UNIT IV

Malware Functionality
Downloaders and Launchers, Backdoors, Credential Stealers, Persistence
Mechanisms, Handles, Privilege Escalation, Covert malware launching-
Launchers, Process Injection, Process Replacement,Hook Injection,
Detours, APC injection
Downloaders and Launchers
• Two commonly encountered types of malware are downloaders and
launchers.
• Downloaders simply download another piece of malware from the
Internet and execute it on the local system.
• Downloaders commonly use the Windows API URLDownloadtoFileA,
followed by a call to WinExec to download and execute new malware.
• A launcher (also known as a loader) is any executable that installs
malware for immediate or future covert execution.
• Launchers often contain the malware that they are designed to load.
Backdoors
• A backdoor is a type of malware that provides an attacker with remote
access to a victim’s machine.
• Backdoors are the most commonly found type of malware,and they come in
all shapes and sizes with a wide variety of capabilities.
• Backdoors communicate over a common method is over port 80 using the
HTTP protocol.
• HTTP is the most commonly used protocol for outgoing network traffic, so it
offers malware the best chance to blend in with the rest of the traffic.
• Backdoors come with a common set of functionality, such as the ability to
manipulate registry keys, enumerate display windows, create directories,
search files, and so on
Reverse Shell & Netcat Reverse
Shells
• A reverse shell is a connection that originates from an infected machine and
provides attackers shell access to that machine.
• Reverse shells are found as both stand-alone malware and as components of
more sophisticated backdoors.
• Attackers have been known to use Netcat or package Netcat within other
malware.
• When Netcat is used as a reverse shell, the remote machine waits for
incoming connections using the following:
• nc -l –p 80
• The –l option sets Netcat to listening mode, and –p is used to set the port on
which to listen
Windows Reverse Shells
• Attackers employ two simple malware coding implementations for reverse
shells on Windows using cmd.exe: basic and multithreaded.
• The basic method is popular among malware authors, since it’s easier to write
and generally works just as well as the multithreaded technique.
• It involves a call to CreateProcess and the manipulation of the STARTUPINFO
structure that is passed to CreateProcess.
• The multithreaded version of a Windows reverse shell involves the creation of
a socket, two pipes, and two threads (so look for API calls to CreateThread
and CreatePipe).
• This method is sometimes used by malware authors as part of a strategy to
manipulate or encode the data coming in or going out over the socket.
Windows Reverse Shells
• CreatePipe can be used to tie together read and write ends to a pipe,
such as standard input (stdin) and standard output (stdout).
• The CreateProcess method can be used to tie the standard streams to
pipes instead of directly to the sockets.
• After CreateProcess is called, the malware will spawn two threads:
one for reading from the stdin pipe and writing to the socket, and the
other for reading the socket and writing to the stdout pipe.
RATs
• A remote administration tool (RAT) is used to remotely manage a
computer or computers.
• RATs are often used in targeted attacks with specific goals, such as
stealing information or moving laterally across a network.
• The server is running on a victim host implanted with malware. The
client is running remotely as the command and control unit operated
by the attacker.
• The servers beacon to the client to start a connection, and they are
controlled by the client.
• RAT communication is typically over common ports like 80 and 443.
RAT network structure
Botnets
• A botnet is a collection of compromised hosts, known as zombies, that are controlled
by a single entity, usually through the use of a server known as a botnet controller.
• The goal of a botnet is to compromise as many hosts as possible in order to create a
large network of zombies that the botnet uses to spread additional malware or spam,
or perform a distributed denial-of-service (DDoS) attack.
• RATs and Botnets Compared There are a few key differences between botnets and
RATs:
•  Botnets have been known to infect and control millions of hosts. RATs typically
control far fewer hosts.
•  All botnets are controlled at once. RATs are controlled on a per-victim basis because
the attacker is interacting with the host at a much more intimate level.
•  RATs are used in targeted attacks. Botnets are used in mass attacks.
Credential Stealers
• Attackers often go to great lengths to steal credentials, primarily with
three types of malware:
•  Programs that wait for a user to log in in order to steal their
credentials
•  Programs that dump information stored in Windows, such as
password hashes, to be used directly or cracked offline
•  Programs that log keystrokes
GINA Interception
• On Windows XP, Microsoft’s Graphical Identification and Authentication (GINA)
interception is a technique that malware uses to steal user credentials.
• GINA is implemented in a DLL, msgina.dll, and is loaded by the Winlogon
executable during the login process.
• Winlogon also works for thirdparty customizations implemented in DLLs by loading
them in between Winlogon and the GINA DLL (like a man-in-the-middle attack).
• In one instance, we found a malicious file fsgina.dll installed in this registry location
as a GINA interceptor.
• The malware (fsgina.dll) is able to capture all user credentials submitted to the
system for authentication.
• It can log that information to disk or pass it over the network.
Hash Dumping
• Dumping Windows hashes is a popular way for malware to access system
credentials. Attackers try to grab these hashes in order to crack them offline or to
use them in a pass-the-hash attack.
• A pass-the-hash attack uses LM and NTLM hashes to authenticate to a remote
host (using NTLM authentication) without needing to decrypt or crack the hashes
to obtain the plaintext password to log in.
• Pwdump and the Pass-the-Hash (PSH) Toolkit are freely available packages that
provide hash dumping
• Pwdump is a set of programs that outputs the LM and NTLM password hashes of
local user accounts from the Security Account Manager (SAM).
• Pwdump works by performing DLL injection inside the Local Security Authority
Subsystem Service (LSASS) process
Keystroke Logging
• Keylogging is a classic form of credential stealing.
• When keylogging, malware records keystrokes so that an attacker can
observe typed data like usernames and passwords.
• Windows malware uses many forms of keylogging.
• Kernel-Based Keyloggers
• Kernel-based keyloggers are difficult to detect with user-mode
applications.
• They are frequently part of a rootkit and they can act as keyboard
drivers to capture keystrokes, bypassing user-space programs and
protections.
• User-Space Keyloggers
• Windows user-space keyloggers typically use the Windows API and are usually
implemented with either hooking or polling.
• Hooking uses the Windows API to notify the malware each time a key is
pressed, typically with the SetWindowsHookEx function.
• Polling uses the Windows API to constantly poll the state of the keys, typically
using the GetAsyncKeyState and GetForegroundWindow functions.
• Hooking keyloggers leverage the Windows API function SetWindowsHookEx.
• This type of keylogger may come packaged as an executable that initiates the
hook function, and may include a DLL file to handle logging that can be mapped
into many processes on the system automatically.
• Polling keyloggers that use GetAsyncKeyState and
GetForegroundWindow.
• The GetAsyncKeyState function identifies whether a key is pressed or
depressed, and whether the key was pressed after the most recent
call to GetAsyncKeyState.
• The GetForegroundWindow function identifies the foreground
window—the one that has focus—which tells the keylogger which
application is being used for keyboard entry
Persistence Mechanisms
• Once malware gains access to a system, it often looks to be there for a
long time. This behavior is known as persistence.
• If the persistence mechanism is unique enough, it can even serve as a
great way to fingerprint a given piece of malware.
• The Windows Registry:
• Malware to access the registry to store configuration
information,gather information about the system, and install itself
persistently.
• AppInit_DLLs:
• Malware authors can gain persistence for their DLLs though a special registry
location called AppInit_DLL.
• AppInit_DLLs are loaded into every process that loads User32.dll, and a
simple insertion into the registry will make AppInit_DLLs persistent.
• The AppInit_DLLs value is of type REG_SZ and consists of a space-delimited
string of DLLs.
• Most processes load User32.dll, and all of those processes also load the
AppInit_DLLs. Malware authors often target individual processes, but
AppInit_DLLs will be loaded into many processes. The registry key is
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows
Winlogon Notify
• Malware authors can hook malware to a particular Winlogon event,
such as logon, logoff, startup, shutdown, and lock screen.
• This can even allow the malware to load in safe mode.
• The registry entry consists of the Notify value in the following registry
key:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Winlogon\
• When winlogon.exe generates an event, Windows checks the Notify
registry key for a DLL that will handle it.
SvcHost DLLs
• Malware is often installed as a Windows service, but typically uses an
executable.
• Installing malware for persistence as an svchost.exe
• DLL makes the malware blend into the process list and the registry better
than a standard service.
• Svchost.exe is a generic host process for services that run from DLLs, and
Windows systems often have many instances of svchost.exe running at once.
• Each instance of svchost.exe contains a group of services that makes
development, testing, and service group management easier.
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ServiceName
Trojanized System Binaries
• Another way that malware gains
persistence is by trojanizing
system binaries.
• With this technique, the
malware patches bytes of a
system binary to force the
system to execute the malware
the next time the infected binary
is run or loaded.
DLL Load-Order Hijacking
• DLL load-order hijacking is a simple, covert technique that allows malware authors
to create persistent, malicious DLLs without the need for a registry entry or
trojanized binary.
• The default search order for loading DLLs on Windows XP is as follows:
• 1. The directory from which the application loaded
• 2. The current directory
• 3. The system directory (the GetSystemDirectory function is used to get the path,
such as …/Windows/System32/)
• 4. The 16-bit system directory (such as …/Windows/System/)
• 5. The Windows directory (the GetWindowsDirectory function is used to get the
path, such as …/Windows/)
• 6. The directories listed in the PATH environment variable
Handles
• Handles are items that have been opened or created in the OS, such as a window,
process, module, menu, file, and so on.
• Handles are like pointers in that they refer to an object or memory location
somewhere else.
• However,unlike pointers, handles cannot be used in arithmetic operations, and they
do not always represent the object’s address.
• The only thing you can do with a handle is store it and use it in a later function call to
refer to the same object.
• The CreateWindowEx function has a simple example of a handle.
• It returns an HWND, which is a handle to a window.
• Whenever you want to do anything with that window, such as call DestroyWindow,
you’ll need to use that handle.
Privilege Escalation
• The malware will usually need to perform a privilege-escalation attack
to gain full access.
• The majority of privilege-escalation attacks are known exploits or
zero-day attacks against the local OS, many of which can be found in
the
• Metasploit Framework (http://www.metasploit.com/). DLL load-order
hijacking can even be used for a privilege escalation.
• If the directory where the malicious DLL is located is writable by the
user, and the process that loads the DLL is run at a higher privilege
level, then the malicious DLL will gain escalated privileges.
Using SeDebugPrivilege
• The SeDebugPrivilege privilege was created as a tool for system-level debugging,
but malware authors exploit it to gain full access to a system-level process.
• By default, SeDebugPrivilege is given only to local administrator accounts, and it
is recognized that granting SeDebugPrivilege to anyone is essentially equivalent to
giving them LocalSystem account access.
• A normal user account cannot give itself SeDebugPrivilege; the request will be
denied.
• the malware calls LookupPrivilegeValueA. which retrieves the locally unique
identifier (LUID).
• The LUID is a structure that represents the specified privilege (in this case,
SeDebugPrivilege).
Covert malware launching
• Launchers
• The goal of a launcher is to set up things so that the malicious behavior is
concealed from a user.
• Launchers often contain the malware that they’re designed to load.
• Launchers will often store malware within the resource section.
• When the launcher is run, it extracts an embedded executable or DLL from the
resource section before launching it.
• launcher use resource-manipulation API functions such as FindResource,
LoadResource, and SizeofResource.
• Malware launchers often must be run with administrator privileges or escalate
themselves to have those privileges
Process Injection
• The most popular covert launching technique is process injection
• Malware authors use process injection in an attempt to conceal the
malicious behavior of their code, and sometimes they use this to try
to bypass host-based firewalls and other process-specific security
mechanisms.
• Certain Windows API calls are commonly used for process injection.
• For example, the VirtualAllocEx function can be used to allocate space
in an external process’s memory
• WriteProcessMemory can be used to write data to that allocated
space.
DLL Injection
• DLL injection—a form of process
injection where a remote
process is forced to load a
malicious DLL—is the most
commonly used covert loading
technique.
• DLL injection works by injecting
code into a remote process that
calls LoadLibrary, thereby forcing
a DLL to be loaded in the context
of that process
DLL Injection
• The function CreateRemoteThread is commonly used for DLL injection to allow
the launcher malware to create and execute a new thread in a remote process.
• When CreateRemoteThread is used, it is passed three important parameters:
• the process handle (hProcess) obtained with OpenProcess, along with the
starting point of the injected thread (lpStartAddress) and an argument for that
thread (lpParameter).
• Malware authors generally use VirtualAllocEx to create space for the malicious
library name string.
• The VirtualAllocEx function allocates space in a remote process if a handle to
that process is provided.
Direct Injection
• Direct injection involves allocating and inserting code into the memory space of a remote
process.
• Direct injection uses many of the same Windows API calls as DLL injection.
• The difference is that instead of writing a separate DLL and forcing the remote process to
load it, directinjection malware injects the malicious code directly into the remote
process.
• Direct injection is more flexible than DLL injection, but it requires a lot of customized
code in order to run successfully without negatively impacting the host process.
• This technique can be used to inject compiled code, but more often, it’s used to inject
shellcode.
• Three functions are commonly found in cases of direct injection: VirtualAllocEx,
WriteProcessMemory, and CreateRemoteThread
Process Replacement
• some malware uses a method known as process replacement to overwrite
the memory space of a running process with a malicious executable.
• Process replacement is used when a malware author wants to disguise
malware as a legitimate process, without the risk of crashing a process
through the use of process injection.
• This technique provides the malware with the same privileges as the process
it is replacing.
• For example, if a piece of malware were to perform a process-replacement
attack on svchost.exe, the user would see a processname svchost.exe running
from C:\Windows\System32 and probably think nothing of it.
• Key to process replacement is creating a process in a suspended state
Process replacement is an effective
way for malware to appear
nonmalicious.

By masquerading as the victim

process, the malware is able to
bypass firewalls or intrusion
prevention systems (IPSs) and avoid
detection by appearing
to be a normal Windows process.
Hook Injection
• Hook injection describes a way to load malware that takes advantage
of Windows hooks, which are used to intercept messages destined for
applications.
• Malware authors can use hook injection to accomplish two things:
•  To be sure that malicious code will run whenever a particular
message is intercepted
•  To be sure that a particular DLL will be loaded in a victim process’s
• memory space
Local and Remote Hooks
• There are two types of Windows hooks:
•  Local hooks are used to observe or manipulate messages destined for an internal
process.
•  Remote hooks are used to observe or manipulate messages destined for a remote
process (another process on the system).
• Remote hooks are available in two forms: high and low level.
• High-level remote hooks require that the hook procedure be an exported function
contained in a DLL, which will be mapped by the OS into the process space of a
hooked thread or all threads.
• Low-level remote hooks require that the hook procedure be contained in the process
that installed the hook.
Keyloggers Using Hooks
• Hook injection is frequently used in malicious applications known as
keyloggers, which record keystrokes.
• Keystrokes can be captured by registering high- or low-level hooks using
the WH_KEYBOARD or WH_KEYBOARD_LL hook procedure types,
respectively.
• For WH_KEYBOARD procedures, the hook will often be running in the
context of a remote process, but it can also run in the process that
installed the hook.
• For WH_KEYBOARD_LL procedures, the events are sent directly to the
process that installed the hook, so the hook will be running in the
context of the process that created it.
Using SetWindowsHookEx
• The principal function call used to perform remote Windows hooking is
• SetWindowsHookEx, which has the following parameters:
• idHook Specifies the type of hook procedure to install.
• lpfn Points to the hook procedure.
• hMod For high-level hooks, identifies the handle to the DLL containing the
hook procedure defined by lpfn. For low-level hooks, this identifies the local
module in which the lpfn procedure is defined.
• dwThreadId Specifies the identifier of the thread with which the hook
procedure is to be associated. If this parameter is zero, the hook procedure is
associated with all existing threads running in the same desktop as the calling
thread. This must be set to zero for low-level hooks.
Thread Targeting
• When targeting a specific dwThreadId, malware generally includes
instructions for determining which system thread identifier to use, or it
is designed to load into all threads.
• Malware will load into all threads only if it’s a keylogger or the
equivalent
• Targeting a single thread requires a search of the process listing for the
target process and can require that the malware run a program if the
target process is not already running
• If a malicious application hooks a Windows message that is used
frequently, it’s more likely to trigger an IPS, so malware will often set a
hook with a message that is not often used, such as WH_CBT
Detours
• Detours is a library developed by Microsoft Research in 1999. It was originally
intended as a way to easily instrument and extend existing OS and application
functionality.
• Malware authors like Detours, too, and they use the Detours library to perform
import table modification, attach DLLs to existing program files, and add function
hooks to running processes.
• The malware modifies the PE structure and creates a section named .detour,
which is typically placed between the export table and any debug symbols.
• The .detour section contains the original PE header with a new import address
table.
• The malware author then uses Detours to modify the PE header to point to the
new import table, by using the setdll tool provided with the Detours library.
Detours
• shows a PEview of Detours being used to trojanize
notepad.exe.
• Notice in the .detour section at that the new
import table contains evil.dll, seen at Evil.dll will
now be loaded whenever Notepad is launched.
• Notepad will continue to operate as usual, and
most users would have no idea that the malicious
DLL was executed.
• Instead of using the official Microsoft Detours
library, malware authors have been known to use
alternative and custom methods to add a .detour
section.
APC Injection (Asynchronous
Procedure Call ).
• APCs can direct a thread to execute some other code prior to executing its regular
execution path.
• Every thread has a queue of APCs attached to it, and these are processed when the
thread is in an alertable state, such as when they call functions like
WaitForSingleObjectEx, WaitForMultipleObjectsEx, and SleepEx.
• Malware authors use APCs to preempt threads in an alertable state in order to get
immediate execution for their code.
• APCs come in two forms:
•  An APC generated for the system or a driver is called a kernel-mode APC.
•  An APC generated for an application is called a user-mode APC.
• Malware generates user-mode APCs from both kernel and user space using APC
injection.
APC Injection from User Space
• Thread can queue a function to be invoked in a remote thread, using the API function
QueueUserAPC.
• Because a thread must be in an alertable state in order to run a user-mode APC,
malware will look to target threads in processes that are likely to go into that state.
• The QueueUserAPC’s parameters: pfnAPC, hThread, and dwData.
• A call to QueueUserAPC is a request for the thread whose handle is hThread to run
the function defined by pfnAPC with the parameter dwData.
• Once a target-thread identifier is obtained, the malware uses it to open a handle to
the thread the malware targeted svchost.exe, which is a popular target for APC
injection because its threads are often in an alertable state.
• Malware may APC-inject into every thread of svchost.exe just to ensure that
execution occurs quickly.
APC Injection from Kernel Space
• Malware drivers and rootkits often wish to execute code in user
space, but there is no easy way for them to do it.
• One method they use is to perform APC injection from kernel space to
get their code execution in user space.
• A malicious driver can build an APC and dispatch a thread to execute
it in a user-mode process (most often svchost.exe).
• APCs of this type often consist of shellcode.
• Device drivers leverage two major functions in order to utilize APCs:
KeInitializeApc and KeInsertQueueApc
• The APC first must be initialized with a call to
KeInitializeApc.
• If the sixth parameter (NormalRoutine)  is non-
zero in combination with the seventh parameter
(ApcMode)  being set to 1, then we are looking
at a usermode type.
• KeInitializeAPC initializes a KAPC structure,
which must be passed to KeInsertQueueApc to
place the APC object in the target thread’s
corresponding APC queue.
• the malware targeted svchost.exe, but to make
that determination, we would need to trace
back the second-to-last parameter pushed
• on the stack to KeInitializeApc.
• This parameter contains the thread that will be
injected.