Infiltration
Basic encryption
Basic, easily cracked obfuscation of the malware code: XOR encoding, Base64 encoding, or the ROT-13 cipher.
Oligomorphism
Polymorphism
The malware code is encrypted with a different method for each victim, which changes the size and/or shape of the code.
Metamorphism
The malware code itself is different every time it is propagated to a new victim: the techniques used in polymorphism are applied to the code itself rather than only to an encryption layer.
Debugger detection
The malware is able to detect when it is being run within a debugger, and hides its functionality.
Binary packing
A packer, or compression engine, is used to compress the code and so prevent static analysis of the original binary.
Binary files belonging to legitimate applications are replaced with malicious files; such malware can also hijack legitimate programs and perform malicious acts on their behalf.
Kernel root kit
The kernel is the core of the operating system, and programs run on top of it. A root kit that lives in the kernel therefore sits at the same level as the anti-malware software (which also runs on the kernel), so that software is unable to detect it. This causes instability on the target machine.
Virtual root kit
Virtual root kits place themselves on top of the boot loader and then boot the target operating system within themselves, in a manner similar to a virtual machine. They therefore control all data flowing from the OS.
Boot kit
This allows an attacker to infect start-up code such as the Master Boot Record (MBR), Volume Boot Record (VBR) or boot sector, and in this way can be used to attack systems with full-disk encryption.
Firmware root kit
These are embedded within the firmware of devices such as network devices, so the root kit persists for as long as the device does. Attempts to delete the software result in its reinstallation on the next reboot.
Exfiltration
HTTP(S)/FTP
Use of standard web and file-transfer ports to move data out, or of HTTP POST requests.
SSH tunnel
IRC messaging
Bluetooth/Wi-Fi
Cloud services
DNS tunnelling
Use of UDP DNS queries in which the data is encoded into the subdomain labels of the name being looked up.
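One defender-side check for the DNS tunnelling entry above, written as an added example rather than anything taken from the original document: it scans constructed resolver log lines (every name and address is invented) and flags registered domains whose unique subdomains are numerous, long and high-entropy at the same time. The thresholds and the last-two-labels domain split are assumptions to be tuned per environment.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines ("<timestamp> <client> <qtype> <qname>"); the
# exfil.example queries mimic a tunnel: long, high-entropy, never-repeated labels.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A www.example.com
2024-05-01T10:00:02Z 10.0.0.5 A mail.example.com
2024-05-01T10:00:03Z 10.0.0.7 TXT 4a6f686e20446f65.3a2070617373.exfil.example
2024-05-01T10:00:03Z 10.0.0.7 TXT 8d3f1ac9b02e77.f41d0c9a2b.exfil.example
2024-05-01T10:00:04Z 10.0.0.7 TXT 7e2c9b41d0a3f6.b9c2e4d81a.exfil.example
2024-05-01T10:00:05Z 10.0.0.7 TXT 1f9a8c3e5d2b70.6c4e2d9a1b.exfil.example
2024-05-01T10:00:06Z 10.0.0.5 A cdn.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score well above hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_qname(qname: str):
    """(registered domain, subdomain) from the last two labels; a real
    deployment would consult the Public Suffix List instead (assumption)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def flag_tunnel_candidates(log_text, min_unique=4, min_avg_len=20, min_entropy=3.0):
    """Flag registered domains whose unique subdomains are simultaneously
    numerous, long and high-entropy: the signature of data carried in labels."""
    subs = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line
        domain, sub = split_qname(fields[3])
        if sub:
            subs[domain].add(sub)
    flagged = {}
    for domain, names in subs.items():
        if len(names) < min_unique:
            continue
        avg_len = sum(map(len, names)) / len(names)
        avg_ent = sum(map(shannon_entropy, names)) / len(names)
        if avg_len >= min_avg_len and avg_ent >= min_entropy:
            flagged[domain] = {"unique": len(names), "avg_len": round(avg_len, 1),
                               "avg_entropy": round(avg_ent, 2)}
    return flagged
```

Running `flag_tunnel_candidates(SAMPLE_LOG)` flags only `exfil.example`; the ordinary `example.com` lookups stay below all three thresholds.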
Operation
The running or operation of malware is disguised in order to prevent detection and removal by anti-virus or anti-malware software.