{"id":160,"date":"2021-10-13T11:29:52","date_gmt":"2021-10-13T10:29:52","guid":{"rendered":"http:\/\/localhost\/wordpress\/?p=160"},"modified":"2022-03-13T23:05:07","modified_gmt":"2022-03-13T23:05:07","slug":"how-malware-misbehaves-how-to-punish-it","status":"publish","type":"post","link":"http:\/\/localhost\/wordpress\/2021\/10\/13\/how-malware-misbehaves-how-to-punish-it\/","title":{"rendered":"How malware misbehaves &#038; how to punish it"},"content":{"rendered":"\n<div class=\"wp-block-cover\"><span aria-hidden=\"true\" class=\"has-background-dim-60 wp-block-cover__gradient-background has-background-dim\"><\/span><img loading=\"lazy\" decoding=\"async\" width=\"2560\" height=\"1924\" class=\"wp-block-cover__image-background wp-image-161\" alt=\"\" src=\"http:\/\/localhost\/wordpress\/wp-content\/uploads\/2021\/10\/michael-dziedzic-0W4XLGITrHg-unsplash-scaled.jpg\" style=\"object-position:28% 20%\" data-object-fit=\"cover\" data-object-position=\"28% 20%\" srcset=\"http:\/\/localhost\/wordpress\/wp-content\/uploads\/2021\/10\/michael-dziedzic-0W4XLGITrHg-unsplash-scaled.jpg 2560w, http:\/\/localhost\/wordpress\/wp-content\/uploads\/2021\/10\/michael-dziedzic-0W4XLGITrHg-unsplash-300x226.jpg 300w, http:\/\/localhost\/wordpress\/wp-content\/uploads\/2021\/10\/michael-dziedzic-0W4XLGITrHg-unsplash-1024x770.jpg 1024w, http:\/\/localhost\/wordpress\/wp-content\/uploads\/2021\/10\/michael-dziedzic-0W4XLGITrHg-unsplash-768x577.jpg 768w, http:\/\/localhost\/wordpress\/wp-content\/uploads\/2021\/10\/michael-dziedzic-0W4XLGITrHg-unsplash-1536x1155.jpg 1536w, http:\/\/localhost\/wordpress\/wp-content\/uploads\/2021\/10\/michael-dziedzic-0W4XLGITrHg-unsplash-2048x1540.jpg 2048w, http:\/\/localhost\/wordpress\/wp-content\/uploads\/2021\/10\/michael-dziedzic-0W4XLGITrHg-unsplash-440x330.jpg 440w, http:\/\/localhost\/wordpress\/wp-content\/uploads\/2021\/10\/michael-dziedzic-0W4XLGITrHg-unsplash-920x690.jpg 920w\" sizes=\"(max-width: 2560px) 100vw, 2560px\" \/><div class=\"wp-block-cover__inner-container is-layout-flow wp-block-cover-is-layout-flow\">\n<p class=\"has-text-align-center has-red-color has-text-color has-normal-font-size\"><code><strong>let's play a game of cat and mouse<\/strong><\/code><\/p>\n<\/div><\/div>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center\">In this world of ever evolving <a rel=\"noreferrer noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/Malware\" data-type=\"URL\" data-id=\"https:\/\/en.wikipedia.org\/wiki\/Malware\" target=\"_blank\">malware<\/a>, its <strong>behavior<\/strong> and the <strong>methods used to fight<\/strong> against it become <strong>essential knowledge<\/strong> for anyone involved in the IT industry. This article aims to shine a light on the aspects stated above, in order to help computer users stay safe and to stimulate the development of <strong>better<\/strong> <strong>security solutions<\/strong>. <\/p>\n\n\n\n<p><em>Shall we ?<\/em> . . .<\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-large-font-size\"><mark style=\"background-color:rgba(0, 0, 0, 0);color:#901a1a\" class=\"has-inline-color\">I.<\/mark> OS <mark style=\"background-color:rgba(0, 0, 0, 0);color:#149414\" class=\"has-inline-color\">processes<\/mark>: why are they so important?<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>when a file is executed, it becomes a process among the other already existing ones<\/li><li>processes have loaded modules (DLLs) and threads<\/li><li>each process can write into the virtual memory of another process (<span style=\"color:#149414\" class=\"has-inline-color\">code injection<\/span>)<\/li><li>many malicious entities use clean processes (e.g. cmd.exe, regedit.exe, explorer.exe) to execute their<span style=\"color:#149414\" class=\"has-inline-color\"> payloads<\/span> <\/li><li>they are directly used by the malware detection solutions<\/li><\/ul>\n\n\n\n<div style=\"height:60px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-large-font-size\"><mark style=\"background-color:rgba(0, 0, 0, 0);color:#901a1a\" class=\"has-inline-color\">II.<\/mark> Which are the malware <mark style=\"background-color:rgba(0, 0, 0, 0);color:#149414\" class=\"has-inline-color\">detection<\/mark> methods?<\/p>\n\n\n\n<div class=\"wp-block-image wp-duotone-000000-ffffff-1\"><figure class=\"alignleft size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/localhost\/wordpress\/wp-content\/uploads\/2021\/10\/proactivity-edited.png\" alt=\"\" class=\"wp-image-166\" width=\"1069\" height=\"234\" srcset=\"http:\/\/localhost\/wordpress\/wp-content\/uploads\/2021\/10\/proactivity-edited.png 1254w, http:\/\/localhost\/wordpress\/wp-content\/uploads\/2021\/10\/proactivity-edited-300x66.png 300w, http:\/\/localhost\/wordpress\/wp-content\/uploads\/2021\/10\/proactivity-edited-1024x225.png 1024w, http:\/\/localhost\/wordpress\/wp-content\/uploads\/2021\/10\/proactivity-edited-768x168.png 768w\" sizes=\"(max-width: 1069px) 100vw, 1069px\" \/><\/figure><\/div>\n\n\n\n<div style=\"height:8px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-1 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<ul class=\"wp-block-list\"><li>source detection and static detection are usually considered deprecated because they need a training set of already known malware =&gt; problems in detecting samples with novel behavior \/ might misclassify them<\/li><li>static analysis may be easily evaded through code obfuscation or by encrypting the executable file<\/li><li>emulation detection refers to the complete execution of the sample in a controlled environment (to monitor and record actions) =&gt; unsuitable for <span style=\"color:#149414\" class=\"has-inline-color\">real-time protection<\/span>.<\/li><li>some malware samples are able to detect they are executed in a controlled environment, so they alter their actions to appear harmless or manifest decoy behavior =&gt; emulation is susceptible to<span style=\"color:#149414\" class=\"has-inline-color\"> evasion<\/span><\/li><li>security solutions should be both <span style=\"color:#149414\" class=\"has-inline-color\">proactive<\/span> (prevent malware incidents) and <span style=\"color:#149414\" class=\"has-inline-color\">reactive<\/span> (detection for new malicious behavior can be added ASAP)<\/li><\/ul>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:280px\">\n<figure class=\"wp-block-table aligncenter\"><table><tbody><tr><td class=\"has-text-align-center\" data-align=\"center\">=&gt; focus on <span style=\"color:#149414\" class=\"has-inline-color\">dynamic detection<\/span> &#8211; i.e.  monitor the behavior \/ actions of processes dynamically, at run-time<\/td><\/tr><\/tbody><\/table><\/figure>\n<\/div>\n<\/div>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-large-font-size\"><mark style=\"background-color:rgba(0, 0, 0, 0);color:#901a1a\" class=\"has-inline-color\">III.<\/mark> Which are the <mark style=\"background-color:rgba(0, 0, 0, 0);color:#149414\" class=\"has-inline-color\">challenges<\/mark> and <mark style=\"background-color:rgba(0, 0, 0, 0);color:#149414\" class=\"has-inline-color\">goals<\/mark> of solutions based on dynamic detection?<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>a single action performed by a process is usually insufficient to distinguish between malware and legit applications<\/li><li>advanced malware can avoid detection by separating malicious actions into<span style=\"color:#149414\" class=\"has-inline-color\"> multiple processes<\/span> through process creation or code injection =&gt; necessity to monitor malicious groups of processes at once instead of individual ones.<\/li><li>system<span style=\"color:#149414\" class=\"has-inline-color\"> remediation<\/span> after detection: find which process created \/ handled the malicious files, check if those files were executed, if the process compromised other processes, or if any registry changes were made =&gt; in the end, everything should be reverted <\/li><li>definitive <strong><span style=\"color:#149414\" class=\"has-inline-color\">goal<\/span><\/strong>: classify processes as <strong>clean<\/strong> (Negative) or <strong>infected<\/strong> (Positive). The result can be:<ul><li><span style=\"color:#149414\" class=\"has-inline-color\">True Positive<\/span> (<span style=\"color:#149414\" class=\"has-inline-color\">TP<\/span>) &#8211; the entity was correctly classified as malicious<\/li><li><span style=\"color:#149414\" class=\"has-inline-color\">True Negative<\/span> (<span style=\"color:#149414\" class=\"has-inline-color\">TN<\/span>) &#8211; the entity was correctly classified as clean<\/li><li><span class=\"has-inline-color has-red-color\">False Positive<\/span> (<span class=\"has-inline-color has-red-color\">FP<\/span>) &#8211; the entity was erroneously identified as malicious (false alarm)<\/li><li><span class=\"has-inline-color has-red-color\">False Negative<\/span> (<span class=\"has-inline-color has-red-color\">FN<\/span>) &#8211; the entity was erroneously identified as clean <\/li><\/ul><\/li><\/ul>\n\n\n\n<div style=\"height:60px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-large-font-size\"><mark style=\"background-color:rgba(0, 0, 0, 0);color:#901a1a\" class=\"has-inline-color\">IV.<\/mark> But what do we need for <mark style=\"background-color:rgba(0, 0, 0, 0);color:#149414\" class=\"has-inline-color\">dynamic<\/mark> detection?<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><mark style=\"background-color:rgba(0, 0, 0, 0);color:#149414\" class=\"has-inline-color\">heuristics<\/mark> &#8211; each heuristic is an algorithm (function) that analyzes the actions intercepted through monitoring; in case of any peculiar action identified, the heuristic triggers an alert which is passed to an evaluation engine<\/li><li><mark style=\"background-color:rgba(0, 0, 0, 0);color:#149414\" class=\"has-inline-color\">interception mechanisms<\/mark> of the OS (for file system, processes, API etc., which entail complex components &#8211; drivers, DLLs) that provide the actions to the heuristics &#8211; we&#8217;ll focus on Windows here, as this is the most targeted OS<\/li><\/ul>\n\n\n\n<div style=\"height:60px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-large-font-size\"><mark style=\"background-color:rgba(0, 0, 0, 0);color:#901a1a\" class=\"has-inline-color\">V.<\/mark> Which are the <mark style=\"background-color:rgba(0, 0, 0, 0);color:#149414\" class=\"has-inline-color\">interception<\/mark> (filtering) mechanisms of the Windows OS? <\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong><span style=\"color:#87ceeb\" class=\"has-inline-color\">File System Filtering<\/span><\/strong> &#8211; uses file system drivers, kernel-mode components that can monitor \/ modify \/ prevent file system operations. They are of 2 types:<ul><li>Legacy &#8211; problematic, they must handle every type of I\/O operation that a file system driver performs<\/li><li><strong><span style=\"color:#87ceeb\" class=\"has-inline-color\"><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-hardware\/drivers\/ifs\/filter-manager-concepts\" data-type=\"URL\" data-id=\"https:\/\/docs.microsoft.com\/en-us\/windows-hardware\/drivers\/ifs\/filter-manager-concepts\" target=\"_blank\" rel=\"noreferrer noopener\">Minifilter drivers<\/a><\/span><\/strong> &#8211; more reliable, performant and with a simplified development process. They can choose which file system operations to monitor and can register pre-operation and post-operation callback routines that are called by the OS each time the monitored operations are performed.<\/li><\/ul><\/li><li><strong><span style=\"color:#87ceeb\" class=\"has-inline-color\">Process Filtering<\/span><\/strong> &#8211; a <em>minifilter<\/em> driver can also be used to monitor the creation and termination of processes. It can call <em>PsSetCreateProcessNotifyRoutineEx <\/em>API to register a callback routine. Whenever a new process is created, the registered routine is called before the initial thread of the process begins running. The routine can also terminate the process.<\/li><li><strong><span style=\"color:#87ceeb\" class=\"has-inline-color\">Registry Filtering<\/span><\/strong> &#8211; a <em>minifilter<\/em> driver can also be notified whenever an operation that targets the registry is performed by registering a callback routine using the <em>CmRegisterCallbackEx<\/em> API. It is called before and after the registry operation is completed and receives specific info about that operation as parameters. <br>By writing in registry keys like:<br><em>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/em> , or<br><em>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/em> , <br>the malware ensures that it will run at log-on, gaining persistence. <\/li><li><strong><span style=\"color:#87ceeb\" class=\"has-inline-color\">WIN API Hooking<\/span><\/strong> &#8211; intercept API calls by redirecting their execution to an associated routine, called <em><span style=\"color:#149414\" class=\"has-inline-color\">hook<\/span><\/em>, to analyze \/ extract info about the call (parameters or return value) =&gt; the process calls a hooked API. Methods:<ul><li><strong>Import Address Table (IAT) Hooking<\/strong> &#8211; the destination addresses of the functions that are statically imported by the process are altered so that they point to the hook functions<\/li><li><strong>In-Line Hooking<\/strong> &#8211; alter the instructions of the functions to be intercepted, in memory, at run-time, by changing the first several bytes (to transfer the execution to the associated hook routine). When the routine completes processing, control is transferred back to the original API (change the first several bytes back or invoke a function that contains those bytes &#8211; called Trampoline).<\/li><li><strong>Detours<\/strong> &#8211; the Detours library is provided by Microsoft to intercept functions similar to in-line hooking, by applying code dynamically at run-time. The detour function can be used to replace the hooked function or extend its functionality.<\/li><\/ul><\/li><li><strong><span style=\"color:#87ceeb\" class=\"has-inline-color\">Event Tracing for Windows (ETW)<\/span><\/strong> &#8211; allows the interception of system events generated by the Windows OS in real time. As ETW is a <strong><span style=\"color:#149414\" class=\"has-inline-color\">kernel<\/span>-level feature,<\/strong> it is not susceptible to some type of evasion that affects WIN API Hooking, such as <em>hook removal<\/em>, or <em>direct syscall usage<\/em>. It can also avoid application crashes caused by API hooking.<br><strong>Disadvantage<\/strong>: code injection and other memory manipulation actions cannot be reliably identified without the <em>Microsoft-Windows-Threat-Intelligence<\/em> provider, that was included in Windows 10.<\/li><li><strong><span style=\"color:#87ceeb\" class=\"has-inline-color\">Anti-Malware Scan Interface (AMSI)<\/span><\/strong> &#8211; feature included in Windows 10 that contributes to real-time malware detection. Apps can use it to invoke the security solution available on the system to analyze various objects (files, memory areas, streams, URLs, IPs, etc.). It&#8217;s especially useful in detecting malicious scripts that can be highly obfuscated \/ difficult to detect. The Windows 10 script hosts (<em>PowerShell \/ Windows Script Host \/ JavaScript engine<\/em>) integrate AMSI and invoke scans of the code, which must be and is de-obfuscated right before execution.<\/li><\/ul>\n\n\n\n<div style=\"height:60px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-large-font-size\"><mark style=\"background-color:rgba(0, 0, 0, 0);color:#901a1a\" class=\"has-inline-color\">VI.<\/mark> Which are the <mark style=\"background-color:rgba(0, 0, 0, 0);color:#149414\" class=\"has-inline-color\">common actions<\/mark> performed by malware?<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-2 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:66.66%\">\n<ul class=\"wp-block-list\"><li>creating a<strong> copy<\/strong> of the original file &#8211; allows the malware to ensure persistence<\/li><li><strong>hiding<\/strong> a file &#8211; ensures the malicious file is less likely to be noticed by the user<\/li><li><strong>injecting code<\/strong> into another process &#8211; allows execution of code in the context of a process that is known to be clean (usually belonging to the OS)<\/li><li><strong>creating startup registry key <\/strong>&#8211; to ensure persistence after system restart<\/li><li><strong>disabling some critical OS functionalities<\/strong> (e.g., updates) or<strong> terminating critical processes<\/strong> &#8211; to keep the OS vulnerable<\/li><\/ul>\n\n\n\n<p class=\"has-small-font-size\"><code>E.g. 2, <span class=\"has-inline-color has-red-color\">backdoor trojan<\/span>: it usually connects to a malicious command and control server, from which it waits further instructions and can execute other payloads.<\/code><\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column has-background is-layout-flow wp-block-column-is-layout-flow\" style=\"background-color:#1b0505;flex-basis:33.33%\">\n<p><\/p>\n\n\n\n<p class=\"has-text-align-center\" style=\"font-size:19px\"><code>E.g. 1, <span class=\"has-inline-color has-red-color\">ransomware<\/span> actions:<\/code><\/p>\n\n\n\n<p class=\"has-text-align-center\" style=\"font-size:19px\"><code><strong><span class=\"has-inline-color has-red-color\">1.<\/span><\/strong> drop a copy of itself on the  disk<br><strong><span class=\"has-inline-color has-red-color\">2.<\/span><\/strong> launch a copy of itself<br><strong><span class=\"has-inline-color has-red-color\">3.<\/span><\/strong> delete backup (shadow) files<br><strong><span class=\"has-inline-color has-red-color\">4.<\/span><\/strong> inject code into another process <br><strong><span class=\"has-inline-color has-red-color\">5.<\/span><\/strong> enumerate and encrypt files <br><strong><span class=\"has-inline-color has-red-color\">6.<\/span><\/strong> display message to the user to demand ransom for the encrypted data<\/code><\/p>\n<\/div>\n<\/div>\n\n\n\n<p>There are 3 actions, very common in malware, that are especially encountered in <strong>installers<\/strong> &amp; <strong>uninstallers<\/strong> ( =&gt; risk of False Positives): <span style=\"color:#149414\" class=\"has-inline-color\">writing executable files in the System \/ Windows \/ Temporary folders<\/span>, <span style=\"color:#149414\" class=\"has-inline-color\">executing the created files<\/span> and <span style=\"color:#149414\" class=\"has-inline-color\">registering an executable to run at start-up<\/span> =&gt; there&#8217;s a need to distinguish between ordinary executable files and installers\/uninstallers. Legit installers are usually generated by common software installation packages, and can be identified by scanning the file for certain <strong>signatures<\/strong>.<\/p>\n\n\n\n<div style=\"height:60px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-large-font-size\"><mark style=\"background-color:rgba(0, 0, 0, 0);color:#901a1a\" class=\"has-inline-color\">VII.<\/mark> How to smartly <mark style=\"background-color:rgba(0, 0, 0, 0);color:#149414\" class=\"has-inline-color\">evaluate<\/mark> the intercepted actions?<\/p>\n\n\n\n<p>A generic approach is using a <strong><span style=\"color:#149414\" class=\"has-inline-color\"><em>scoring engine<\/em><\/span><\/strong>, which contains heuristics able to detect samples that use various new combinations of malicious actions. A set of predefined features are extracted (from the executable file or based on the actions of the analyzed process). Each feature has an associated <strong><span style=\"color:#149414\" class=\"has-inline-color\">score<\/span><\/strong>, that is used to compute a general score for the sample. If that score exceeds a predefined <span style=\"color:#149414\" class=\"has-inline-color\">threshold<\/span>, the sample is either categorized as a certain type of malware or as clean.<\/p>\n\n\n\n<p class=\"has-eighty-black-background-color has-background\">When thinking of complex malware scoring mechanisms, one may believe that the solution can be implemented using <span style=\"color:#149414\" class=\"has-inline-color\">artificial intelligence<\/span> (<span style=\"color:#149414\" class=\"has-inline-color\"><strong>AI<\/strong><\/span>). An AI algorithm performs well enough in face recognition, for example, because human faces do not change their definitory characteristics over time. But <span style=\"color:#149414\" class=\"has-inline-color\">malware evolves at a rapid pace<\/span>, to use the latest features provided by operating systems and programming languages, as well as <span style=\"color:#149414\" class=\"has-inline-color\">to exploit the latest unpatched<\/span> ( <strong><span style=\"color:#e10600\" class=\"has-inline-color\">zero-day<\/span><\/strong> ) <span style=\"color:#149414\" class=\"has-inline-color\">vulnerabilities<\/span>. Therefore, the scoring engine must be easy to understand and maintain, precise, predictable to changes, and needs to be <span style=\"color:#149414\" class=\"has-inline-color\">updated very quickly<\/span>. This is NOT easily achieved with an AI algorithm, where the training is time consuming and the results cannot be anticipated, not to mention the constantly required <strong>re<\/strong>-training. Also, adding a new heuristic may damage the entire scoring mechanism. Furthermore, an <span style=\"color:#149414\" class=\"has-inline-color\">appropriate training set for dynamic malware detection is almost impossible to find<\/span>.<\/p>\n\n\n\n<p>In <span style=\"color:#149414\" class=\"has-inline-color\">practice<\/span>, adapting the scoring engine to a new threat should require writing a couple of heuristics and calibrating the scores and weights only for them. More exactly, when another malware technique appears in the wild, a security researcher needs to test the security solution against samples or <span style=\"color:#149414\" class=\"has-inline-color\">proof of concepts<\/span> (POCs) that exhibit the new behavior. He \/ She may also <span style=\"color:#149414\" class=\"has-inline-color\">manually<\/span> capture the behavior of the processes by simply using a tool like <strong><em><span style=\"color:#149414\" class=\"has-inline-color\"><a rel=\"noreferrer noopener\" href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/procmon\" data-type=\"URL\" data-id=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/procmon\" target=\"_blank\">Process Monitor<\/a><\/span><\/em><\/strong>. If the current detection model does not identify the new malicious technique, it&#8217;s a clear sign that the current model must be extended.<\/p>\n\n\n\n<p>In a broader perspective, such a solution should be integrated in a modern security application, together with other components such as URL blocking, firewall, classic AV signatures, etc.<\/p>\n\n\n\n<div style=\"height:60px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-large-font-size\"><mark style=\"background-color:rgba(0, 0, 0, 0);color:#901a1a\" class=\"has-inline-color\">VIII.<\/mark> Now, which are the <mark style=\"background-color:rgba(0, 0, 0, 0);color:#149414\" class=\"has-inline-color\">smart tricks<\/mark> used to stay under the radar?<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>solutions that use <span style=\"color:#149414\" class=\"has-inline-color\">dependency graphs<\/span> constructed from API \/ system calls, may be evaded by replacing a call sequence with its semantic equivalent and\/or inserting redundant calls<\/li><li>instead of executing all the malicious actions in a single process, <strong><span style=\"color:#149414\" class=\"has-inline-color\">distribute<\/span><\/strong> the payload to multiple, distinct processes, to be executed over a long period of time. <span class=\"has-inline-color has-white-color\"> <\/span>Because behavior-based detection cannot identify a process based on a single action (due to the risk of False Positives), multiple individual processes, each performing a smaller set of actions, may go <span style=\"color:#149414\" class=\"has-inline-color\">unnoticed<\/span>.<br><span style=\"color:#149414\" class=\"has-inline-color\">Injecting<\/span> the payload in multiple processes also makes cleanup difficult:  if only one affected process is terminated, the malware is capable of re-instantiating itself from another injected process. <br>The distinct malicious processes (that make up an attack) may <span style=\"color:#149414\" class=\"has-inline-color\">communicate<\/span> using traditional inter-process communication, supported by the OS, or through purposely implemented mechanisms.<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Windows<\/strong> <strong>OS<\/strong> <span style=\"color:#149414\" class=\"has-inline-color\">problems that make exploitation easier<\/span>: <ul><li>it does not keep a strict relation between child processes and parent processes =&gt; managing related processes for detection is more difficult, requiring OS specific knowledge<\/li><li>it allows code to be injected in a trivial way and does not provide a synchronous notification when injections occur =&gt; detecting all code injection methods is also considerably hard<\/li><\/ul><\/li><\/ul>\n\n\n\n<div style=\"height:60px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-large-font-size\"><mark style=\"background-color:rgba(0, 0, 0, 0);color:#901a1a\" class=\"has-inline-color\">IX.<\/mark> How do we <mark style=\"background-color:rgba(0, 0, 0, 0);color:#149414\" class=\"has-inline-color\">combat<\/mark> <mark style=\"background-color:rgba(0, 0, 0, 0);color:#149414\" class=\"has-inline-color\">multi-process<\/mark> malware, though?<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>represent the actions performed by each process as feature vectors, then correlate them with the actions performed by the child processes. Disadvantages: difficult to implement, does not consider code injection when correlating processes.<\/li><li>divide the processes into categories: <em>group creators<\/em> (they create other processes, not necessarily related to them), <em>group inheritors<\/em> and <em>unmonitored processes<\/em>. By <span style=\"color:#149414\" class=\"has-inline-color\">assigning a category \/ role to each process<\/span>, the groups of processes are much easier to identify and manage. The category of a process can be identified based on features like: the file path, the digital signature or a hash computed for the executable file. <\/li><li>as installers can be used as a <span style=\"color:#149414\" class=\"has-inline-color\">spreading mechanism<\/span>, when an installation starts, the solution should create a<strong><em><span style=\"color:#149414\" class=\"has-inline-color\"> process lineage tree<\/span><\/em><\/strong>, in which the root is the initial installer application. When the root or a descendant creates a new process, it should be added to the lineage tree as a child of the process that created it. This way, we can observe better the deepness and the exact activity of that installation, as it happens.<\/li><\/ul>\n\n\n\n<div style=\"height:60px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-large-font-size\"><mark style=\"background-color:rgba(0, 0, 0, 0);color:#901a1a\" class=\"has-inline-color\">X.<\/mark> How about the <mark style=\"background-color:rgba(0, 0, 0, 0);color:#149414\" class=\"has-inline-color\">advanced cyberattacks &amp; cyberweapons <\/mark><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-medium-gray-color\">detection<\/mark>?&#8230; \ud83d\ude42<\/p>\n\n\n\n<p>Well, as more and more people are being affected by this <span style=\"color:#149414\" class=\"has-inline-color\"><strong><a rel=\"noreferrer noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/National_Security_Agency\" data-type=\"URL\" data-id=\"https:\/\/en.wikipedia.org\/wiki\/National_Security_Agency\" target=\"_blank\">NSA<\/a><\/strong>-level madness<\/span> <strong><span class=\"has-inline-color has-white-color\">(<\/span><\/strong> shouldn&#8217;t come as a surprise, since some of their <em>most<\/em> <em>sophisticated<\/em> tools &amp; exploits were leaked online by <em><strong><a rel=\"noreferrer noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/The_Shadow_Brokers\" data-type=\"URL\" data-id=\"https:\/\/en.wikipedia.org\/wiki\/The_Shadow_Brokers\" target=\"_blank\">The Shadow Brokers <\/a><\/strong><\/em>&#8211; but that&#8217;s a story for another time <strong><span class=\"has-inline-color has-white-color\">)<\/span><\/strong>, we have to talk about this too.<\/p>\n\n\n\n<p>These attacks are usually orchestrated by <span style=\"color:#149414\" class=\"has-inline-color\">Advanced Persistent Threat (<\/span><span style=\"color:#e10600\" class=\"has-inline-color\">APT<\/span><span style=\"color:#149414\" class=\"has-inline-color\">) actors<\/span> &#8211; highly skilled, motivated and well-funded <em>hackers<\/em>, with ample resources at their disposal (usually nation state sponsored, as now it is much cheaper and effective to <span class=\"has-inline-color has-red-color\">attack<\/span> and <span class=\"has-inline-color has-red-color\">spy<\/span> your enemies in the cyberspace).<\/p>\n\n\n\n<figure class=\"wp-block-image alignwide size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"725\" src=\"http:\/\/localhost\/wordpress\/wp-content\/uploads\/2021\/10\/activity-actor-ramp-diagram.png\" alt=\"\" class=\"wp-image-220\" srcset=\"http:\/\/localhost\/wordpress\/wp-content\/uploads\/2021\/10\/activity-actor-ramp-diagram.png 1000w, http:\/\/localhost\/wordpress\/wp-content\/uploads\/2021\/10\/activity-actor-ramp-diagram-300x218.png 300w, http:\/\/localhost\/wordpress\/wp-content\/uploads\/2021\/10\/activity-actor-ramp-diagram-768x557.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption>APT actors &amp; their motives \/ targets<br><a rel=\"noreferrer noopener\" href=\"https:\/\/www.secureworks.com\/blog\/advanced-persistent-threats-apt-a\" data-type=\"URL\" data-id=\"https:\/\/www.secureworks.com\/blog\/advanced-persistent-threats-apt-a\" target=\"_blank\">https:\/\/www.secureworks.com\/blog\/advanced-persistent-threats-apt-a<\/a><\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>APT attacks are carefully planned and often designed for a specific victim after a significant amount of time is spent researching the target =&gt; challenging to detect<\/li><li>some security researchers <strong>try<\/strong> to combat this by combining the capabilities of the behavioral security solution with the <strong><span style=\"color:#149414\" class=\"has-inline-color\"><a rel=\"noreferrer noopener\" href=\"https:\/\/attack.mitre.org\/\" data-type=\"URL\" data-id=\"https:\/\/attack.mitre.org\/\" target=\"_blank\">MITRE ATT&amp;CK<\/a><\/span><\/strong> knowledge base of <span style=\"color:#149414\" class=\"has-inline-color\">adversary tactics<\/span> <span style=\"color:#149414\" class=\"has-inline-color\">and techniques<\/span>,  which are classified in 14 categories:<\/li><\/ul>\n\n\n\n<ol class=\"has-eighty-black-background-color has-background has-normal-font-size wp-block-list\"><li><kbd><em><span style=\"color:#149414\" class=\"has-inline-color\">Reconnaissance<\/span><\/em> - gather critical information to plan future operations<\/kbd><\/li><li><kbd><em><span style=\"color:#149414\" class=\"has-inline-color\">Resource Development<\/span><\/em> - create\/purchase\/compromise\/steal resources that can be used to support operations<\/kbd><\/li><li><kbd><em><span style=\"color:#149414\" class=\"has-inline-color\">Initial Access<\/span><\/em> - get into the target network<\/kbd> <\/li><li><kbd><em><span style=\"color:#149414\" class=\"has-inline-color\">Execution<\/span> - <\/em>run malicious code<\/kbd><\/li><li><kbd><em><span style=\"color:#149414\" class=\"has-inline-color\">Persistence<\/span><\/em> - maintain your access<\/kbd><\/li><li><kbd><em><span style=\"color:#149414\" class=\"has-inline-color\">Privilege Escalation<\/span><\/em> - get higher-level permissions<\/kbd><\/li><li><kbd><em><span style=\"color:#149414\" class=\"has-inline-color\">Defense Evasion<\/span><\/em> - avoid being detected<\/kbd><\/li><li><kbd><em><span style=\"color:#149414\" class=\"has-inline-color\">Credential Access<\/span><\/em> - steal account names and passwords<\/kbd><\/li><li><kbd><em><span style=\"color:#149414\" class=\"has-inline-color\">Discovery<\/span><\/em> - figure out &amp; map the environment you're in<\/kbd><\/li><li><kbd><em><span style=\"color:#149414\" class=\"has-inline-color\">Lateral Movement<\/span><\/em> - move through the environment<\/kbd><\/li><li><kbd><em><span style=\"color:#149414\" class=\"has-inline-color\">Collection<\/span><\/em> - gather data of interest to your goal<\/kbd><\/li><li><kbd><em><span style=\"color:#149414\" class=\"has-inline-color\">Command and Control<\/span><\/em> - communicate with &amp; control compromised systems<\/kbd><\/li><li><kbd><em><span style=\"color:#149414\" class=\"has-inline-color\">Exfiltration<\/span><\/em> - steal sensitive data<\/kbd><\/li><li><kbd><em><span style=\"color:#149414\" class=\"has-inline-color\">Impact<\/span><\/em> - manipulate and\/or destroy the systems and data<\/kbd><\/li><\/ol>\n\n\n\n<ul class=\"wp-block-list\"><li>these tactics also represent <span style=\"color:#149414\" class=\"has-inline-color\">reasons<\/span> for malware to perform certain actions. Moreover, each category is broken-down into multiple techniques and sub-techniques that indicate how a tactical goal is achieved.<\/li><\/ul>\n\n\n\n<div style=\"height:60px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-large-font-size\"><mark style=\"background-color:rgba(0, 0, 0, 0);color:#901a1a\" class=\"has-inline-color\">Conclusion<\/mark><\/p>\n\n\n\n<p>To wrap up, there are two serious <span style=\"color:#149414\" class=\"has-inline-color\">problems<\/span> that always seem to <strong><span style=\"color:#149414\" class=\"has-inline-color\">haunt<\/span><\/strong> the defense professionals: the <strong><span style=\"color:#149414\" class=\"has-inline-color\">time gap<\/span><\/strong> between the moment a new malware is released, until a behavioral model is available for that malware type (as systems are exposed to attacks), and the<strong> <span style=\"color:#149414\" class=\"has-inline-color\">sophisticated cyberattacks<\/span><\/strong> (<span class=\"has-inline-color has-red-color\">APT<\/span>&#8216;s specialty), which are particularly difficult to detect and they are often discovered when it&#8217;s already <span style=\"color:#149414\" class=\"has-inline-color\">too late<\/span>. Thus, there&#8217;s still an acute need for proactive behavioral detection solutions with fast response capabilities.<\/p>\n\n\n\n<div style=\"height:60px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-extra-small-font-size\">Publications used for this article:<br><em>Sushil Kumar et al. An emerging threat fileless malware: a survey and research challenges, 2020<br>Steve Mansfield-Devine. The malware arms race. Computer Fraud &amp; Security, 2018<br>Jaime Devesa, Igor Santos, Xabier Cantero, Yoseba K. Penya, and Pablo Garcia Bringas. Automatic behaviour-based analysis and classification system for malware detection, 2010<br>Romanch Agarwal, Prabhat Kumar Singh, Nitin Jyoti, Harinath Ramachetty Vishwanath, and Palasamudram Ramagopal Prashanth. System and method for non-signature based detection of malicious processes, 2016<br>Ishai Rosenberg and Ehud Gudes. Bypassing system calls based intrusion detection systems, 2017<br>Weiqin Ma, Pu Duan, Sanmin Liu, Guofei Gu, and Jyh-Charn Liu. Shadow attacks: automatically evading system-call-behavior based malware detection, 2012<br>Jithin Pavithran, Milan Patnaik, and Chester Rebeiro. D-time: distributed threadless independent malware execution for runtime obfuscation, 2019<br>Gheorghe Hajmasan, Alexandra Mondoc, and Octavian Cret. Dynamic behavior evaluation for malware detection. In 2017 5th International Symposium on Digital Forensic and Security (ISDFS), Tirgu Mures, 2017<br>Gheorghe Hajmasan, Alexandra Mondoc, Radu Portase, and Octavian Cret. Evasive Malware Detection Using Groups of Processes, 2017<br>Gheorghe Hajmasan, Radu Portase. Systems and methods for tracking malicious behavior across multiple software entities, 2020<br>Sandor Lukacs, Raul Tosa, Paul Boca, Gheorghe Hajmasan, Andrei Lutas. Complex scoring for malware detection, 2016<br>Sandor Lukacs, Raul Tosa, Paul Boca, Gheorghe Hajmasan, Andrei Lutas. Process evaluation for malware detection in virtual machines, 2015<br>Bill Blunden. The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2009<\/em><br><br><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this world of ever evolving malware, its behavior and the methods used to fight against it become essential knowledge<\/p>\n<p><a href=\"http:\/\/localhost\/wordpress\/2021\/10\/13\/how-malware-misbehaves-how-to-punish-it\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\">How malware misbehaves &#038; how to punish it<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[13,14],"class_list":["post-160","post","type-post","status-publish","format-standard","hentry","category-information-security","tag-malware","tag-malwaredetection"],"_links":{"self":[{"href":"http:\/\/localhost\/wordpress\/wp-json\/wp\/v2\/posts\/160"}],"collection":[{"href":"http:\/\/localhost\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/localhost\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/localhost\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/localhost\/wordpress\/wp-json\/wp\/v2\/comments?post=160"}],"version-history":[{"count":72,"href":"http:\/\/localhost\/wordpress\/wp-json\/wp\/v2\/posts\/160\/revisions"}],"predecessor-version":[{"id":368,"href":"http:\/\/localhost\/wordpress\/wp-json\/wp\/v2\/posts\/160\/revisions\/368"}],"wp:attachment":[{"href":"http:\/\/localhost\/wordpress\/wp-json\/wp\/v2\/media?parent=160"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/localhost\/wordpress\/wp-json\/wp\/v2\/categories?post=160"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/localhost\/wordpress\/wp-json\/wp\/v2\/tags?post=160"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}