Forums
New posts
Search forums
News
Security News
Technology News
Giveaways
Giveaways, Promotions and Contests
Discounts & Deals
Reviews
Users Reviews
Video Reviews
Support
Windows Malware Removal Help & Support
Inactive Support Threads
Mac Malware Removal Help & Support
Mobile Malware Removal Help & Support
Blog
Log in
Register
What's new
Search
Search titles only
By:
Search titles only
By:
Reply to thread
Menu
Install the app
Install
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Forums
Security
Malware Analysis
Interesting .NET malware disassembly
Message
<blockquote data-quote="Andy Ful" data-source="post: 897011" data-attributes="member: 32260"><p>If I would like to hide the shellcode in the malware, then the best method would be to use a large portion of suspicious & highly obfuscated "dead" code which does only innocent things. Some fragments could be the obfuscated bullshit which does not make any sense and might be executed only in the past (so it will not break anything now and in the future). It would be hard and time-consuming to find the right malicious code, especially when the malware does not trigger malicious actions in the VM or analyst's sandbox.<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" class="smilie smilie--sprite smilie--sprite132" alt=":unsure:" title="Unsure :unsure:" loading="lazy" data-shortname=":unsure:" /></p><p></p><p>Another problem can be with targetted malware which uses some already known information about the targetted system to create a private decryption key. This key is created on the fly on any machine, but will successfully decrypt the malicious code only on the right machine.<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" class="smilie smilie--sprite smilie--sprite111" alt=":(" title="Frown :(" loading="lazy" data-shortname=":(" /></p><p></p><p>All of the above and some other more sophisticated methods are known for years. The malc0ders rarely use them because much simpler methods still work.</p></blockquote><p></p>
[QUOTE="Andy Ful, post: 897011, member: 32260"] If I would like to hide the shellcode in the malware, then the best method would be to use a large portion of suspicious & highly obfuscated "dead" code which does only innocent things. Some fragments could be the obfuscated bullshit which does not make any sense and might be executed only in the past (so it will not break anything now and in the future). It would be hard and time-consuming to find the right malicious code, especially when the malware does not trigger malicious actions in the VM or analyst's sandbox.:unsure: Another problem can be with targetted malware which uses some already known information about the targetted system to create a private decryption key. This key is created on the fly on any machine, but will successfully decrypt the malicious code only on the right machine.:( All of the above and some other more sophisticated methods are known for years. The malc0ders rarely use them because much simpler methods still work. [/QUOTE]
Insert quotes…
Verification
Post reply
Top