
In this discussion, I'd like to talk a little more about malware in detail. I hope that this short tutorial is useful for you. I'm not going to tell you what malware is and how to make it, because (almost) all of you know that malware is malicious software and that it's created with advanced programming techniques. The main difference between standard software and malware is its real intention. There are many people who are motivated to write a virus or an advanced type of malicious software that will serve bad purposes. Motivation usually stems from many reasons, including making money automatically, gaining control of and access to secret data, or simply proving something to someone.
Malware Symptoms
In most cases, when your system gets infected with some kind of malware, you might see some strange symptoms which indicate that something is wrong with your device. The usual symptoms are:
- Unknown or strange error messages
- Slower workflow, greater processor usage
- Unusual behavior of your software or hardware
- Downloading/uploading files from/to something
- Changed permissions
- Changed files, folders
- Installed extra software
- New startup entries
- Encrypted files that were not encrypted by you
- And everything else that seems suspicious...
The real question after this list would be: how do we know that it's malware and not something else? The real answer: we don't know for sure, but we can try to find out.
Checking for Malware
First, we'd like to check our process list and see what's going on. Press CTRL+Shift+Esc and, from the tabs, choose "Processes". You'll see the list of processes that are running right now, but you still have to verify that each one is the genuine file. First, look for suspicious process names (for example word.exe when you don't use the Word application at all). Then open any internet browser and search for the name of the process and the details related to it. You can check processes manually this way, or you can download the tool "Security Task Manager" from Neuber Software, which helps with this assessment. If we're sure that a malware file still exists on our system but we can't find it in the process list, the next step is to install antivirus software, which will try to find the malware and hopefully remove it. I'd suggest MalwareBytes, which is my preferred antivirus program and is really good at removing malware. You should also be aware that there is some malware that's so advanced and stealthy that it doesn't produce any symptoms. It's usually developed for purposes like global security and can't be removed or detected. Also, every device has that type of "good malware" which protects us from abuse.
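The "is it the real file?" check above can be scripted. The following is an added example, not code from the original post: it applies three defender-side rules to a process snapshot (a well-known system name running from the wrong directory, a name one typo away from a system process, and an unsigned image in a user-writable folder). The expected-directory table and the process list are constructed assumptions for illustration.

```python
import difflib
import ntpath

# Where well-known Windows system processes normally live on a default install
# (assumption: illustrative, not exhaustive; adjust to your own baseline).
EXPECTED_DIRS = {
    "svchost.exe": r"C:\Windows\System32",
    "lsass.exe": r"C:\Windows\System32",
    "csrss.exe": r"C:\Windows\System32",
    "winlogon.exe": r"C:\Windows\System32",
    "services.exe": r"C:\Windows\System32",
    "explorer.exe": r"C:\Windows",
}
# Directories an ordinary user can write to; droppers and wrapped installers often run from here.
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

def triage_process(name: str, path: str, signed: bool) -> list[str]:
    """Return the reasons a process deserves a closer look (empty list = nothing odd)."""
    reasons = []
    lname = name.lower()
    ldir = ntpath.dirname(path).lower()
    if lname in EXPECTED_DIRS:
        if ldir != EXPECTED_DIRS[lname].lower():
            reasons.append(f"system process name but image runs from {ldir}")
    else:
        # A name one typo away from a real system process (svch0st, scvhost, ...) is a classic disguise.
        near = difflib.get_close_matches(lname, list(EXPECTED_DIRS), n=1, cutoff=0.8)
        if near:
            reasons.append(f"name resembles system process {near[0]}")
    if any(hint in ldir + "\\" for hint in USER_WRITABLE_HINTS):
        reasons.append("image lives in a user-writable directory")
    if not signed:
        reasons.append("image is not Authenticode-signed")
    return reasons

def triage_all(processes: list[dict]) -> dict[str, list[str]]:
    """Map each flagged process (name@path) to its reasons; clean processes are omitted."""
    flagged = {}
    for p in processes:
        reasons = triage_process(p["name"], p["path"], p["signed"])
        if reasons:
            flagged[f'{p["name"]}@{p["path"]}'] = reasons
    return flagged

# Constructed sample snapshot (not real Task Manager output); on a live system you would build
# it from Get-Process / Get-AuthenticodeSignature in PowerShell or from Sysinternals Process Explorer.
SAMPLE_PROCESSES = [
    {"name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe", "signed": True},
    {"name": "chrome.exe", "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "signed": True},
    {"name": "svchost.exe", "path": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "signed": False},
    {"name": "svch0st.exe", "path": r"C:\Users\bob\Downloads\svch0st.exe", "signed": False},
]

if __name__ == "__main__":
    for key, why in triage_all(SAMPLE_PROCESSES).items():
        print(key, "->", "; ".join(why))
```

A process that trips one rule is only a lead, not a verdict; the name search in a browser and the vendor signature check still decide.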
Malware Evasion
For our "everyday" malware, I'd like to list some evasion techniques. To evade detection during and after installation, malware uses five main techniques:
1) Wrapping: This process attaches the malicious payload (the installer or the malware itself) to a legitimate file. When the legitimate file is installed, so is the malicious payload (which usually installs before the legitimate file does). Using static signatures to detect wrapper files is largely ineffective, as new ones are easily and regularly created, and such signatures often generate false positives. This technique is commonly used by Windows and OS X malware distributed via pirated software and P2P networks. IceFog is a well-known malware commonly wrapped with a legitimate-looking CleanMyMac application and used to target OS X users. On the Windows platform, OnionDuke has been used with legitimate Adobe installers shared over Tor networks to infect machines.
2) Packers: These software tools are used to compress and encode binary files, which is another form of obfuscation. At runtime, the packer, which is typically embedded with the malicious binary, will "unpack" the payload into memory and execute it. There are a handful of common packing mechanisms in use today such as UPX, PECompact, Armadillo and others. These techniques are extremely effective at circumventing static signature engines.
3) Obfuscation: This involves modifying high-level or binary code in a way that does not affect its functionality but completely changes its binary signature. Obfuscation was originally used to protect legitimate software against reverse engineering and piracy. Malware authors have adopted the technique to bypass antivirus engines and impair manual security research. Using XOR encoding is one way to do this. Hiding process and file names, registry entries, URLs and other useful information can significantly slow down the investigation and reverse engineering of new malware samples.
4) Targeting: This technique is implemented when malware is designed to attack a specific type of system (e.g. Windows 7), application (e.g. Google Chrome) and/or configuration (e.g. only running on a machine without VMware Tools installed, since their presence is a telltale sign of virtualization). Targeting ensures that the malware is only triggered and installed when specific conditions are met, which enables it to evade detection in sandboxes, because the sandbox does not resemble the host being attacked.
5) Anti-debugging: Like obfuscation, anti-debugging was originally created by software developers to protect commercial code from reverse engineering. Anti-debugging can prevent a binary from being analyzed in emulated environments such as virtual machines, security sandboxes and others. For example, the ZeroAccess malware implemented a self-debugging technique in order to block external debugging attempts. Another example is malware attempting to delay its execution (or sleep) for an extended period of time. This is useful for bypassing sandboxing solutions, since these only keep binaries in an emulated environment for a specific period of time before classifying them as benign and releasing them to the network.
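Two of the techniques above, packing (2) and XOR obfuscation (3), leave traces an analyst can look for statically. The following is an added example, not code from the original post: a byte-entropy check that hints at a packed or encrypted region, and a brute force over all single-byte XOR keys that recovers strings (such as a hidden URL) from an encoded configuration block. The config block, its key 0x5A and the pseudo-random "packed" region are all constructed sample data, and the URL is a placeholder.

```python
import hashlib
import math
import string
from collections import Counter

# Printable ASCII minus the whitespace that would split a string run.
TEXT_BYTES = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain code/text sits around 4-6.5, compressed or encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_packed(data: bytes, threshold: float = 7.2) -> bool:
    """Entropy above the threshold is a packer/crypter hint, not proof; confirm with the PE section headers."""
    return shannon_entropy(data) >= threshold

def ascii_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Equivalent of the classic 'strings' pass: runs of printable bytes of at least min_len."""
    found, run = [], bytearray()
    for b in data + b"\x00":          # trailing sentinel flushes the final run
        if b in TEXT_BYTES:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found

def recover_xor_strings(data: bytes, marker: bytes = b"http") -> dict[int, list[str]]:
    """Try all 255 single-byte XOR keys and keep those whose decoding exposes the marker."""
    hits = {}
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in data)
        if marker in decoded:
            hits[key] = [s for s in ascii_strings(decoded) if marker.decode() in s]
    return hits

# Constructed sample data (not taken from any real sample): a config block XOR-encoded with
# key 0x5A and padded with zero bytes, plus a 2 KiB pseudo-random region standing in for a packed section.
CONFIG_PLAIN = b"\x00" * 16 + b"cfg=1;url=http://example.invalid/update;" + b"\x00" * 16
CONFIG_BLOB = bytes(b ^ 0x5A for b in CONFIG_PLAIN)
PACKED_REGION = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))

def triage(blob: bytes) -> dict:
    """One-shot static triage of a byte region."""
    return {"entropy": round(shannon_entropy(blob), 2),
            "packed": looks_packed(blob),
            "xor_hits": recover_xor_strings(blob)}

if __name__ == "__main__":
    for label, blob in (("config", CONFIG_BLOB), ("section", PACKED_REGION)):
        print(label, triage(blob))
```

Multi-byte XOR keys and real packers such as UPX need more than this (key-length guessing, or simply unpacking), but the entropy spike and the recovered URL are exactly the indicators a static signature engine misses and an analyst catches.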
Conclusion
Just as malware's evasion techniques continue to evolve, so must our security measures. There's much work being done in the industry to move beyond traditional static signature-based security to behavior-based profiling, analytics and real-time information sharing between security solution providers and tools. One thing we've learned from researching the malware techniques described above is that the closer we can place security to the targeted asset, the more likely we will be able to detect and stop it.
I am Dragan Ilievski, Bachelor of Computer Science and IT freelancer in many IT areas.