Components of Malware

Hi Everyone,

I would like to share some knowledge about the basic components of malware. Malware is built like any other application, and its authors follow many of the same software development practices as legitimate software: modular design, reusable components and iterative releases.

Common malware is assembled from a handful of components, each with its own job at some stage of the attack.

Payload

The payload is the core code that carries out the objective of the infection on the host (stealing credentials, encrypting files, giving the operator remote control, and so on). Malware developers put most of their effort into this section, since the success of the attack depends on the quality of this code.

Packer

A packer is like an eggshell that encapsulates the payload. Why does the payload need to be encapsulated? To hide the malicious code from anti-malware products. The packer compresses and obfuscates (or encrypts) the payload and wraps it in a small unpacking stub, so static and signature-based scanning of the file on disk sees only the stub and an opaque blob of bytes. At run time the stub unpacks the real payload in memory using whatever algorithm the developer chose; there are many packing schemes in the wild, from off-the-shelf packers to custom ones. The defender's counter is to look at the sample after it has unpacked itself: emulation, dynamic analysis, or scanning process memory instead of the file.
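To make the eggshell idea concrete, here is an added example (not code from the original post) of a toy packer: it compresses a constructed stand-in payload, XORs the result with a hypothetical stub key, and shows that a naive signature scan finds the marker only after unpacking. The payload bytes, marker string and key are all made up for the illustration.

```python
import zlib

# Constructed stand-in for a payload. A real payload would be machine code or a
# script; here it is a byte string containing a marker that a naive signature
# scanner looks for. STUB_KEY is a hypothetical value an unpacking stub embeds.
PAYLOAD = b"print('hello from the payload')  # MALWARE_MARKER_1234\n" * 4
SIGNATURE = b"MALWARE_MARKER_1234"
STUB_KEY = b"\x5a\xa3\x17\xc8"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the simplest obfuscation layer a packer can apply."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes, key: bytes = STUB_KEY) -> bytes:
    """Build the 'eggshell': compress, then obfuscate the compressed bytes."""
    return xor_bytes(zlib.compress(payload, 9), key)


def unpack(blob: bytes, key: bytes = STUB_KEY) -> bytes:
    """What the unpacking stub does at run time: undo both layers in memory."""
    return zlib.decompress(xor_bytes(blob, key))


def signature_scan(data: bytes, sig: bytes = SIGNATURE) -> bool:
    """A minimal static, signature-based check: is the known pattern in the bytes?"""
    return sig in data


def demo() -> dict:
    """Pack the payload and compare a static scan of the packed blob with a
    scan of the unpacked bytes, which is what a memory scanner would see."""
    packed = pack(PAYLOAD)
    return {
        "packed_size": len(packed),
        "static_scan_hits_packed_file": signature_scan(packed),
        "scan_hits_after_unpack": signature_scan(unpack(packed)),
        "roundtrip_ok": unpack(packed) == PAYLOAD,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The compressed-then-XORed blob no longer contains the marker as a contiguous byte string, so the file-on-disk scan misses it, while the same scan over the unpacked bytes hits. Real packers add layers on top of this (anti-debugging in the stub, key derivation from the environment, multiple stages), but the reason static signatures fail is exactly this transformation.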

Persistence

Once malware has infected a host it will try to persist, that is, to remain present and get executed again after a reboot or user logoff. There are many mechanisms it can tamper with to achieve this, such as the Startup folders and the registry autorun (Run) keys listed below.

Paths to the Startup folders (all users and current user)

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Registry keys that define the Startup folder location

The Startup value under each of these keys holds the path of the folder above. Malware can rewrite it to point at a folder it controls, so the folders listed above are not the only places to look.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Registry Run keys

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Values under these keys are executed at logon (HKLM for every user, HKCU for the current user only), and RunOnce entries are deleted after they run. On 64-bit Windows the Wow6432Node counterparts of the HKLM keys exist as well.
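Knowing the keys is only half the job; the other half is deciding which entries in them deserve a second look. The following added example (my own code, not from the post) reads the Run keys listed above on Windows, or falls back to a constructed set of entries elsewhere, and applies a few heuristics that malware persistence tends to trip: a binary living in a user-writable directory, a Windows system binary name running from outside the Windows directory, and a script host or PowerShell launched with a hidden window or an encoded command. The sample entries, the "alice" user and the base64 blob are all constructed.

```python
import platform
import re
from dataclasses import dataclass

# Run keys as (hive, subkey). HKCU keys included: they persist per user.
RUN_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"),
]

# Heuristics, not verdicts. Illustrative lists, not exhaustive.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\downloads\\", "\\windows\\temp\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "powershell.exe", "cmd.exe"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}


@dataclass
class AutorunEntry:
    location: str   # registry key the value was found under
    name: str       # value name
    command: str    # value data, i.e. the command line that runs at logon


def executable_path(command: str) -> str:
    """Extract the program from a command line, honouring a quoted path."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def assess(entry: AutorunEntry) -> list[str]:
    """Return the list of heuristics this entry trips (empty if none)."""
    exe = executable_path(entry.command).lower()
    basename = exe.rsplit("\\", 1)[-1]
    lowered = entry.command.lower()
    reasons = []
    if any(d in exe for d in USER_WRITABLE):
        reasons.append("binary lives in a user-writable directory")
    if basename in SYSTEM_NAMES and "\\windows\\" not in exe:
        reasons.append(f"{basename} is a Windows binary name but runs from outside the Windows directory")
    if basename in SCRIPT_HOSTS:
        reasons.append("launched via a script host or living-off-the-land binary")
    if re.search(r"\s-(e|ec|enc|encodedcommand)\s", lowered) or re.search(r"\s-w(indowstyle)?\s+hidden", lowered):
        reasons.append("hidden window or encoded command passed to PowerShell")
    return reasons


def audit(entries: list[AutorunEntry]) -> dict[str, list[str]]:
    """Map value name -> reasons, for entries that trip at least one heuristic."""
    return {e.name: r for e in entries if (r := assess(e))}


def enumerate_run_keys() -> list[AutorunEntry]:
    """Read the real keys (Windows only); returns [] on other platforms."""
    if platform.system() != "Windows":
        return []
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = []
    for hive, subkey in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values
                    found.append(AutorunEntry(f"{hive}\\{subkey}", name, str(data)))
                    index += 1
        except OSError:
            continue  # key absent or access denied
    return found


# Constructed entries for running the audit offline; "alice" and the base64 are invented.
SAMPLE_ENTRIES = [
    AutorunEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
                 r"%windir%\system32\SecurityHealthSystray.exe"),
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
                 r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
                 r'"C:\Users\alice\AppData\Local\Temp\svchost.exe" -silent'),
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Setup",
                 r"powershell.exe -w hidden -enc QQBCAEMA"),
]

if __name__ == "__main__":
    entries = enumerate_run_keys() or SAMPLE_ENTRIES
    for name, reasons in audit(entries).items():
        print(name, "->", "; ".join(reasons))
```

On the constructed data only Updater and Setup are flagged; the legitimate SecurityHealth and OneDrive entries pass, although the OneDrive case shows why "anything under AppData" is too broad a rule. RunOnceEx is left out of the live enumeration because it stores its commands in subkeys rather than values.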

Communication

Malware that has infected a host will usually build a connection back to infrastructure controlled by its operator, the command-and-control server (C2 or C&C). This channel serves several purposes: exfiltrating data from the machine, retrieving new commands for the next action, and downloading additional modules. To hide the traffic from network-based detection, malware usually uses an encrypted channel such as TLS (blending in with ordinary HTTPS), SSH, or Tor. Encryption hides the content but not the metadata: the implant still has to check in, and periodic "beacon" connections to the same destination remain visible in flow logs even when every byte is encrypted.
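The point that encryption hides content but not timing is worth seeing in code. The following added example (my own, not from the post) builds a constructed set of flow records, one host beaconing to a C2 address every minute with small jitter and one host browsing at irregular times, and flags the regular one by the coefficient of variation of its inter-connection intervals. The IP addresses, timestamps and thresholds are all invented for the illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

Flow = tuple[datetime, str, str, int]  # (timestamp, src, dst, dst_port)


def constructed_flows() -> list[Flow]:
    """Invented flow records, not a real capture."""
    t0 = datetime(2023, 5, 1, 9, 0, 0)
    flows = []
    # Implant on 10.0.0.5 beaconing to 203.0.113.7:443 every ~60 s with a few seconds of jitter.
    t = t0
    for jitter in (0, 2, -1, 3, 0, -2, 1, 0, 2, -1, 0, 1):
        t += timedelta(seconds=60 + jitter)
        flows.append((t, "10.0.0.5", "203.0.113.7", 443))
    # Ordinary browsing from 10.0.0.6 to a web server at irregular intervals.
    t = t0
    for gap in (5, 310, 12, 900, 45, 3, 1800, 120, 7, 600, 33, 90):
        t += timedelta(seconds=gap)
        flows.append((t, "10.0.0.6", "198.51.100.20", 443))
    return sorted(flows)


def find_beacons(flows: list[Flow], min_connections: int = 8, max_cv: float = 0.2) -> dict:
    """Group flows by (src, dst, port); for groups with enough connections,
    compute the inter-connection intervals and their coefficient of variation
    (stdev / mean). Machine-driven check-ins are far more regular than humans,
    so a low CV is the beacon signal. Returns per-group statistics."""
    by_pair: dict[tuple[str, str, int], list[datetime]] = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    results = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean == 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        results[pair] = {
            "count": len(stamps),
            "mean_interval_s": round(mean, 1),
            "cv": round(cv, 3),
            "beacon": cv <= max_cv,
        }
    return results


if __name__ == "__main__":
    for pair, stats in find_beacons(constructed_flows()).items():
        print(pair, stats)
```

The beaconing pair comes out with a CV of a few percent, the browsing pair well above 1. The caveat a practitioner wants: implants that add large random jitter, or that beacon through a CDN or a domain-fronted service shared with legitimate traffic, push the CV up and need additional features (payload sizes, time-of-day patterns, destination reputation) rather than this single statistic.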

Propagation

Besides infecting one host and gaining the highest privilege on it, malware usually also intends to spread to other machines in order to gain more footholds in the network. It may use a vulnerability found in a system or network service and exploit it to copy itself to another host. Because the propagation code is itself an exploit, network segmentation and least-privilege service accounts limit how far it can travel even after the first host is lost.

Armoring

The malware author will try to defend the code from detection by anti-malware software: antivirus, EDR, sandboxes and many other products. Typically, when the malware runs and finds anti-malware present in its environment, it exhibits only benign behaviour to avoid detection. It will also try to detect the presence of malware analysis tools such as debuggers, IDA, Procmon, Process Hacker and many others, and either exit or behave differently when they are found. This is why analysis sandboxes rename their tools, simulate user activity, and refuse to let long sleep calls be skipped.
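Two of the simplest armoring checks are a look at the running process list for analysis tools and a timing check for sandboxes that fast-forward sleeps. The added example below (my own code, not from the post) implements both and shows the decision the armor makes before handing control to the payload. The tool-name list is illustrative, the 50% tolerance is an arbitrary choice, and process listing is implemented only for Windows via tasklist.

```python
import platform
import subprocess
import time

# Process image names of common analysis tools (lower-case). Illustrative, not exhaustive.
ANALYSIS_TOOLS = {
    "ida.exe", "ida64.exe", "x32dbg.exe", "x64dbg.exe", "windbg.exe", "ollydbg.exe",
    "procmon.exe", "procmon64.exe", "processhacker.exe", "wireshark.exe", "fiddler.exe",
}


def list_processes() -> list[str]:
    """Windows only: image names from `tasklist /fo csv /nh`; [] elsewhere."""
    if platform.system() != "Windows":
        return []
    out = subprocess.run(["tasklist", "/fo", "csv", "/nh"], capture_output=True, text=True)
    return [line.split('","')[0].strip('"') for line in out.stdout.splitlines() if line.strip()]


def analysis_tools_present(process_names) -> set[str]:
    """Case-insensitive intersection of the process list with the tool list."""
    return {p.lower() for p in process_names} & ANALYSIS_TOOLS


def sleep_was_accelerated(seconds: float = 2.0, tolerance: float = 0.5) -> bool:
    """Some sandboxes patch or skip sleeps to finish analysis quickly. If a sleep
    returns in much less wall-clock time than requested, something intervened.
    A sleep that takes *longer* (a busy machine) is not treated as suspicious."""
    start = time.monotonic()
    time.sleep(seconds)
    return (time.monotonic() - start) < seconds * tolerance


def should_stay_benign(process_names, sleep_seconds: float = 2.0) -> bool:
    """The armor's decision: if either check fires, run the harmless branch only."""
    return bool(analysis_tools_present(process_names)) or sleep_was_accelerated(sleep_seconds)


if __name__ == "__main__":
    procs = list_processes()
    print("analysis tools found:", analysis_tools_present(procs) or "none")
    print("stay benign:", should_stay_benign(procs))
```

From the defender's side, each check suggests a counter: run the tools under renamed images or out of the guest entirely, and make sure the sandbox either honours sleeps or advances a virtual clock consistently for every time source the sample can read.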

Stealth

Malware needs to hide its presence on the infected host, both from plain sight and from anti-malware software. Stealth mechanisms range from simple techniques, like setting the hidden attribute on its files, to more complex ones, like infecting other clean programs on the system, code injection, process hollowing, and rootkits.
