New powerful malware obfuscation technique
<blockquote data-quote="PhantomHacker" data-source="post: 906985" data-attributes="member: 89087"><p>Since 25 pages of academic English are hard to read, I want to sum up the most important facts:</p><ul> <li data-xf-list-type="ul">An additional desktop will be created. The Windows Explorer (WE) will be opened on this desktop. Afterwards, the command will be inserted into its input box and confirmed for execution by sending the corresponding Windows Messages. The victim will NOT see a CMD or any pop-up window, because none of these actions happen on the victim's current desktop.</li> <li data-xf-list-type="ul">Phantom Malware splits up its malicious actions into a sequence of non-malicious SendMessage WinAPI calls (see VI. ANALYSIS → A. FAILURE OF ANTI-VIRUS SOFTWARE).</li> <li data-xf-list-type="ul">The WE is a preinstalled file manager and a fundamental part of the desktop environment of Windows, which makes this process trustworthy. By inserting and confirming a malicious command in the WE's input box, this trusted system process is manipulated into executing the command. Antivirus software will not block the actions of a trusted system process because doing so is considered bad practice. Besides, the operating system, including anti-virus software modules such as behavior blockers, is fooled into perceiving that the user themselves performed the command insertion and its confirmation. In other words, it mistakenly looks like the execution of the malicious command has a legitimate basis, with the user having intended the execution. (quoted from IX. CONCLUSION)</li> </ul></blockquote>