Source: OST "Malware Reverse Engineering"
Payload Launch Vehicles
I. Droppers: Droppers very often copy themselves to another location and behave differently once in their expected location (e.g. C:\Windows\system32). Other possibilities are:
II. Downloaders: Downloaders may use a variety of network functions and protocols to retrieve their payloads, and may even use encryption or chunk modification/reordering to fool Intrusion Detection Systems (IDS). Some common network libraries and functions used are:
III. Injectors: Malicious processes can stick out like a sore thumb. Even cleverly named processes like scvhost.exe are noticeable to the well-trained analyst. DLL injection is less noticeable, and shellcode injection is even more stealthy, though the calls needed to perform it may raise alarms as they are unusual behavior. They include:
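A defender-side illustration of the three vehicles above, added here and not part of the original notes: toy triage rules run over a constructed sandbox-style event log that flag a look-alike process name (scvhost.exe), a process dropping a copy of itself into system32, and the complete remote-process API chain an injector needs (a partial chain is not reported). The log format, the pids, the file paths and the list of imitated system binaries are assumptions made up for the example.

```python
# Toy triage rules run over a constructed sandbox-style event log (not real telemetry).
import difflib
from collections import defaultdict

SYSTEM_NAMES = ["svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe"]  # illustrative
EXPECTED_DIR = "c:\\windows\\system32\\"
# remote-process memory calls an injector needs; flagged only as the full chain
INJECT_CHAIN = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}

# one event per line: "<pid> <event> <detail>"  (constructed sample, assumed format)
SAMPLE_LOG = """\
1001 process_create c:\\users\\bob\\appdata\\local\\temp\\scvhost.exe
1001 file_write c:\\windows\\system32\\scvhost.exe
1002 process_create c:\\windows\\system32\\svchost.exe
1003 process_create c:\\users\\bob\\downloads\\invoice.exe
1003 api OpenProcess
1003 api VirtualAllocEx
1003 api WriteProcessMemory
1003 api CreateRemoteThread"""

def basename(path): return path.lower().rsplit("\\", 1)[-1]

def lookalike_name(path):
    """System binary that a file name imitates (scvhost -> svchost), or None."""
    name = basename(path)
    if name in SYSTEM_NAMES:
        return None                      # the genuine name, not a look-alike
    hits = difflib.get_close_matches(name, SYSTEM_NAMES, n=1, cutoff=0.8)
    return hits[0] if hits else None

def analyse(log):
    """Return {pid: [finding, ...]}; pids with nothing suspicious are omitted."""
    findings, image, apis = defaultdict(list), {}, defaultdict(set)
    for line in log.splitlines():
        pid, event, detail = line.split(" ", 2)
        if event == "process_create":
            image[pid] = detail.lower()
            mimic = lookalike_name(detail)
            if mimic:
                findings[pid].append(f"look-alike name for {mimic}")
        elif event == "file_write":
            img = image.get(pid, "")   # dropper: copies its own image into system32
            if (detail.lower().startswith(EXPECTED_DIR)
                    and basename(detail) == basename(img) and not img.startswith(EXPECTED_DIR)):
                findings[pid].append("drops a copy of itself into system32")
        elif event == "api":
            apis[pid].add(detail)
    for pid, calls in apis.items():   # only the complete injection chain is reported
        if calls >= INJECT_CHAIN:
            findings[pid].append("remote-process injection API chain")
    return dict(findings)
```

Run `analyse(SAMPLE_LOG)` to see that pid 1002 (the genuine svchost.exe in its expected location) produces no finding while 1001 and 1003 do.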
Author: Vitali Kremez
September 2016