Last Updated: 2009-09-25 19:37:07 UTC
by Lenny Zeltser (Version: 3)
When examining malicious software, the analyst looks for several categories of traits that malware often possesses. Keeping these categories in mind during the reverse-engineering process helps avoid gaps in coverage, leading to a comprehensive report about the specimen's characteristics:
- Propagation: How does the specimen spread? Malware may spread using networks and mobile media. It may exploit vulnerabilities in server or client-side software. It may have an element of social engineering, and may be loaded by the intruder manually. Propagation may be autonomous (as is the case with many worms) or may require user involvement (such as launching an email attachment).
- Infection: How does the specimen embed itself in the system? Malware may run once, or may remain on the system via auto-run features. Run-once specimens may store themselves solely in memory. Malware may be packed, or may assemble itself dynamically by downloading additional components. Malware may attach itself to benign programs, or may function as a standalone process. Specimens also differ in the degree to which they resist disinfection attempts.
- Self-Defense: How does malware conceal its presence and resist analysis? Malware may attempt to avoid signature-based detection by changing itself. It may time its actions to take place during busy time periods or to occur slowly, so that they don't stand out. It may embed itself within existing processes or network streams, modify OS functionality, and take other creative measures to decrease the chances that its presence will be discovered. Malware may include anti-reversing capabilities, perhaps by using a packer that encrypts the original executable, decrypting it at runtime.
- Capabilities: What "business purpose" does the specimen serve? Malicious software may be designed to collect data, perhaps by sniffing the network, recording keystrokes and screenshots, and locating sensitive files. Malware may also be programmed to wreak havoc on the system, perhaps by deleting or corrupting data, or to act as a pivoting point for attacking other systems. It may also provide the attacker with remote access to the system via a backdoor.
There are several additional categories of traits to consider. These may be considered a subset of the "capabilities" category. However, because modern malware often exhibits these characteristics, it makes sense to call them out separately:
- Exfiltration: How, if at all, does the specimen transmit data out of the affected environment? Malicious software may send captured data over the network using clear-text and encrypted channels, and may rely on ICMP, HTTP, SMTP, and many other standard and custom protocols. Malware may also store data locally, waiting for the attacker to manually copy it off the infected system.
- Command and Control: How, if at all, does the specimen receive updates and instructions? Malicious software may receive commands from the attacker by opening a local network port or by making outbound connections to the attacker's system using protocols such as DNS, HTTP, SMTP, or other client-server and peer-to-peer protocols. Malicious executables often have the ability to upgrade themselves according to a predefined schedule or via the attacker’s request.
Update 1: Andrew Brandt from Webroot wrote to us, recommending another category of traits: Post-Operation behavior. He wrote, "For instance, many Trojans drop or download a payload, execute it, and then self-delete. How does that self-deletion happen? Does it drop a batch file or execute a shell command? Does the file remain memory resident, or does it terminate after adding a Scheduled Tasks .job file, so it 'wakes up' periodically to ensure the payload is still installed? Sometimes the fact that a Trojan self-deletes is the only observed behavior, because that Trojan may have a narrow time window during which it is coded to execute, and outside of that time window the Trojan fails to execute."
Update 2: The category that's now called "Self-Defense" was originally called "Stealth." I changed the name and expanded it to mention anti-reversing capabilities, based on feedback from an anonymous ISC reader.
Are any common malware characteristics missing from the groupings above? If so, please let us know.
Lenny Zeltser - Security Consulting