Malware analysis
Analyzing malware, or malicious software, is more of an art than a technique: because malicious programs are so varied, there are limitless ways to hide functionality, and no fixed procedure covers them all.
Some common tools for malware analysis include simple programs like strings, which lists the printable strings in a binary and can reveal URLs, file names, registry keys and imported API names, unless the sample is packed or obfuscated. More complex static analysis looks at the headers of executables with programs like PEiD, which matches packer and compiler signatures, and PeExplorer, which shows sections, imports, exports and resources. Finally, the most complete analysis can be done with a disassembler and debugger such as IDA Pro and OllyDbg, stepping through the code as it runs; this is also the only reliable way to get at code that is unpacked or decrypted at run time.
Malware techniques
Process hollowing
Process hollowing is yet another tool in the kit of those who seek to hide the presence of a process. The idea is straightforward: a bootstrap application creates a seemingly innocent process (typically a legitimate, often signed, system binary) in a suspended state using CreateProcess with the CREATE_SUSPENDED flag. The legitimate image is then unmapped from the suspended process (typically with NtUnmapViewOfSection), memory is allocated in its place, and the image that is to be hidden is written in, headers first and then section by section, with WriteProcessMemory. If the preferred image base of the new image does not match the address at which it was allocated, the new image must be rebased by applying its base relocation directory; an image that carries no relocations can only be loaded at its preferred base. Once the new image is in memory, the bootstrap retrieves the main thread's context with GetThreadContext, sets the register that holds the initial entry point (EAX on 32-bit Windows, RCX on 64-bit) to the entry point of the new image, writes the context back with SetThreadContext, and usually also updates the ImageBaseAddress field of the process's PEB. The process is then resumed with ResumeThread and the entry point of the new image is executed. Because the hollowed process keeps the original's name, path and parent, it looks legitimate in a process listing; the mismatch between the image on disk and the image actually mapped in memory is what memory forensics tools look for.
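The image-preparation half of this procedure, as an added example that is not code from the original page: it parses a PE file, lays it out as the loader would in memory, applies the base relocation table for the address the hollowed process actually provided, and computes the absolute entry point that the bootstrap writes into EAX (x86) or RCX (x64) of the suspended thread's context. The sample PE is constructed inline (a minimal PE32 whose .text holds `mov eax, 0x402000 ; ret` and whose .reloc marks that immediate as needing a fixup), and the allocation address 0x10000000 is an assumed value. The Windows calls that do the unmapping, writing and context switch (NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread) are deliberately left out, since they need a Windows target; everything here runs offline on any platform.

```python
import struct

REL_ABSOLUTE, REL_HIGHLOW, REL_DIR64 = 0, 3, 10   # IMAGE_REL_BASED_* types handled here


def read_u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def build_sample_pe():
    # Constructed sample PE32: preferred base 0x400000, entry at RVA 0x1000,
    # .text is 'mov eax, 0x402000 ; ret' and .reloc marks that imm32 as HIGHLOW.
    base = 0x400000
    text = b"\xb8" + struct.pack("<I", base + 0x2000) + b"\xc3"
    data = b"hollow!\0"
    reloc = struct.pack("<IIHH", 0x1000, 12, (REL_HIGHLOW << 12) | 1, 0)  # one block + padding entry
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 14, 0, 0x200, 0x400, 0,
                      0x1000, 0x1000, 0x2000, base, 0x1000, 0x200)
    opt += struct.pack("<HHHHHHIIIIHHIIIIII", 4, 0, 0, 0, 4, 0, 0, 0x4000, 0x200,
                       0, 3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[5] = (0x3000, len(reloc))                                         # base relocation table
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    def section(name, va, raw_ptr, vsize, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, 0x200, raw_ptr, 0, 0, 0, 0, flags)
    headers = (dos + coff + opt
               + section(b".text", 0x1000, 0x200, len(text), 0x60000020)
               + section(b".data", 0x2000, 0x400, len(data), 0xC0000040)
               + section(b".reloc", 0x3000, 0x600, len(reloc), 0x42000040))
    return b"".join(part.ljust(0x200, b"\0") for part in (headers, text, data, reloc))


def parse_pe(raw):
    """Header fields a loader needs; handles PE32 and PE32+."""
    e_lfanew = read_u32(raw, 0x3C)
    if raw[:2] != b"MZ" or raw[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", raw, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", raw, opt)[0]
    if magic == 0x10B:      # PE32: 32-bit ImageBase at +28, data directories at +96
        image_base, dir_off = read_u32(raw, opt + 28), opt + 96
    elif magic == 0x20B:    # PE32+: 64-bit ImageBase at +24, data directories at +112
        image_base, dir_off = struct.unpack_from("<Q", raw, opt + 24)[0], opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_image, size_of_headers = struct.unpack_from("<II", raw, opt + 56)
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", raw, opt + opt_size + i * 40)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, raw_ptr, raw_size))
    return {"machine": machine, "image_base": image_base, "entry_rva": read_u32(raw, opt + 16),
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "reloc": struct.unpack_from("<II", raw, dir_off + 5 * 8), "sections": sections}


def map_image(raw, hdr):
    """File layout -> memory layout: headers, then each section at its VirtualAddress."""
    image = bytearray(hdr["size_of_image"])
    image[:hdr["size_of_headers"]] = raw[:hdr["size_of_headers"]]
    for _name, va, _vsize, raw_ptr, raw_size in hdr["sections"]:
        image[va:va + raw_size] = raw[raw_ptr:raw_ptr + raw_size]
    return image


def relocate(image, hdr, new_base):
    """Apply the base relocation table for new_base; returns the number of fixups."""
    delta = new_base - hdr["image_base"]
    if delta == 0:
        return 0
    reloc_rva, reloc_size = hdr["reloc"]
    if reloc_size == 0:
        raise ValueError("image has no relocations: it can only run at its preferred base")
    fixups, off, end = 0, reloc_rva, reloc_rva + reloc_size
    while off + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, off)
        if block_size < 8:                                 # malformed block, do not loop forever
            break
        for i in range((block_size - 8) // 2):
            entry = struct.unpack_from("<H", image, off + 8 + 2 * i)[0]
            kind, target = entry >> 12, page_rva + (entry & 0xFFF)
            if kind == REL_ABSOLUTE:
                continue                                   # alignment padding
            if kind not in (REL_HIGHLOW, REL_DIR64):
                raise ValueError("unsupported relocation type %d" % kind)
            fmt, mask = ("<I", 0xFFFFFFFF) if kind == REL_HIGHLOW else ("<Q", (1 << 64) - 1)
            value = struct.unpack_from(fmt, image, target)[0]
            struct.pack_into(fmt, image, target, (value + delta) & mask)
            fixups += 1
        off += block_size
    return fixups


def prepare_hollowed_image(raw, new_base):
    """What the loader needs before SetThreadContext/ResumeThread: the relocated image,
    the fixup count, and the absolute entry point written into EAX (x86) or RCX (x64)."""
    hdr = parse_pe(raw)
    image = map_image(raw, hdr)
    return image, relocate(image, hdr, new_base), new_base + hdr["entry_rva"]
```

Calling prepare_hollowed_image(build_sample_pe(), 0x10000000) reports one fixup, an entry point of 0x10001000 for the thread context, and the immediate in .text patched from 0x402000 to 0x10002000; calling it with the preferred base 0x400000 applies no fixups at all. An image whose relocation directory is empty raises, which is exactly the rebasing caveat above: such an image can only be hollowed into a process where its preferred base is free. The same parse-and-map logic is useful on the defensive side, to compare a dumped process image against the file on disk that the process claims to be running.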
External Links
- Executable File Analysis (Windows Forensic Analysis) Part 1
- Executable File Analysis (Windows Forensic Analysis) Part 2
- Executable File Analysis (Windows Forensic Analysis) Part 3
- Executable File Analysis (Windows Forensic Analysis) Part 4
- Exploiting the Microsoft Windows Task Scheduler '.job' Stack Overflow Vulnerability, by Kevin Wenchel, May 2004
- De Mysteriis Dom Jobsivs: Mac EFI Rootkits, by Snare, October 2012
- Detecting Malware With Memory Forensics, by Hal Pomeranz
- Mac OS X Live Forensics 107: Mac Malware, by Action Dan, November 3, 2014
- The not so boring land of Borland executables, part 1, Hexacorn blog, December 5, 2014
- The not so boring land of Borland executables, part 2, Hexacorn blog, December 18, 2014
- Ghosts in the endpoint by Daniel Regalado, Erye Hernandez, Taha Karim, Varun Jain, April 13, 2016
Analysis techniques and tools
Remnux
- Dynamic malware analysis with Remnux v5 – part 1, by Luis Rocha, January 13, 2015
- Dynamic malware analysis with Remnux v5 – part 2, by Luis Rocha, January 21, 2015
Malware techniques
- Windows Kernel Exploitation Humla, by Ashfaq Ansari, May 7, 2015
Code injection
Process hollowing
- Windows Process Injection - Process Hollowing, by Marc Ochsenmeier, July 6, 2021
Malware analysis
APT28
- Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack, by Fireeye Labs, April 18, 2015
Black POS
- Point-of-Sale System Breaches, by Trend Micro
- New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts, by Rhena Inocencio, August 29, 2014
Careto
- Unveiling "Careto" - The Masked APT, by Kaspersky Lab, February 2014
China Chopper
- Breaking Down the China Chopper Web Shell – Part I, by Tony Lee, Ian Ahl and Dennis Hanzlik, August 7, 2013
- Breaking Down the China Chopper Web Shell – Part 2, by Tony Lee, Ian Ahl and Dennis Hanzlik, August 9, 2013
Dark Hotel
- The Darkhotel APT, by Kaspersky Lab Research, November 2014
Equation group
- How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last, by Dan Goodin, February 16, 2015
Hacking Team
- Police Story: Hacking Team’s Government Surveillance Malware, by Morgan Marquis-Boire, John Scott-Railton, Claudio Guarnieri, and Katie Kleemola, June 24, 2014
- HackingTeam 2.0: The Story Goes Mobile, Kaspersky Lab, June 24, 2014
- Shakacon #6 presentation: Fuck you Hacking Team, From Portugal with Love, by fG!, June 26, 2014
Hikit
- The "Hikit" Rootkit: Advanced and Persistent Attack Techniques (Part 1), by Ryan Kazanciyan, August 20, 2012
- The "Hikit" Rootkit: Advanced and Persistent Attack Techniques (Part 2), by Christopher Glyer, August 22, 2012
Icefog
- The ‘icefog’ APT: A tale of cloak and three daggers, by Kaspersky Lab, September 2013
Kriptovor
- Analysis of KRIPTOVOR: Infostealer+Ransomware, by Erye Hernandez, April 8, 2015
LeoUncia, OrcaRat
- LeoUncia and OrcaRat, by Jérémy Richard, October 24, 2014
PlugX
- I Know You Want Me - Unplugging PlugX, by Takahiro Haruyama and Hiroshi Suzuki, BlackHat Asia 2014
Regin
- Malware Instrumentation Application to Regin Analysis, by tecamac, May 27, 2015
Riptide, Hightide, Threebyte, Watersprout
- Illuminating the Etumbot APT Backdoor, by Arbor Networks, June 6, 2014
- Darwin’s Favorite APT Group, by Ned Moran, Mike Oppenheim, Sarah Engle and Richard Wartell, September 3, 2014
Rombertik
- Threat Spotlight: Rombertik – Gazing Past the Smoke, Mirrors, and Trapdoors, by Talos Group, May 4, 2015
Sednit
- Sednit espionage group now using custom exploit kit, by ESET research, October 8, 2014
Uroburos
- Uroburos - Highly complex espionage software with Russian roots, by G Data SecurityLabs, February 2014
- Uroburos: the snake rootkit, by deresz, tecamac, March 12, 2014
- Uroburos Rootkit Hook Analysis and Driver Extraction, SP Security Blog, March 20, 2014
Winnti
- "Winnti" More than just a game, by Kaspersky Lab, April 2013
Wiper
- Wiper family of malware targeting Sony Pictures grows, by Rommel Ramos, December 10, 2014
WireLurker
- WIRELURKER: A New Era in iOS and OS X Malware, by Palo Alto Networks