Malware – The game of cat and mouse
Malware writers and malware researchers play a constant game of cat and mouse - one where the writers consistently have the upper hand.
While there is some overlap, malware evasion techniques can be broadly categorised into three main areas, each with its own goal:
- Egress bypass (Exfiltrate) – bypass network controls to communicate with an external command and control (C&C) server, pulling new commands and pushing stolen data
- Researcher bypass (Stall) – slow down the reverse engineering and analysis that leads to defences, extending the window in which the malware can operate in the wild
- User bypass (Persist) – bypass host-based controls such as anti-virus (AV) and operating system (OS) protections, and generally stay hidden from the user to avoid detection
These categories can be broken down into specific sub-components:
Egress bypass (Exfiltrate)
- Script fragmentation – request commands in small chunks rather than in one larger, more conspicuous request
- HTTP pull – pulling a resource from an innocent-looking domain, such as a legitimate image file that carries an encoded payload, so the traffic looks like ordinary browsing
- HTTP DNS resolution – resolving names through an HTTP-based DNS service rather than the host's resolver, for example looking up a No-IP dynamic DNS name via a web resolver, so the lookup bypasses DNS-layer monitoring
- Peer-to-peer (P2P) push/pull – communicating over a network of infected hosts, using trust algorithms to decide which peers to accept commands and data from, so there is no single C&C server to block or take down
- Encrypted/obfuscated protocols – using standardised or proprietary encryption to hide command and data traffic from network inspection
- Hooking Application Programming Interface (API) calls – injecting into trusted processes such as web browsers so that outbound requests appear to come from an application the firewall already allows
Researcher bypass (Stall)
- Anti-virtual machine (VM)/debugging/disassembly techniques – detecting analysis environments and changing behaviour inside a VM, or refusing to run under a debugger or disassemble cleanly
- Domain Generation Algorithms (DGA) with misleading callbacks – using a DGA to poll, say, 10k domains across 15 top level domains (TLDs) where only one returns valid information and the rest return decoy data, so a researcher cannot easily tell which domain matters
- Obfuscated code – packing, encryption and control-flow obfuscation that make the code harder to read and slow analysis down; the standard stalling technique
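The DGA and decoy-callback idea above, as an added worked example (this is illustrative code written for this page, not code from any real malware family or from the original article). It assumes a hypothetical five-entry TLD list, a date string as the daily seed, and a `lookup` callable that stands in for the network so the example runs offline; the HMAC token check is how a bot can tell a genuine controller from a sinkhole or a decoy that answers with "deceiving data", and `looks_like_dga` is the crude lexical check a researcher might use for triage:

```python
"""Added example: a date-seeded DGA, sinkhole-resistant controller lookup,
and a simple lexical detector. Constructed for illustration only."""
import hashlib
import hmac
import math
from collections import Counter

# Hypothetical TLD list; real DGAs spread candidates over many more TLDs.
TLDS = ("com", "net", "org", "info", "biz")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def dga_domains(seed: str, day: str, count: int = 10, tlds=TLDS) -> list:
    """Return `count` candidate domains for `day` (an ISO date string).

    Bot and controller derive the same list from (seed, day, i), so the
    controller only needs to register one of them while a researcher watching
    the bot sees it poll all of them.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day}|{i}".encode()).digest()
        length = 10 + digest[0] % 6                      # 10..15 characters
        label = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        domains.append(f"{label}.{tlds[digest[-1] % len(tlds)]}")
    return domains


def c2_token(seed: str, domain: str) -> str:
    """Token a genuine controller publishes for `domain` (e.g. in a TXT record
    or HTTP body). Without the seed a sinkhole cannot forge it."""
    return hmac.new(seed.encode(), domain.encode(), hashlib.sha256).hexdigest()[:16]


def find_controller(seed: str, domains, lookup):
    """Walk the candidates and return the first domain whose answer carries a
    valid token. `lookup(domain)` stands in for DNS/HTTP and returns the
    published string or None; decoys and sinkholes fail the check."""
    for domain in domains:
        answer = lookup(domain)
        if answer is not None and hmac.compare_digest(answer, c2_token(seed, domain)):
            return domain
    return None


def shannon_entropy(text: str) -> float:
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_like_dga(domain: str, min_len: int = 10, entropy_threshold: float = 3.2,
                   max_vowel_ratio: float = 0.3) -> bool:
    """Crude lexical check: long, high-entropy, vowel-poor labels are suspicious.
    Thresholds are illustrative and will misfire on real traffic (CDN hostnames,
    hashes in subdomains), so treat this as a triage signal, not a verdict."""
    label = domain.split(".")[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    return shannon_entropy(label) >= entropy_threshold and vowel_ratio <= max_vowel_ratio


if __name__ == "__main__":
    seed, today = "demo-seed", "2024-05-01"
    candidates = dga_domains(seed, today, count=8)
    # Constructed "network": one sinkhole answering garbage, one real controller.
    published = {candidates[2]: "sinkhole-response",
                 candidates[6]: c2_token(seed, candidates[6])}
    print("controller:", find_controller(seed, candidates, published.get))
    for d in candidates + ["google.com", "documentation.org"]:
        print(f"{d:24} dga={looks_like_dga(d)}")
```

The defender's angle follows from the same code: because the list is a pure function of (seed, date), recovering the seed from one sample lets a researcher pre-compute and sinkhole every future domain, which is why families pair DGAs with token checks like `c2_token` so that a sinkhole that cannot produce the token is simply skipped.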
User bypass (Persist)
- Server/client polymorphic algorithms to bypass signatures – mutating code either on the server (a different build per download) or on the client (a different build per execution) so that each copy has different bytes, defeating AV signatures and heuristics
- Direct hardware access – bypassing, altering or piggybacking OS controls by modifying core parts of the OS, ideally getting code into kernel mode (Ring 0) where it runs beneath user-mode security software
- Sleeping – after infecting a machine, doing nothing for a predetermined period so that sandboxes and analysts watching the initial execution see no malicious activity
- Man in the Browser (MitB)/web injects/session redirection – injecting JavaScript into legitimate pages to discreetly steal session information and credentials from trusted websites
- Digitally signed – signing the malware with stolen but otherwise legitimate code-signing certificates so it is treated as whitelisted/trusted software
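The client-side polymorphism point above, as an added worked example (written for this page, not taken from the original article or any real AV engine). The "payload" and the byte signature for it are constructed stand-ins, the mutation is a deliberately simple one-byte XOR with a per-copy key, and the two scanners show why a static signature misses every variant while an emulator or a memory scan that runs the decoder still catches it:

```python
"""Added example: a minimal client-side polymorphic wrapper and the
difference between a static signature scan and an emulated one.
Payload and signature are constructed stand-ins, not real malware."""
import os

# Constructed "payload" and the byte signature a vendor might write for it.
PAYLOAD = b"\x90\x90" + b"CALC.EXE" + b"\x00\xcc"
SIGNATURE = b"CALC.EXE"


def signature_hit(blob: bytes, sig: bytes = SIGNATURE) -> bool:
    """A classic signature scan reduced to its essence: does the pattern occur?"""
    return sig in blob


def mutate(payload: bytes, key: int = None) -> bytes:
    """Emit a new variant: one key byte followed by the payload XORed with it.
    Each call with a fresh key gives different bytes on disk for the same logic."""
    if key is None:
        key = 1 + os.urandom(1)[0] % 255          # never 0, which would be a no-op
    if not 1 <= key <= 255:
        raise ValueError("key must be in 1..255")
    return bytes([key]) + bytes(b ^ key for b in payload)


def decode(variant: bytes) -> bytes:
    """What the variant's decoder stub does at run time."""
    key = variant[0]
    return bytes(b ^ key for b in variant[1:])


def static_scan(variant: bytes) -> bool:
    """Signature match on the bytes exactly as stored on disk."""
    return signature_hit(variant)


def emulated_scan(variant: bytes) -> bool:
    """Signature match after running the decoder, as an emulator or a memory
    scan at execution time would see the code."""
    return signature_hit(decode(variant))


def coverage() -> tuple:
    """Detections over every possible key: (static hits, emulated hits, variants)."""
    variants = [mutate(PAYLOAD, key) for key in range(1, 256)]
    return (sum(map(static_scan, variants)),
            sum(map(emulated_scan, variants)),
            len(variants))


if __name__ == "__main__":
    a, b = mutate(PAYLOAD), mutate(PAYLOAD)
    print("two variants identical:", a == b)         # almost always False
    print("static / emulated / total:", coverage())   # (0, 255, 255)
```

The weak point of this scheme is the decoder stub: `decode` is the same in every variant, so a signature on the stub rather than on the payload would still fire, which is why real polymorphic engines also mutate the stub and why AV products lean on emulation and memory scanning instead of on-disk patterns alone. Moving `mutate` to the download server gives the server-side variant of the technique, where every victim receives a different file and a sample-sharing network never sees two identical copies.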