Malware

Hunting for malware

Hunting for malware can be a difficult task

Malware actively tries to remain undetected and avoid deletion

To achieve its goals, malware needs to take certain actions:

Establishing persistence
Avoiding antivirus

Malware can also be detected by testing against known-good baseline configurations

Types

Many different types of malware exist

Named for purpose or how they accomplish it

Common types include:

Backdoors
Credential stealers
Cryptojackers
Fileless malware
Point of Sale (PoS) malware
Ransomware
Rootkits
Worms

Persistence mechanisms

Malware needs a way to ensure that it will be run again after being killed or a computer restart

Common persistence mechanisms include:

AutoStart locations in the registry
Scheduled tasks/cronjobs
Boot process redirection

Persistence mechanisms can also be used to lower a malware's visibility

Only performing malicious actions sometime after installation to complicate the correlation of events

Antivirus evasion

Malware can evade antivirus in a variety of different ways

Most AVs scan files on the disk for known signatures

Some malware checks the current process list for known AVs and either sleeps or attempts to kill them if one is running

Fileless malware avoids antivirus detection by only running in memory, never saving a file to disk

Antivirus logs

You can string-search endpoint security AV logs for known-bad values

Examples of strings to look for:

Known webshells filenames
Anything running under a system directory (%WINDOWS%, %RECYCLER%) or other unusual locations (the webroot)
AV "street names" you are concerned about
PAcked executables (this information needs to be logged)
Known hacking tools (credential dumpers, scanners, etc)
Strings like "dropper"

Baselines

Comparing memory dumps and registry dumps to known-good baselines may reveal deviations that result from malware activity

Volatility plugins can be used:

stalker
profiler
regcomp
hunter

This works best tracked over time, rather than a one-time comparison

Detection and analysis tools

Good starting points for detection include antivirus, IDS and IPS systems

Tools designed for analysis of the registry, processes, system files, etc are also valuable

Once potential malware has been identified, tool choice depends on the desired level of analysis

VirusTotal is a great tool for hish-level analysis and threat identification
For more in-depth analysis, a variety of tools exist:
- Disassemblers: IDA Pro, radare2
- Debuggers: Ollydbg, gdb and Windbg
- Sandboxes: Cuckoo Sandbox and Joe Sandbox

PreviousHost-based threats NextHunting for irregular processes

Last updated 1 year ago

hashtagHunting for malware

hashtagHunting for malware can be a difficult task

hashtagTypes

hashtagMany different types of malware exist

hashtagCommon types include:

hashtagPersistence mechanisms

hashtagMalware needs a way to ensure that it will be run again after being killed or a computer restart

hashtagCommon persistence mechanisms include:

hashtagAntivirus evasion

hashtagMalware can evade antivirus in a variety of different ways

hashtagAntivirus logs

hashtagExamples of strings to look for:

hashtagBaselines

hashtagVolatility plugins can be used:

hashtagDetection and analysis tools

hashtagGood starting points for detection include antivirus, IDS and IPS systems

hashtagOnce potential malware has been identified, tool choice depends on the desired level of analysis