Skip to main content

Defending againts malware and stealth techniques

  1. Patches: most worms exploit known vulnerabilities
  2. Signatures: must be developed automatically to keep up
  3. Intrusion and anomaly detection: notice suspicious activity

Antivirus and antimalware

The basic strategy is a signature-based detection: database of byte-level or instruction-level signatures that match known malware.

Other complementary strategies are used:

  • Heuristics: check for sign of infection. For example: where code execution starts, heder size, suspicius code section name, patched import address table, ...
  • Behavioral detection: detect signs of known malware and common behavors of malwares.

Stealth techniques

General stealth techniques

  • Dormant period during which no malicious behavior is exhibited
  • Event-triggered payload
  • Anti-virtualization techniques: modern malware detect execution environment to complicate analysis
    • virtual machines
    • hardawre supported virtual machines
    • emulators
  • Encryption / Packing: encrypt the malicius content using a small routin changing the key at each execution
  • Rootkit techniques: after becoming root on a machine, plant a kit to remain root. Your kit could, for example, make files, processes, directories disappear to hide the attacker. Can be:
    • userland (backdoored login, trojanized utilites to hide, ...)
    • kernel-space (SYS_CALL table, interrupt description table, ...)
    • in bios
    • on firmware
    • in virtualization systems

Virus stealth techniques

Virus scanners quicly discover viruses by searching around entry point.

Entry point obfusctaion

  • Multicavity viruses
  • Hijact control later (after the program is launched), for example overwriting import table addresses or function call instructions

Virus and Worm stealth techniques

  • Polymorphism: change layout (shape) with each infection. The same payload is encrypted with different keys.
  • Metamorphism: create different versions of code that look different but have the same semantics (do the same thing).

Malware analysis

Is an ex-post workflow after the malware has been identifies:

  • reported by someone
  • automatically analyzed
  • manually analyzed
  • antivirus signature developed

Two main type of analysis are carried:

  • Static analysis: parse the executable code. Hight code coverage and works in dormant code but suffers from obfuscation.
  • Dynamic analysis: Observe the runtime behavior of the executable. Low code coverage and do not work with dormant code but is does not suffer from obfuscation.
Back to top