Common Malware Behavior


As malware threats continue to grow in both sophistication and frequency, it is increasingly critical for information security professionals to develop effective mitigation and reverse-engineering techniques. A good starting point is identifying and understanding key behaviors common to modern malware intrusions. This also helps ensure that IT defense teams and engineers have the knowledge necessary to dissect, block and undo malware.

Beginning with downloaders and backdoors, this article breaks down a number of behaviors that indicate the potential presence of malware. Learn not just the “whats” but the “whys” in the essential section on the objectives of network analysis and get familiar with some reversing techniques for common attack vectors such as credential stealers, keyloggers and more.

Let’s jump in, shall we?

Key behaviors of various types of malware

Downloaders and backdoors

During a malware attack, the threat actor will often use a range of Trojans to infiltrate a vulnerable system. The infiltration is followed by the creation of a downloader or backdoor that allows the attacker to gain remote access over the targeted system. 

Reversing these applications requires analyzing how downloaders and backdoors run in a sandbox environment as well as understand their processes, registries, network activities and file systems. The reverse engineer will also use a debugger and a disassembler, which could be supported by a decompiler and a range of helpful tools.

Credentials stealers

Credentials stealers are a type of malware that searches for passwords saved on a target machine and transfers them remotely to an attacker (using HTTP, email). Malware authors typically use software that waits for users to log in. Other common techniques involve the use of programs that log keystrokes and tools that dump credentials stored in Windows, like password hashes, for offline cracking. 

Process injection

This is a malware attack (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Dan Virgillito. Read the original post at: