Malware
Malware is software that violates the security policy of the system it runs on. It is commonly classified into three types:
- Virus: self-replicating code that needs a host program to attach itself to.
- Worm: a standalone, self-replicating program that spreads on its own, through vulnerabilities or social engineering.
- Trojan: looks benign but hides a malicious program, often one that gives the attacker remote control of the machine.
Virus obfuscation techniques
- Metamorphism: the ability of the malware to produce different versions of itself that keep the same behaviour. It is often achieved by adding random dead code, such as useless assembly instructions like `nop`, or `add eax, 1` where the result is never used, that serve no purpose in the program. If the provided assembly code contains such dead code, it is likely that metamorphism was used. If copies of the same malware differ from one another and there is no decryption routine or mutation engine (typical of polymorphism) in the code, then metamorphism is evident. Typical transformations:
  - inserting nops
  - reordering sections
  - inserting useless instructions
- Polymorphism: the ability of the malware to encrypt and decrypt itself. Bytes that look like meaningless instructions or data, once decrypted, reveal the actual working malware. Such malware typically contains a small decryption loop that repeatedly performs `XOR` operations on data in memory and stores the result elsewhere. Encrypting the body with a different key in every copy is useful to the attacker because it yields many versions of the same code with the same semantics, so a byte signature on the stored file fails; only the small decryptor stub stays constant.
- Dormant period: the strategy of doing nothing for a specific period of time, using long loops or calls like `sleep(10000);`, so that a sandbox which observes the sample for only a few minutes sees no malicious behaviour.
- Event triggering: the malware runs an infinite loop, continuously checking for a specific event, e.g. the response received from a specific domain, and only acts once the trigger fires.
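As an added example (not part of the original notes), the following Python toy models both polymorphism and metamorphism on a harmless four-instruction "payload" and shows why the best practices at the end recommend dynamic analysis for them: every copy on disk is XOR-encrypted with its own key (polymorphism) and carries different dead code (metamorphism), so a byte signature fails on the stored bytes, a two-instruction signature fails even on the decrypted body, while the behaviour observed by running the copy is identical. The instruction set, the payload, the signatures and the key schedule are all invented for illustration.

```python
import hashlib
import random

# --- toy "malware" -------------------------------------------------------
# Instruction = (mnemonic, operand). The only register is eax; "out" records
# its value, which stands in for the observable behaviour (a syscall, say).
PAYLOAD = [("mov", 5), ("add", 3), ("mul", 2), ("out", None)]  # constructed, benign

# Sequences that leave eax untouched: what a metamorphic engine sprinkles in.
DEAD_CODE = [[("nop", None)], [("add", 1), ("sub", 1)], [("sub", 7), ("add", 7)]]

# Two constructed byte signatures an AV might carry for this "family".
SIG_SHORT = b"mul 2"          # one instruction
SIG_LONG = b"add 3\nmul 2"    # two adjacent instructions

def serialize(program):
    """Program text, i.e. the bytes of the body before encryption."""
    return "\n".join(m if a is None else f"{m} {a}" for m, a in program).encode()

def parse(blob):
    program = []
    for line in blob.decode().splitlines():
        parts = line.split()
        program.append((parts[0], int(parts[1]) if len(parts) > 1 else None))
    return program

def execute(program):
    """Run the program and return its output trace (what dynamic analysis sees)."""
    eax, trace = 0, []
    for m, a in program:
        if m == "mov":
            eax = a
        elif m == "add":
            eax += a
        elif m == "sub":
            eax -= a
        elif m == "mul":
            eax *= a
        elif m == "out":
            trace.append(eax)
        elif m != "nop":
            raise ValueError(f"unknown instruction {m}")
    return trace

# --- metamorphism: different code, same semantics ------------------------
def metamorphic_variant(program, rng):
    out = []
    for ins in program:
        out.extend(rng.choice(DEAD_CODE))  # random dead code before every instruction
        out.append(ins)
    return out

# --- polymorphism: same body, different key per copy ---------------------
def xor_bytes(data, key):
    # This is all the decryptor stub does at run time: XOR every byte with the
    # key and store the result in a fresh buffer.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def polymorphic_copy(program, key):
    """A copy as it sits on disk: the stub (here just the key) + encrypted body."""
    return key, xor_bytes(serialize(program), key)

def build_copies(n):
    """n copies, each with its own key and its own metamorphic body."""
    copies = []
    for seed in range(n):
        rng = random.Random(seed)
        # Deterministic stand-in for a random per-copy key. The high bit is set
        # in every key byte, so no ASCII byte of the body survives the XOR.
        key = bytes(0x80 + ((37 * seed + 11 * i) % 128) for i in range(4))
        copies.append(polymorphic_copy(metamorphic_variant(PAYLOAD, rng), key))
    return copies

# --- the two analysis views ---------------------------------------------
def static_fingerprint(on_disk):
    return hashlib.sha256(on_disk).hexdigest()

def static_match(blob, signature):
    return signature in blob

def unpacked_body(copy):
    """Dynamic analysis lets the stub run, then dumps the decrypted body."""
    key, encrypted = copy
    return xor_bytes(encrypted, key)

def behaviour(copy):
    return execute(parse(unpacked_body(copy)))

def dynamic_match(copy):
    """Behavioural detection: same trace as the known family sample."""
    return behaviour(copy) == execute(PAYLOAD)

if __name__ == "__main__":
    for copy in build_copies(3):
        body = unpacked_body(copy)
        print(static_fingerprint(copy[1])[:16],
              "sig on disk:", static_match(copy[1], SIG_SHORT),
              "short sig unpacked:", static_match(body, SIG_SHORT),
              "long sig unpacked:", static_match(body, SIG_LONG),
              "behaviour:", behaviour(copy))
```

Each copy has a different hash and no signature hits on disk; after the stub runs, the one-instruction signature matches again (unpacking defeats polymorphism), but the two-instruction signature never does because dead code sits between the instructions (metamorphism), and only the execution trace is the same for every copy.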
Virus evasive techniques
- Anti-virtualization: malware is generally analysed by launching it in an isolated virtual machine and observing its behaviour. Some malware therefore detects virtual machines, for example by checking environment variables or other artifacts the hypervisor leaves in the guest, and behaves benignly when it finds one.
Analysis techniques
Theoretically, anti-malware software cannot decide in general whether a given program is a virus, i.e. whether it can spread: the problem reduces to the Halting Problem. Therefore it uses a blacklisting approach, blocking known malware samples by signature.
Two main ways of analysing malware:
- Static analysis: "manual" analysis of the code without running it, generally used for dormant code and anti-virtualization cases. For example, if the sample calls a sleep function with `0x1000` as its parameter, a dynamic analysis would have to wait at least `0x1000` (4096) seconds to see the true behaviour of the malware, whereas reading the code reveals the delay immediately.
- Dynamic analysis: running the sample to "automatically" collect relevant information, such as syscalls, calls to library functions and the unpacked instructions actually executed; this information can be fed to heuristics or ML algorithms to detect the malware.
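As an added example (not from the original notes), here is a minimal static scanner in Python over a constructed disassembly listing. It resolves the immediate pushed before a call to a sleep routine and flags delays above a threshold (the `0x1000` case above, so the analyst knows how long a sandbox would have to wait), and it flags backward jumps that form a loop containing a call, the shape of an event-trigger polling loop. The listing, the routine names (`sleep`, `check_response`), the assumption that the delay is in seconds and the threshold are all invented; real samples need a proper disassembler rather than regular expressions.

```python
import re

# Constructed disassembly listing (Intel syntax, argument pushed before the call).
# Lines 2-3: dormant period of 0x1000 seconds; lines 4-5: a short, harmless sleep;
# lines 6-10: a loop that polls a domain until it answers (event trigger).
LISTING = """\
start:
    push 0x1000
    call sleep
    push 10
    call sleep
poll:
    push offset domain
    call check_response
    test eax, eax
    jz poll
    call payload
"""

DORMANT_THRESHOLD = 60      # seconds; assumed: the delay routine takes seconds, as C sleep() does
SLEEP_FUNCS = {"sleep"}     # assumed names of delay routines

LABEL_RE = re.compile(r"^(\w+):\s*$")
PUSH_RE = re.compile(r"^\s*push\s+(\S+)")
CALL_RE = re.compile(r"^\s*call\s+(\w+)")
JUMP_RE = re.compile(r"^\s*(jmp|jz|jnz|je|jne)\s+(\w+)")

def parse_immediate(text):
    """Integer value of a numeric operand (hex or decimal), or None for anything else."""
    try:
        return int(text, 0)
    except ValueError:
        return None

def scan(listing):
    """Return a list of findings: dormant sleeps and call-containing loops."""
    findings = []
    labels = {}        # label name -> line where it is defined
    calls_after = {}   # label name -> calls seen since the label (loop body size)
    last_push = None   # most recent pushed immediate, i.e. the next call's argument
    for lineno, line in enumerate(listing.splitlines(), 1):
        if m := LABEL_RE.match(line):
            labels[m.group(1)] = lineno
            calls_after[m.group(1)] = 0
        elif m := PUSH_RE.match(line):
            last_push = parse_immediate(m.group(1))   # None for "offset domain" etc.
        elif m := CALL_RE.match(line):
            for name in calls_after:
                calls_after[name] += 1
            if (m.group(1).lower() in SLEEP_FUNCS and last_push is not None
                    and last_push >= DORMANT_THRESHOLD):
                findings.append({"kind": "dormant", "line": lineno, "seconds": last_push})
            last_push = None   # the call consumed its argument
        elif m := JUMP_RE.match(line):
            target = m.group(2)
            if target in labels:   # jump to an earlier label: a loop
                findings.append({"kind": "poll-loop", "line": lineno, "label": target,
                                 "calls_in_body": calls_after[target]})
    return findings

def summarize(findings):
    """Human-readable report lines for the analyst."""
    lines = []
    for f in findings:
        if f["kind"] == "dormant":
            lines.append(f"line {f['line']}: sleep({f['seconds']} s), about "
                         f"{f['seconds'] // 60} min before the real behaviour starts")
        else:
            lines.append(f"line {f['line']}: loop back to '{f['label']}' with "
                         f"{f['calls_in_body']} call(s) in the body, possible event-trigger poll")
    return lines

if __name__ == "__main__":
    for line in summarize(scan(LISTING)):
        print(line)
```

Static analysis answers the dormant-code question without waiting: the scanner reports the 4096-second sleep and the polling loop directly from the listing, while the 10-second sleep stays below the threshold and is ignored.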
Best practices
- Polymorphism → dynamic analysis
- Metamorphism → dynamic analysis
- Trigger-based / dormant code / anti-VM → static analysis