Tuesday, April 25, 2017

How does Malware Attempt to Hide itself from Antivirus Systems

The second part of my project revolved around researching how malware attempts to disguise itself from antivirus systems. I once again completed this by reading through articles and blog posts. While antivirus systems always strive to detect and stop malware, malware creators seem to be one step ahead. This results in new malware constantly being deployed using new methods to hide itself from antivirus systems. In my research I found numerous methods currently being used, and I will discuss the top few that have consistently come up.
One of the major ways that malware attempts to hide itself is through self-encryption. The virus is delivered while it is encrypted, so that antivirus systems cannot determine what it does by scanning it, and its signature is hidden from signature-based detection. Typically, this type of malware will either include its key within the actual program or be encrypted with a weak key, such as a single character, that can quickly be broken in order to unlock and execute the malicious code. This method can still be detected by antivirus systems at runtime, but it will occasionally buy the malware enough time to complete its objective before the antivirus reacts.
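As an added example (not code from this post), here is how an analyst or scanner can recover a payload "protected" with the single-character key described above: every one of the 256 possible keys is tried and the candidate that looks most like real content wins. The marker list and the sample bytes are constructed for the demo.

```python
"""Recover a single-byte XOR 'self-encrypted' payload by brute force.

Added example: a one-character key leaves only 256 possibilities, so an
analyst can undo the 'encryption' in microseconds.
"""
from string import printable

# Strings a decrypted Windows executable commonly contains (a small,
# hypothetical list for this example; a real scanner would use far more).
KNOWN_MARKERS = [b"This program cannot be run in DOS mode", b"MZ"]

PRINTABLE = set(printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encrypting and decrypting are the same operation."""
    return bytes(b ^ key for b in data)


def score_plaintext(candidate: bytes) -> float:
    """Rate how much a candidate looks like real content: fraction of printable
    bytes, plus a large bonus for every known marker string found."""
    printable_ratio = sum(b in PRINTABLE for b in candidate) / max(len(candidate), 1)
    marker_hits = sum(marker in candidate for marker in KNOWN_MARKERS)
    return printable_ratio + 10 * marker_hits


def recover_single_byte_xor(blob: bytes) -> tuple[int, bytes]:
    """Try all 256 keys and return (key, plaintext) for the best-scoring candidate."""
    best_key, best_score, best_plain = 0, -1.0, b""
    for key in range(256):
        plain = xor_bytes(blob, key)
        score = score_plaintext(plain)
        if score > best_score:
            best_key, best_score, best_plain = key, score, plain
    return best_key, best_plain


# Constructed sample: a fake DOS-stub header 'encrypted' with the single byte 0x5A.
SAMPLE_PLAINTEXT = b"MZ\x90\x00This program cannot be run in DOS mode.\r\n$"
SAMPLE_ENCRYPTED = xor_bytes(SAMPLE_PLAINTEXT, 0x5A)

if __name__ == "__main__":
    key, plain = recover_single_byte_xor(SAMPLE_ENCRYPTED)
    print(f"recovered key=0x{key:02x} plaintext={plain!r}")
```

The same brute force works for any single-byte key; a longer, repeating key is still weak but needs a frequency-analysis step per key position.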
Another method that malware has heavily implemented is the polymorphic virus. This is typically used by viruses that self-replicate and attempt to infect other machines beyond the one that was initially infected. The obfuscation is performed by a piece of code that replicates the virus while changing small portions of it that still implement the same functions. This allows the malware to appear different from the original virus, and it will therefore have a different signature as well, which makes it harder for antivirus systems to detect. The existence and implementation of polymorphic malware has contributed to and encouraged antivirus systems to implement heuristic-based detection. In a similar way to polymorphic obfuscation, some malware will attempt to hide itself by modifying its own code. This self-modifying code can be used at various levels, from modifying itself in memory during execution to modifying the compiled code in an attempt to change its own signature.
Another method which malware will use to attempt to hide itself is by only running when executed on a real operating system and not inside a virtual machine. This attempt to avoid running on virtual machines is implemented for two primary reasons. The first is that it attempts to hide from antivirus systems that would sandbox it: when it detects that it is within a virtual machine it will stop execution, so the antivirus system does not believe that it is performing any malicious operation. The second reason is that it makes it difficult to run through a debugger, which makes reverse engineering much more difficult. This added difficulty makes it harder for a malware analyst to determine the purpose of the malware. The way malware determines whether it is within a virtual machine varies, but it can attempt methods such as checking drivers, ports, available hardware, or operating system registries.
Another method that malware creators will use to hide malware from antivirus systems is hiding code within other files. One popular method for this is implementing malware within Microsoft Word documents. The malware is hidden within the macros of the Word document and is typically written in Visual Basic. The macros are set up to run automatically when the document is opened and execute whatever payload has been configured. This method of malware distribution and hiding has become more popular because transferring a Word document is typically easier than transferring an executable file.
