When examining malicious software, the analyst looks for several categories of traits that malware often possesses. Keeping these categories in mind during the reverse-engineering process helps avoid gaps in coverage, leading to a comprehensive report about the specimen's characteristics:
- Propagation: How does the specimen spread? Malware may spread using networks and mobile media. It may exploit vulnerabilities in server or client-side software. It may have an element of social engineering, and may be loaded by the intruder manually. Propagation may be autonomous (as is the case with many worms) or may require user involvement (such as launching an email attachment).
- Infection: How does the specimen embed itself in the system? Malware may run once, or may remain on the system via auto-run features. Run-once specimens may store themselves solely in memory. Malware may be packed, or may assemble itself dynamically by downloading additional components. Malware may attach itself to benign programs, or may function as a standalone process. Specimens also differ in the degree to which they resist disinfection attempts.
- Stealth: How does the specimen conceal its presence? Malware may attempt to avoid signature-based detection by changing itself. It may time its actions to take place during busy time periods or to occur slowly, so that they don't stand out. It may embed itself within existing processes or network streams, modify OS functionality, and take other creative measures to decrease the chances that its presence will be discovered.
- Capabilities: What "business purpose" does the specimen serve? Malicious software may be designed to collect data, perhaps by sniffing the network, recording keystrokes and screenshots, and locating sensitive files. Malware may also be programmed to wreak havoc on the system, perhaps by deleting or corrupting data, or to act as a pivoting point for attacking other systems. It may also provide the attacker with remote access to the system via a backdoor.
There are several additional categories of traits to consider. These may be considered a subset of the "capabilities" category. However, because modern malware often exhibits these characteristics, it makes sense to call them out separately:
- Exfiltration: How, if at all, does the specimen transmit data out of the affected environment? Malicious software may send captured data over the network using clear-text and encrypted channels, and may rely on ICMP, HTTP, SMTP, and many other standard and custom protocols. Malware may also store data locally, waiting for the attacker to manually copy it off the infected system.
- Command and Control: How, if at all, does the specimen receive updates and instructions? Malicious software may receive commands from the attacker by opening a local network port or by making outbound connections to the attacker's system using protocols such as DNS, HTTP, SMTP, or other client-server and peer-to-peer protocols. Malicious executables often have the ability to upgrade themselves according to a predefined schedule or at the attacker's request.
Are any common malware characteristics missing from the groupings above? If so, please let us know.
Lenny Zeltser - Security Consulting
Lenny teaches malware analysis at SANS. You're welcome to follow him on Twitter. You can also track new Internet Storm Center diaries by following ISC on Twitter.
Sep 25th 2009