
Top Places for Malware to hide 2017

With most commercial anti-virus vendors using signature-based malware classification, detection becomes a game of writing code that is obfuscated just enough to change the signature and go undetected. Shijo and Salim (2015, p. xx) say, “In static analysis features are extracted from the binary code of programs and are used to create models describing them.” This is the most commonly used method of detection, and obfuscation is the simple workaround: signatures need to be frequently updated to catch the common malware, while malware authors can simply change the obfuscation of the code, so one never catches up with the other. Shijo and Salim (2015, p. xx) continue, “The static analysis fails at different code obfuscation techniques used by the virus coders and also at polymorphic and metamorphic malware’s.” Dynamic analysis, which monitors the behavior of a program while it executes, has its own weakness: the malware has to be run in a secure environment for a specific amount of time, and the time that takes for each sample is a limitation.

The first way that malware tries to hide itself is in the Windows registry. AlienVault (2016) says, “the Windows registry is quite large and complex, which means there many places where malware can insert itself to achieve persistence.” A simple example is Poweliks, which sets a null entry using one of the built-in Windows APIs, ZwSetValueKey, allowing it to create a registry key with an encoded data blob (AlienVault, 2016). From there it can hide, autostart, and maintain persistence on many systems.
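The two traits described above, a value name that ordinary tools cannot display and an encoded blob where a program path should be, are exactly what a defender can audit for in autostart keys. The following is an added example written for this post, not code from the original or from AlienVault: it runs two heuristics over a constructed set of Run-key values (all names and data are made up; `ENCODED_BLOB` is just base64 of a byte sequence, not a real payload) and reports which entries deserve a closer look.

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed sample of autostart values, in the shape a registry audit script would
# read them from HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Every name and
# data string here is made up for this example; none is a real malware artifact.
ENCODED_BLOB = base64.b64encode(bytes(range(256)) * 4).decode()

SAMPLE_RUN_VALUES: List[Tuple[str, str]] = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    # A value name that begins with a NUL byte: the registry accepts it, but regedit
    # and most Win32 tools stop reading the name at the NUL and cannot display it.
    ("\x00Updater", ENCODED_BLOB),
    # A normal-looking name whose data is an encoded blob instead of a plain path.
    ("Telemetry", r"C:\ProgramData\tlm\stage.exe " + ENCODED_BLOB),
]

# Long runs of base64 or hex characters are how encoded blobs usually look in a
# REG_SZ value; the lengths are thresholds chosen for this example.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}){100,}")


def has_hidden_name(name: str) -> bool:
    """True if the value name contains NUL or any other non-printable character."""
    return any(not ch.isprintable() for ch in name)


def looks_like_encoded_blob(data: str) -> bool:
    """True if the value data carries a long base64- or hex-like run."""
    return bool(BASE64_RUN.search(data) or HEX_RUN.search(data))


def audit_run_values(values: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return {value_name: [reasons]} for every entry that trips a heuristic."""
    findings: Dict[str, List[str]] = {}
    for name, data in values:
        reasons = []
        if has_hidden_name(name):
            reasons.append("non-printable character in value name")
        if looks_like_encoded_blob(data):
            reasons.append("long encoded blob in value data")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_run_values(SAMPLE_RUN_VALUES).items():
        # repr() makes the NUL visible, which is the whole point of the check.
        print(f"{name!r}: {', '.join(reasons)}")
```

On a live system the same functions would be fed from a registry read (for example with Python's `winreg` module) or from a hive exported during an investigation; the heuristics are the part that transfers.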

The second way malware hides itself is process injection. This is where the malware hijacks a running process and puts bits of its own code into it. AlienVault (2016) says, “Malware leverages process injection techniques to hide code execution and avoid detection by utilizing known ‘good’ processes such as svchost.exe or explorer.exe.”

A third example would be physical. This is where the malware could be stored in the slack space of the drive. Berghel (2007, p. xx) says, “At the sector level, any unused part of a partially filled sector is padded with either data from memory (RAM slack) or null characters (sector slack).” The location is ideal because the operating system does not normally access this portion of the disk. The code can lie dormant there and resurface based on specific commands.
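Slack is easy to reason about once the arithmetic is explicit: a file of 700 bytes on 512-byte sectors occupies two sectors but leaves 324 bytes of the second one unused, and those bytes should be null if the file system padded them as Berghel describes. The following added example (not code from the original post or from Berghel) builds a small constructed disk image with three files, plants a made-up marker in one file's sector slack, and then scans every allocated file's slack for non-null bytes, which is the check a forensic examiner applies to find data living where no file claims it.

```python
from typing import Dict, List, Tuple

SECTOR_SIZE = 512


def slack_bytes(file_size: int, sector_size: int = SECTOR_SIZE) -> int:
    """Unused bytes between the end of a file's data and the end of its last sector."""
    remainder = file_size % sector_size
    return 0 if remainder == 0 else sector_size - remainder


def slack_region(offset: int, size: int, sector_size: int = SECTOR_SIZE) -> Tuple[int, int]:
    """Byte range [start, end) of the sector slack that follows a file's data."""
    start = offset + size
    return start, start + slack_bytes(size, sector_size)


def build_sample_image() -> Tuple[bytes, List[Tuple[int, int]]]:
    """Constructed 8-sector image with three sector-aligned files. Returns the
    image and the allocation table as (offset, size) pairs."""
    image = bytearray(SECTOR_SIZE * 8)          # all-null disk
    allocations = [(0, 700), (2048, 512), (2560, 100)]
    image[0:700] = b"A" * 700                   # file 1: 1 full sector + 188 bytes
    image[2048:2560] = b"B" * 512               # file 2: exactly one sector, no slack
    image[2560:2660] = b"C" * 100               # file 3: 412 bytes of clean slack
    # Plant a constructed marker in file 1's slack (bytes 700..1023 belong to no file).
    marker = b"constructed-hidden-data"
    image[700:700 + len(marker)] = marker
    return bytes(image), allocations


def scan_slack(image: bytes, allocations: List[Tuple[int, int]],
               sector_size: int = SECTOR_SIZE) -> List[Dict[str, int]]:
    """Report every file whose sector slack holds anything other than null padding."""
    findings = []
    for offset, size in allocations:
        start, end = slack_region(offset, size, sector_size)
        region = image[start:end]
        non_null = sum(1 for b in region if b != 0)
        if non_null:
            findings.append({
                "file_offset": offset,
                "slack_start": start,
                "slack_len": end - start,
                "non_null_bytes": non_null,
            })
    return findings


if __name__ == "__main__":
    img, allocs = build_sample_image()
    for finding in scan_slack(img, allocs):
        print(finding)
```

The scan only covers slack inside allocated files; unallocated sectors are a separate sweep. The same routine applied to a real image would take its allocation table from the file system metadata rather than from a hand-written list.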

References

AlienVault. (2016, October 3). Malware hiding techniques to watch for: alienvault labs. Retrieved from https://www.alienvault.com/blogs/labs-research/malware-hiding-techniques-to-watch-for-alienvault-labs

Shijo, P., & Salim, A. (2015). Integrated static and dynamic analysis for malware detection. Procedia Computer Science, 46, 804-811. doi:10.1016/j.procs.2015.02.149

Berghel, H. (2007). Hiding data, forensics, and anti-forensics. Communications of the ACM, 50(4), 15-20. doi:10.1145/1232743.1232761