Malware

Hunting for malware

Hunting for malware can be a difficult task

  • Malware actively tries to remain undetected and avoid deletion

To achieve its goals, malware has to take certain actions, and each of them leaves traces that can be hunted for:

  • Establishing persistence

  • Avoiding antivirus

Malware can also be detected by testing against known-good baseline configurations

Types

Many different types of malware exist

  • Named for their purpose or for how they accomplish it

Common types include:

  • Backdoors

  • Credential stealers

  • Cryptojackers

  • Fileless malware

  • Point of Sale (PoS) malware

  • Ransomware

  • Rootkits

  • Worms

Persistence mechanisms

Malware needs a way to ensure that it runs again after its process is killed or the computer restarts

Common persistence mechanisms include:

  • AutoStart locations in the registry (e.g. the Run and RunOnce keys)

  • Scheduled tasks/cronjobs

  • Boot process redirection (bootkits)

Persistence mechanisms can also be used to lower malware's visibility

  • For example, a scheduled task that only starts the malicious activity some time after installation, so that the activity is harder to correlate with the initial infection event

Antivirus evasion

Malware can evade antivirus in a variety of different ways

  • Most AVs scan files on the disk for known signatures

Some malware checks the current process list for known AVs and either sleeps or attempts to kill them if one is running

Fileless malware avoids this kind of scanning by running only in memory and never writing its payload to disk as a file; its persistence is then typically a registry value or scheduled task that relaunches a script or command line, which is where the hunt should look

Antivirus logs

You can string-search endpoint security AV logs for known-bad values

Examples of strings to look for:

  • Known webshell filenames

  • Anything running under a system directory (%WINDOWS%, %RECYCLER%) or other unusual locations (the webroot)

  • AV "street names" you are concerned about

  • Packed executables (the AV must be configured to log this)

  • Known hacking tools (credential dumpers, scanners, etc)

  • Strings like "dropper"
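A worked example of this kind of string search, added here and not part of the original notes: it runs a small set of indicator regexes over a constructed, product-neutral AV log (the "timestamp host action path detection-name" layout is an assumption for the example) and reports which indicators fired and whether the AV actually blocked the file.

```python
import re
from typing import Dict, List

# Constructed sample endpoint AV log for this example; it is not the output of any
# real product. The layout "timestamp host action path detection-name" is an assumption.
SAMPLE_AV_LOG = r"""
2024-03-01T08:12:03Z WS01 Quarantined C:\Users\bob\Downloads\invoice.pdf.exe Trojan:Win32/Dropper.Gen
2024-03-01T08:14:51Z WEB02 Detected C:\inetpub\wwwroot\uploads\cmd.aspx Backdoor:ASP/Webshell
2024-03-01T09:02:17Z WS07 Allowed C:\Windows\Temp\svchost.exe HackTool:Win32/Mimikatz
2024-03-01T09:30:00Z WS03 Clean C:\Program Files\7-Zip\7z.exe -
2024-03-01T10:45:22Z WS01 Detected C:\$Recycle.Bin\S-1-5-21-1004336348-1177238915-682003330-1001\x.exe Packed:Win32/Themida
"""

# Paths may contain spaces, so the path is matched lazily up to the final detection token.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+?) (\S+)$")

# Each rule is applied to the whole line, so both the path and the detection name can trigger it.
INDICATORS: Dict[str, re.Pattern] = {
    # known webshell filenames
    "webshell_filename": re.compile(r"\\(cmd|c99|r57|wso|shell)\.(aspx?|php|jsp)\b", re.I),
    # executables under system directories that rarely host new binaries
    "system_dir": re.compile(r"\\(windows|\$recycle\.bin|recycler)\\", re.I),
    # anything the AV saw inside the webroot
    "webroot": re.compile(r"\\(inetpub\\wwwroot|htdocs)\\", re.I),
    # known hacking tools by "street name"
    "hacktool": re.compile(r"mimikatz|procdump|psexec|hacktool", re.I),
    # generic classifier strings worth a second look
    "dropper_or_packed": re.compile(r"dropper|packed", re.I),
}


def search_av_log(log_text: str, indicators=INDICATORS) -> List[dict]:
    """Return one record per log line that matches at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue  # in production, count unparsed lines rather than silently dropping them
        timestamp, host, action, path, detection = m.groups()
        fired = [name for name, rx in indicators.items() if rx.search(line)]
        if fired:
            hits.append({
                "timestamp": timestamp,
                "host": host,
                "path": path,
                "detection": detection,
                "rules": fired,
                # "Allowed"/"Detected" without quarantine means the file may still be live on the host
                "needs_triage": action.lower() != "quarantined",
            })
    return hits


if __name__ == "__main__":
    for hit in search_av_log(SAMPLE_AV_LOG):
        flag = "TRIAGE" if hit["needs_triage"] else "ok    "
        print(f'{flag} {hit["host"]:5} {",".join(hit["rules"]):40} {hit["path"]}')
```

The clean 7-Zip line produces no record, while the svchost.exe copy under C:\Windows\Temp that the AV merely "Allowed" is the line to chase first: the product named it as a credential dumper and left it on disk.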

Baselines

Comparing memory dumps and registry dumps to known-good baselines may reveal deviations that result from malware activity

Volatility plugins can be used:

  • stalker

  • profiler

  • regcomp

  • hunter

This works best when snapshots are tracked over time, rather than as a one-time comparison
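An added example (not from the original notes) that ties the persistence section above to this one: autostart entries from the Run keys are taken as snapshots, diffed against a known-good baseline and then against each other over time, and only the deviations are run through location heuristics. All snapshot contents, usernames and paths are constructed; how the snapshots are extracted (a registry export, a Volatility printkey run) is outside the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Snapshot = Dict[str, str]  # "<key>\<value name>" -> command line stored in that value

RUN_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed known-good baseline of a freshly built host (not data from a real system).
BASELINE: Snapshot = {
    RUN_HKLM + r"\SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    RUN_HKLM + r"\VMware User Process": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr',
    RUN_HKCU + r"\OneDrive": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

# Two later snapshots of the same host, also constructed.
DAY_1: Snapshot = {
    **BASELINE,
    RUN_HKCU + r"\WindowsUpdate": r"C:\Users\bob\AppData\Roaming\svchost.exe",
}
DAY_2: Snapshot = {
    **DAY_1,
    RUN_HKLM + r"\VMware User Process": r'"C:\Users\Public\vmtoolsd.exe" -n vmusr',
    RUN_HKCU + r"\Updater": r'powershell.exe -w hidden -c "iex (gc $env:APPDATA\u.txt)"',
}

SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
HEURISTICS = [
    ("user_writable_path", re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)),
    ("script_host", re.compile(r"\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?\b", re.I)),
]


def _binary_path(cmdline: str) -> str:
    """First token of a command line, honouring a quoted executable path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def reasons_for(cmdline: str) -> List[str]:
    """Heuristic reasons an autostart command line deserves a look (empty list = none)."""
    reasons = [name for name, rx in HEURISTICS if rx.search(cmdline)]
    exe = _binary_path(cmdline)
    name = exe.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_BINARY_NAMES and not exe.lower().startswith("c:\\windows\\system32\\"):
        reasons.append("system_binary_name_outside_system32")
    return reasons


@dataclass
class Delta:
    label: str
    added: Dict[str, str] = field(default_factory=dict)
    removed: Dict[str, str] = field(default_factory=dict)
    changed: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # key -> (old, new)
    findings: List[Tuple[str, str, List[str]]] = field(default_factory=list)  # (key, cmdline, reasons)


def diff_autostarts(label: str, known_good: Snapshot, current: Snapshot) -> Delta:
    """Deviations of `current` from `known_good`; heuristics run only on the deviations."""
    d = Delta(label)
    for key in sorted(current.keys() - known_good.keys()):
        d.added[key] = current[key]
    for key in sorted(known_good.keys() - current.keys()):
        d.removed[key] = known_good[key]
    for key in sorted(known_good.keys() & current.keys()):
        if known_good[key] != current[key]:
            d.changed[key] = (known_good[key], current[key])
    # Baseline entries are already accepted (OneDrive under AppData would otherwise fire),
    # so only new or changed command lines are scored.
    candidates = list(d.added.items()) + [(k, new) for k, (_, new) in d.changed.items()]
    for key, cmd in candidates:
        reasons = reasons_for(cmd)
        if reasons:
            d.findings.append((key, cmd, reasons))
    return d


def track(known_good: Snapshot, snapshots: List[Tuple[str, Snapshot]]) -> List[Delta]:
    """Diff each snapshot against the previous one, so a deviation is reported once, when it appears."""
    reports = []
    previous = known_good
    for label, snap in snapshots:
        reports.append(diff_autostarts(label, previous, snap))
        previous = snap  # the previous snapshot, not a new baseline: the reviewed baseline moves only after triage
    return reports


if __name__ == "__main__":
    for report in track(BASELINE, [("day1", DAY_1), ("day2", DAY_2)]):
        print(f"[{report.label}] +{len(report.added)} -{len(report.removed)} ~{len(report.changed)}")
        for key, cmd, reasons in report.findings:
            print(f"  {', '.join(reasons)}\n    {key}\n    {cmd}")
```

Day 1 surfaces a new Run value launching a svchost.exe from the user's roaming profile; day 2 surfaces a hidden PowerShell entry and, more subtly, an existing VMware value whose target moved to C:\Users\Public. The same OneDrive path that would trip the AppData heuristic never appears, because it was in the accepted baseline.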

Detection and analysis tools

Good starting points for detection include antivirus, IDS and IPS systems

  • Tools designed for analysis of the registry, processes, system files, etc. are also valuable

Once potential malware has been identified, tool choice depends on the desired level of analysis

  • VirusTotal is a great tool for high-level analysis and threat identification

  • For more in-depth analysis, a variety of tools exist:

    • Disassemblers: IDA Pro, radare2

    • Debuggers: OllyDbg, gdb and WinDbg

    • Sandboxes: Cuckoo Sandbox and Joe Sandbox
