Hunting for irregular processes

One of the most common ways malware tries to avoid detection is by pretending to be an instance of a legitimate process

  • Typically, a critical process on the host like svchost.exe on Windows

These can be detected in several different ways:

  • Identifying processes with names similar to known processes

  • Checking the installation directory of processes

  • Checking the process hierarchy for irregularities

  • Comparing processes in-memory and on-disk

Critical process impersonation

Some malware will impersonate legitimate processes by running under a similar name

  • scvhost.exe - Malicious

  • svchost.exe - Legitimate

One way to detect this malware is to use string similarity algorithms

  • Look for strings that are not the same but not very different either

Damerau-Levenshtein distance algorithm:

  • A count of the minimum number of single-character insert/delete/modify/transpose operations needed to convert string1 into string2

  • The score will be 1 for scvhost.exe to svchost.exe
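The lookalike check described above, written out as an added example (this is not code from the original notes). It implements the restricted Damerau-Levenshtein distance (optimal string alignment: insert, delete, substitute and adjacent transpose each cost 1) and runs it over a constructed list of observed process names against a small baseline of critical Windows process names. The baseline list, the observed names and the distance threshold of 2 are all assumptions chosen for the example.

```python
"""Flag running process names that are close to, but not identical to, critical Windows process names."""

# Assumed baseline of critical process names (constructed for this example; extend per environment).
KNOWN_PROCESSES = [
    "svchost.exe", "lsass.exe", "csrss.exe",
    "explorer.exe", "winlogon.exe", "services.exe",
]


def damerau_levenshtein(a, b):
    """Restricted Damerau-Levenshtein (optimal string alignment) distance between a and b.

    Counts the minimum number of single-character insertions, deletions, substitutions
    and adjacent transpositions needed to turn a into b.
    """
    la, lb = len(a), len(b)
    # d[i][j] = distance between the first i chars of a and the first j chars of b
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i          # delete all of a[:i]
    for j in range(lb + 1):
        d[0][j] = j          # insert all of b[:j]
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,        # delete a[i-1]
                d[i][j - 1] + 1,        # insert b[j-1]
                d[i - 1][j - 1] + cost, # substitute (or match)
            )
            # adjacent transposition: "cv" -> "vc" counts as one operation
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[la][lb]


def find_lookalikes(observed, known=KNOWN_PROCESSES, max_distance=2):
    """Return (observed_name, known_name, distance) for names that are near misses of a known name.

    Exact matches are skipped: a legitimate csrss.exe is distance 2 from lsass.exe, so without
    this rule real critical processes would be reported as lookalikes of each other.
    """
    hits = []
    for name in observed:
        n = name.lower()            # Windows file names are case-insensitive
        if n in known:
            continue
        for k in known:
            dist = damerau_levenshtein(n, k)
            if 0 < dist <= max_distance:
                hits.append((name, k, dist))
    return hits


# Constructed sample of process names as they might appear in a process listing.
SAMPLE_PROCESSES = [
    "svchost.exe", "scvhost.exe", "lsass.exe",
    "lsasss.exe", "notepad.exe", "svch0st.exe",
]

if __name__ == "__main__":
    for name, match, dist in find_lookalikes(SAMPLE_PROCESSES):
        print(f"{name} looks like {match} (distance {dist})")
```

On the sample list this reports scvhost.exe, lsasss.exe and svch0st.exe, each at distance 1 from a baseline name, while svchost.exe and lsass.exe pass because they match exactly and notepad.exe passes because it is far from every baseline name.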

Unusual executable locations

Some malware runs out of unusual locations (e.g., Recycle Bin) to avoid being easily detected

Other malware deliberately uses location as part of its hijacking efforts

Windows searches directories in a certain order when looking for an executable to run

  • If a malware author can place an executable with the same name in a directory that is searched earlier in that order, it may be run instead of the legitimate one

Knowing and checking unusual or privileged locations is an important part of hunting for malware
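The location checks described in this section, as an added example that is not part of the original notes. It covers two things: flagging processes whose on-disk path is not the expected directory for that name (or is in a location such as the Recycle Bin or a Temp folder), and, for the search-order hijacking case, spotting an executable name that appears in more than one directory of a given search order so that an earlier directory shadows the expected one. The expected-directory baseline, the list of unusual locations, the search order and all file listings are assumptions constructed for the example.

```python
"""Check where processes run from, and look for executables shadowed by earlier search-order entries."""
import ntpath  # Windows path rules, usable on any platform

# Assumed baseline: where each critical process is expected to live (constructed for this example).
EXPECTED_DIRS = {
    "svchost.exe": r"C:\Windows\System32",
    "lsass.exe": r"C:\Windows\System32",
    "csrss.exe": r"C:\Windows\System32",
    "services.exe": r"C:\Windows\System32",
    "winlogon.exe": r"C:\Windows\System32",
    "explorer.exe": r"C:\Windows",
}

# Locations where a running executable is unusual whatever its name (assumed list, lowercase).
UNUSUAL_DIR_PREFIXES = (
    r"c:\$recycle.bin",
    r"c:\users\public",
    r"c:\windows\temp",
    r"c:\programdata",
)


def _norm(path):
    """Normalise a Windows path for comparison: collapse separators and lowercase."""
    return ntpath.normcase(ntpath.normpath(path))


def is_unusual_dir(directory):
    d = _norm(directory)
    return d.startswith(UNUSUAL_DIR_PREFIXES) or "\\appdata\\local\\temp" in d


def check_process_paths(processes):
    """processes: iterable of (image name, full image path).

    Returns (name, path, reason) for every process running from a directory that is
    either not the expected one for that name or an unusual location in general.
    """
    findings = []
    for name, path in processes:
        n = name.lower()
        d = _norm(ntpath.dirname(path))
        if n in EXPECTED_DIRS and d != _norm(EXPECTED_DIRS[n]):
            findings.append((name, path, "outside expected directory " + EXPECTED_DIRS[n]))
        elif is_unusual_dir(d):
            findings.append((name, path, "running from unusual location"))
    return findings


def find_shadowed_executables(search_order, listing):
    """search_order: directories in the order they are consulted (assumed order for the example).
    listing: mapping of directory -> file names present in it.

    Returns (name, winning_dir, [shadowed_dirs]) for each name present in more than one
    directory; the winning directory is the one found first in the search order.
    """
    files_by_dir = {_norm(d): {f.lower() for f in files} for d, files in listing.items()}
    seen = {}
    for d in (_norm(x) for x in search_order):
        for f in sorted(files_by_dir.get(d, ())):
            seen.setdefault(f, []).append(d)
    return [(f, dirs[0], dirs[1:]) for f, dirs in seen.items() if len(dirs) > 1]


# Constructed sample process listing (name, image path).
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("svchost.exe", r"C:\Users\Public\svchost.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("lsass.exe", r"C:\$Recycle.Bin\S-1-5-21-1234\lsass.exe"),
    ("updater.exe", r"C:\Users\alice\AppData\Local\Temp\updater.exe"),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),
]

# Constructed search order and directory contents for the shadowing check.
SAMPLE_SEARCH_ORDER = [r"C:\Apps\Tool", r"C:\Windows\System32", r"C:\Windows"]
SAMPLE_LISTING = {
    r"C:\Apps\Tool": ["tool.exe", "cmd.exe"],
    r"C:\Windows\System32": ["cmd.exe", "svchost.exe"],
    r"C:\Windows": ["explorer.exe"],
}

if __name__ == "__main__":
    for name, path, reason in check_process_paths(SAMPLE_PROCESSES):
        print(f"{name}: {path} ({reason})")
    for name, winner, shadowed in find_shadowed_executables(SAMPLE_SEARCH_ORDER, SAMPLE_LISTING):
        print(f"{name} resolves to {winner}, shadowing {shadowed}")
```

On the sample data the path check reports the svchost.exe under Users\Public and the lsass.exe under the Recycle Bin as outside their expected directory, and updater.exe as running from a Temp folder; notepad.exe is not in the baseline and runs from System32, so it is not reported. The shadowing check reports that cmd.exe in C:\Apps\Tool would be found before the copy in System32.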