Where Does Malware Hide?


The primary purpose of malware is to remain unnoticed: to avoid being identified quickly and shut down by antivirus software or other security tools.

Malware is often hidden behind legitimate processes. The need for hiding depends not only on the security tools present but also on how long the malware can stay in the system without being detected or disabled: the longer it remains in the system, the more damage it inflicts.

How Malware Hides In A System

File-less Malware Techniques

There is no physical binary installed on the system; all that exists is a script or a memory-resident worm. This malware is hard to detect because there is no obvious file to scan for.

In the past, these scripts would be saved as files on disk so AV could pick them up, but now it's common for attackers to package the scripts as binaries using tools such as Invoke-PSImage or PowerShell Empire.

There is no file system activity at all in these cases; the malware is simply never written out to disk. These tools often use the Windows Image File Execution Options feature (registry value \Run\Optional Microsoft signed executable\ under Microsoft\Windows\CurrentVersion\Group Policy Objects\<GUID>), allowing them to run automatically when a signed Microsoft binary is executed.

However, this is not a foolproof technique, and it often causes the malware to be detected once it has executed.

As a result, attackers have started abusing signed binaries instead of scripts or executables. If a binary is signed with a valid certificate, Windows doesn't care what kind of code is inside it! This allows attackers to abuse legitimate tools such as PowerShell, PsExec and even cmd.exe to perform malicious activity on an infected system. You can see how that might be difficult to spot from an analyst's perspective: everything looks like it has been through Microsoft's security filters.

Modern Malware Hideout

Most modern malware is designed to run in kernel mode. As a result, it is able to do everything from reading information off the hard drive to intercepting keystrokes before they reach other running programs. This gives malware incredible power and stealth. By hiding in the kernel, it is well hidden from disk-based antivirus software!

Places Where Malware Potentially Hides Itself

There are three main places to look for malware (or scripts, or exploits), depending on what you’re trying to protect:

The File System

This is where typical files are stored. It exists on all disks, but not every disk has the same level of importance: the local C: drive, network storage, a USB stick. Malicious activity can be hidden in any of these places.

In Memory

Malware may hide inside a running process or even in memory outside of a process. In both cases, it can be challenging to find since it is not stored on a disk.

In The Kernel

Malware may modify core parts of the operating system to hide from antivirus software that looks for malicious activity by scanning disk drives. This is typically done with rootkits or bootkits.

How One Can Find Hidden Malware In A System

There are tools available that can be used to detect hidden malware.

Snowman

This tool explicitly searches for opcodes (known malicious code patterns) in memory and the swap file. It will give you an idea of what's running, but it won't find anything that isn't already known to the signatures included with the tool. It will also require multiple process-monitoring tools such as procexp or Sysinternals, since malware can hide from one tool but still show up in another.

File System Hunt

Using slightly more advanced techniques and working directly on a disk (no need to dump RAM), we can look for signs of suspicious activity using strings and grep. This technique shouldn't be used alone and is not a replacement for tools such as antivirus software.

Anti Virus Software

Antivirus software is not a silver bullet against malware in server rooms. All of these tools are fundamentally looking for known-bad patterns on disk or in memory.

Since most modern malware hides from file-based antivirus software by running in kernel mode, tools such as AV can be blind to new risks. This can cause an organization to miss new threats that traditional antivirus systems happen to overlook!

Removal Of Hidden Malware

File System

Most file systems can't quickly check for hidden files. As a result, you'll need to boot the system from an external device such as a CD. You can then run software such as strings or grep against all disks to find anything suspicious that might be hiding within memory or on disk.
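The strings-and-grep hunt described under File System Hunt and again here, written out as an added example (it is not code from the original post). It assumes the suspect volume has been mounted read-only from rescue media at a path you pass as the first argument (for instance /mnt/suspect), and the pattern list is a constructed starting set of common loader and download-cradle strings, not a signature database.

```shell
#!/bin/sh
# Added example: offline hunt over a mounted disk using only POSIX tools,
# so it works from a minimal rescue shell that may lack strings(1).
# Assumption: the volume is mounted read-only at the directory passed in.
LC_ALL=C
export LC_ALL

# Constructed starting list of strings a defender commonly looks for in
# dropped scripts and loaders: encoded PowerShell launches, in-memory
# execution and download cradles, and AV-tampering cmdlets.
SUSPICIOUS_PATTERNS='-EncodedCommand|-enc |FromBase64String|Invoke-Expression|IEX \(|DownloadString|Add-MpPreference'

# extract_strings FILE: printable runs of 8+ characters, like strings(1).
# Non-printable bytes become newlines, so binaries are handled the same
# way as text files.
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{8,}'
}

# hunt_dir DIR: print "path: matching string" for each hit in every
# regular file under DIR (files over ~20 MB are skipped to keep the run
# short). Returns 0 if anything matched, 1 if the tree looks clean.
hunt_dir() {
    hits=$(find "$1" -type f -size -20000000c 2>/dev/null |
        while IFS= read -r f; do
            extract_strings "$f" |
                grep -E -i -- "$SUSPICIOUS_PATTERNS" |
                while IFS= read -r line; do
                    printf '%s: %s\n' "$f" "$line"
                done
        done)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Usage from a rescue shell:  hunt_dir /mnt/suspect
```

Hits are leads to triage (a legitimate administration script can trip the same patterns), which is why the page is right that this does not replace antivirus.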

Kernel

Since the kernel is a crucial part of an operating system, it can't simply be replaced. As a result, the only way to remove malware from this location is by reinstalling the entire operating system. This isn't always a feasible solution for most businesses, but it's the only reliable way of removing malware from this location!

Memory

You’ll want to use a tool to dump all physical memory from the system to find suspicious activity stored within it. This is difficult since the location of the page file constantly changes. The good news is that once you reboot the system, any malware hidden in this way will be gone!

Conclusion

The three main places malware can hide are the computer's memory, kernel, and file system. It is essential to get the malware out as soon as you can: the longer it stays there, the more dangerous it is for your device.
