serve as a “table of contents” of sorts. Note that I may also modify the list if I want to introduce other methods as I discover (or remember) them.