Hiding malware in Windows – The basics of code injection
<blockquote data-quote="Eddie Morra" data-source="post: 770229"><p>It's pretty common with old samples which rely on a Command and Control (C&C) server because those servers get taken down quite quickly and then the sample won't work properly. Even if the malware author doesn't take down the C&C, if the malware spreads far enough, you can bet legal action will be taken by authorities to try and take it down by force (or illegally without permission by cyber-vigilantes).</p><p></p><p>Then there's the case of certain features being disabled on the machine, or limitations depending on the environment. For example, a sample might be dependent on a feature which isn't installed on the machine or is disabled, and may not have a backup plan (such as force-enabling or installing the required feature). An example of this would be where a malicious campaign is pushed out to an organisation which relies on a macro in an office document, but macros are disabled in the environment and cannot be enabled by the business customer, only by the administration team. Another example would be a newer version of the .NET Framework being used, or the VC++ run-time not being statically linked, while different versions are available on the environment.</p><p></p><p>This is why it can be stressful when testers are using old samples and are testing the product you helped build in a team for several years, only for it to look bad because, while it looks like the samples got through, not all of the samples being used were actually doing anything malicious on the environment. This is why it is pretty crucial for testing to be performed with samples which have been checked within a reasonable time-frame of the test, preferably with the test being carried out by someone who is equipped to handle such analysis. Albeit such is rare unless it is a professional testing organisation, which is completely understandable in my humble opinion.</p><p></p><p>I know this is a bit off-topic, but it just seemed like the perfect opportunity to note that.</p></blockquote><p></p>