Rootkits may be getting most of the attention within the security community. But it’s important not to overlook other, equally effective antiforensic techniques that malware writers have at their disposal for hiding their code from detection, according to a security researcher at the Black Hat 2007 conference.
Nick Harbour, a senior consultant at Alexandria, Va.-based security vendor Mandiant, outlined a few of those techniques during a presentation at the show. None of the methods are especially new, but they have been only sparsely documented.
One of the ways in which malware writers can hide their code from forensic discovery is via a method known as process injection. The technique involves the injection of malicious code into another legitimate running process on an end user’s system, Harbour said in an interview.
Several process injection methods are available to attackers. Because the malicious code runs inside a legitimate process, the source of the malicious behaviour on the computer is concealed: host firewalls on client devices and other security defences that trust the host process see only a process that appears largely normal, he said.
Similarly, “a cleverly named process is often enough to fly beneath the radar and avoid immediate detection,” Harbour said in his presentation. The idea is to run a malicious process under a name that is a slight variation on a commonly running process and hide it among the legitimate ones; the Svchost.exe and spoolsv.exe processes make the best targets because there are usually several of them running in memory. “One more will often go unnoticed,” he said in his presentation.
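The counter-check a defender would run against that trick is to compare every svchost.exe/spoolsv.exe instance against what the Windows layout says it should look like, and to catch near-miss names. The following is an added example in Python, not code from the talk or from Mandiant; it runs over a constructed process snapshot embedded below, and the expected directory and parent process for each sentinel name are assumptions based on the standard Windows layout.

```python
"""Hunt for masquerading processes: lookalike names, wrong on-disk path,
wrong parent. Added example; the snapshot below is constructed sample data."""
import ntpath

# Names the talk says attackers imitate. The expected directory and parent
# are assumptions taken from the standard Windows service layout.
EXPECTED = {
    "svchost.exe": {"dir": r"C:\Windows\System32", "parents": {"services.exe"}},
    "spoolsv.exe": {"dir": r"C:\Windows\System32", "parents": {"services.exe"}},
}
MAX_EDIT_DISTANCE = 2  # scvhost.exe, svch0st.exe, spoolsvc.exe all fall within this


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, enough to spot one- or two-character name tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_masquerades(processes):
    """Return (pid, name, reason) for every process that breaks a rule above."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        name = p["name"].lower()
        rules = EXPECTED.get(name)
        if rules is None:
            # Not an exact sentinel name: is it a near miss of one?
            for real in EXPECTED:
                if levenshtein(name, real) <= MAX_EDIT_DISTANCE:
                    findings.append((p["pid"], p["name"], f"name resembles {real}"))
            continue
        # Exact sentinel name: it must live in the expected directory ...
        if ntpath.dirname(p["path"]).lower() != rules["dir"].lower():
            findings.append((p["pid"], p["name"], f"unexpected path {p['path']}"))
        # ... and be started by the expected parent.
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else "<none>"
        if parent_name not in rules["parents"]:
            findings.append((p["pid"], p["name"], f"unexpected parent {parent_name}"))
    return findings


# Constructed snapshot (pid, ppid, name, path), not captured from a real host.
SNAPSHOT = [
    {"pid": 4,    "ppid": 0,    "name": "System",       "path": ""},
    {"pid": 600,  "ppid": 500,  "name": "services.exe", "path": r"C:\Windows\System32\services.exe"},
    {"pid": 812,  "ppid": 600,  "name": "svchost.exe",  "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 900,  "ppid": 600,  "name": "svchost.exe",  "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 1044, "ppid": 600,  "name": "spoolsv.exe",  "path": r"C:\Windows\System32\spoolsv.exe"},
    {"pid": 2300, "ppid": 1700, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    # "one more svchost" dropped in a user profile and launched from explorer
    {"pid": 3120, "ppid": 2300, "name": "svchost.exe",  "path": r"C:\Users\bob\AppData\Roaming\svchost.exe"},
    # lookalike name in the right directory
    {"pid": 3344, "ppid": 2300, "name": "scvhost.exe",  "path": r"C:\Windows\System32\scvhost.exe"},
    # right name and parent, wrong directory
    {"pid": 3500, "ppid": 600,  "name": "spoolsv.exe",  "path": r"C:\Windows\Temp\spoolsv.exe"},
]

if __name__ == "__main__":
    for pid, name, reason in find_masquerades(SNAPSHOT):
        print(f"{pid:>6} {name:<14} {reason}")
```

On a live host the snapshot would come from WMI (`Win32_Process` exposes `ParentProcessId` and `ExecutablePath`) or from `psutil`. Note what this check cannot see: code injected into a genuine svchost.exe keeps the right name, path and parent, which is exactly why Harbour rates process injection as effective; catching that requires looking inside the process memory rather than at its metadata.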
Another approach that malware writers can use is to execute malicious code directly from memory on the compromised system. Doing this greatly enhances its stealth because it means the code never has to reside on the hard drive where it might be detected, Harbour said.
The first exploit demonstrating the technique dates back to 2000 and was Windows-specific, Harbour said in a white paper accompanying the presentation. The technique, now commonly called process hollowing, involves launching a legitimate process in a suspended state and then overwriting its in-memory image with malicious code before resuming it.
For instance, an attacker could launch notepad.exe in a suspended state and then overwrite it with sol.exe, causing a game of Solitaire to be presented to the user even though the task list would show notepad.exe running, he said.
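Because hollowing swaps the image while the process bookkeeping still points at the original file, the practical check is to compare the PE header mapped in memory with the PE header of the file on disk; the entry point, image size and section table of sol.exe do not match notepad.exe. The following is an added example in Python, not code from the talk; the two PE headers it compares are constructed in the block with made-up field values, and the memory-dump and disk-file reads that would feed a real check are left to the caller.

```python
"""Offline hollowing check: compare header fields of the on-disk PE with the
PE header found at the process's image base. Added example with constructed
sample headers; a live check would read the disk file and the mapped image."""
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32PLUS_MAGIC = 0x20B


def parse_pe_header(data: bytes) -> dict:
    """Pull out the PE fields that a hollowed-in image almost never reproduces."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    machine, nsections = struct.unpack_from("<HH", data, fh)
    (opt_size,) = struct.unpack_from("<H", data, fh + 16)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
    sections = []
    sec = opt + opt_size                                # IMAGE_SECTION_HEADER[]
    for i in range(nsections):
        base = sec + 40 * i
        name = data[base:base + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, base + 8)
        sections.append((name, vaddr, vsize))
    return {"machine": machine, "magic": magic, "entry_point": entry,
            "size_of_image": size_of_image, "sections": sections}


def hollowing_indicators(disk_image: bytes, mapped_image: bytes) -> list:
    """Return one line per field that differs between disk and memory."""
    d, m = parse_pe_header(disk_image), parse_pe_header(mapped_image)
    findings = []
    for field in ("machine", "magic", "entry_point", "size_of_image"):
        if d[field] != m[field]:
            findings.append(f"{field}: disk=0x{d[field]:x} memory=0x{m[field]:x}")
    if d["sections"] != m["sections"]:
        findings.append(f"sections: disk={[s[0] for s in d['sections']]} "
                        f"memory={[s[0] for s in m['sections']]}")
    return findings


def build_pe_header(entry_point: int, size_of_image: int, section_names) -> bytes:
    """Construct a minimal PE32+ header for the sample data (not a real executable)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240                                      # sizeof IMAGE_OPTIONAL_HEADER64
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, len(section_names),
                           0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, entry_point)
    struct.pack_into("<I", opt, 56, size_of_image)
    secs, va = b"", 0x1000
    for name in section_names:
        secs += struct.pack("<8sII", name.encode(), 0x1000, va) + bytes(24)
        va += 0x1000
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + secs


# Constructed sample headers; the field values are made up for the example.
NOTEPAD_DISK = build_pe_header(0x1A2B0, 0x3E000, [".text", ".rdata", ".data", ".rsrc", ".reloc"])
HOLLOWED_MEMORY = build_pe_header(0x12C0, 0x2A000, [".text", ".rdata", ".data"])

if __name__ == "__main__":
    print("clean  :", hollowing_indicators(NOTEPAD_DISK, NOTEPAD_DISK) or "no differences")
    print("hollow :", hollowing_indicators(NOTEPAD_DISK, HOLLOWED_MEMORY))
```

A legitimately loaded image keeps its headers byte-for-byte as on disk, so any difference in these fields is a strong indicator; memory-forensics tools apply the same comparison across every process in a captured image. An attacker can defeat the header comparison by wiping or forging the in-memory header, so it belongs alongside, not instead of, a check of whether the mapped region at the image base is backed by the file the process claims.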
Such techniques are simpler to use and more commonly available than rootkits and therefore present a more imminent threat to companies, Harbour said.