Rootkits may be getting most of the attention within the security community. But it’s important not to overlook other, equally effective antiforensic techniques that malware writers have at their disposal for hiding their code from detection, according to a security researcher at the Black Hat 2007 conference.
Nick Harbour, a senior consultant at Alexandria, Va.-based security vendor Mandiant, outlined a few of those techniques during a presentation at the show. None of the methods are especially new, but they have been only scarcely documented.
One of the ways in which malware writers can hide their code from forensic discovery is via a method known as process injection. The technique involves the injection of malicious code into another legitimate running process on an end user’s system, Harbour said, speaking with Computerworld after his presentation.
There are several methods of process injection available to hackers. The technique allows them to conceal the source of the malicious behavior in a computer. The technique can be used to bypass firewalls on client devices and other security defenses, because the process that has been injected with the malicious code would appear largely normal, he said.
Similarly, “a cleverly named process is often enough to fly beneath the radar and avoid immediate detection,” Harbor said in his presentation. The idea is to inject a malicious process in a system and hide its presence by using slight variations on commonly running processes; the Svchost.exe and spoolsv.exe processes make the best targets because there are usually several of them running in memory. “One more will often go unnoticed,” he said in his presentation.
Black Hat 2007, BlackHat 2007, Security, Events, Conference, SEcurity conference, Malwares, Antiforensic, Techniques, Rootkits