September 11, 2012

Malware architectures – part 6 (Obfuscation)

Now that the malware has made itself at home on the targeted computer system, it's time to hide its tracks and build up its defenses against being removed.

The previous stages were very messy in terms of activity. Files were left all over the system, processes were tampered with, settings were changed, and other activities necessary for the malware to get to this stage took place.

In no particular order, the following activities are seen in the observed malware.

  • Removal of all control files: their purpose is served and they would be caught by an antivirus scan, so they are deleted.
  • Any processes that were infected/injected or pivoted off of are either terminated, restarted or otherwise wiped of the temporary changes made to them.
    • Sometimes the malware will pop up fake error windows or cause the operating system to create error windows to tell the user the application had a problem and needs to restart. This is effective if the applications that were infected/injected are known to crash and would not alert the user to a problem.
    • Sometimes the processes are left in place, assuming the user will close them soon; examples include browsers, media players, games, etc.
  • Any persistent files, infected system/application files, processes, services, tasks are “fixed” to avoid detection.
    • Infected files are padded with characters to make their signature match the original.
    • If padding would change the file’s size, the file is split into two pieces: the “original” is replaced with a shell file that contains the malware and a jump or call to the actual original file. The shell file is padded to exactly match the size and signature of the original, which is now located somewhere else and possibly renamed.
    • Time stamps and other metadata are cleaned to match the original.
    • Services and tasks are given names that would avoid suspicion, often using social engineering practices to prevent removal (i.e. This service is required for network communications, disabling it will cause system instability and loss of network access.)
  • Creation of encrypted or hidden folders, partitions or other areas to hide the malware from scans or searches.
    • Rootkit and bootkit malware types normally employ some type of encrypted container, usually placed in unused or “bad” parts of the storage used by the computer. These containers cannot be read except by the malware (or by a reverse engineer who has the encryption/decryption function and keys 🙂 ).
    • Alternate data streams placed on innocuous folders, hiding in plain sight so to speak; these are rarely used today but were common in previous years.
    • Using the operating system’s own hidden folders which are rarely scanned, examples include recycle bin metadata folders, prefetch/dllcache folders, etc…
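The file “fixing” and timestamp cleaning in the list above leave traces that a defender can measure against a known-good baseline. The following is an added example, not code from the original post: it snapshots a directory tree, then flags files whose content hash changed while their size stayed the same (a padded file or padded shell stub), files whose content changed but whose modification time did not advance (a restored mtime), and files whose inode change time moved while mtime did not (POSIX ctime is set by the kernel and is not reset by utime()). The fixture path, file contents and the one-year timestamp offset are constructed values; POSIX stat semantics are assumed.

```python
"""Baseline-and-compare check for padded replacements and cleaned timestamps.

Added example (not from the original post). Assumes POSIX stat semantics;
the fixture in demo() uses constructed paths, contents and timestamps.
"""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    size: int
    sha256: str
    mtime: float   # last content modification, settable by utime()
    ctime: float   # inode change time, maintained by the kernel only


def snapshot(path: str) -> Record:
    """Hash and stat one file (whole-file read is fine for a small demo tree)."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return Record(st.st_size, digest, st.st_mtime, st.st_ctime)


def baseline(root: str) -> dict:
    """Map every file under root (by relative path) to its known-good Record."""
    base = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            base[os.path.relpath(full, root)] = snapshot(full)
    return base


def classify(old: Record, new: Record) -> list:
    """Return the suspicious-change flags for one file, or [] if consistent."""
    flags = []
    if new.sha256 != old.sha256:
        # same size but different bytes is exactly what padding is meant to achieve
        flags.append("same-size-content-changed" if new.size == old.size
                     else "content-changed")
        if new.mtime <= old.mtime:
            flags.append("mtime-rolled-back")   # content changed, clock did not
    if new.ctime > old.ctime and new.mtime <= old.mtime:
        flags.append("inode-changed-mtime-not")  # ctime outlives a cleaned mtime
    return flags


def compare(root: str, base: dict) -> dict:
    """Re-snapshot the tree and report every file with at least one flag."""
    findings = {}
    for rel, old in base.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            findings[rel] = ["missing"]
            continue
        flags = classify(old, snapshot(full))
        if flags:
            findings[rel] = flags
    return findings


def demo() -> tuple:
    """Constructed fixture: a clean tree, then the same file overwritten by a
    stub padded to the original size with its mtime set back to the old value.
    Returns (findings before tampering, findings after tampering)."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "bin", "svc.bin")     # fixture path
        os.makedirs(os.path.dirname(target))
        original = b"ORIGINAL-SERVICE-BINARY-CONTENT-v1"  # fixture content
        with open(target, "wb") as fh:
            fh.write(original)
        old_mtime = time.time() - 365 * 86400             # "looks a year old"
        os.utime(target, (old_mtime, old_mtime))
        base = baseline(root)
        clean = compare(root, base)
        # padded replacement: different bytes, identical length, old mtime restored
        stub = b"STUB".ljust(len(original), b"\x00")
        with open(target, "wb") as fh:
            fh.write(stub)
        os.utime(target, (old_mtime, old_mtime))
        return clean, compare(root, base)


if __name__ == "__main__":
    before, after = demo()
    print("clean tree:", before)
    print("after tampering:", after)
```

The baseline has to live somewhere the malware cannot “fix” as well (off-host or signed), or the comparison proves nothing. The ctime signal has benign causes such as `cp -p` or package restores that deliberately preserve mtime, so treat it as a lead to triage rather than a verdict; on NTFS the analogous check is comparing the timestamps in the $STANDARD_INFORMATION attribute (which timestomping tools change) with those in $FILE_NAME (which they usually do not).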

Once the mess is cleaned up, the malware will begin its intended purpose with little risk of being removed, leading to the next stage, Propagation.