What is a Malicious App and How to Spot One?

Malicious App Definition. Blacklisting and Whitelisting Apps. Protecting Your Assets against Malicious Apps

We’re all familiar with terms such as “threat-hunting”, “boots on the ground Intelligence” or “DNS traffic filtering.” Going back to one’s roots is always a good idea and today I’ll do just that. This article is dedicated to malicious applications. Indeed, we are going to talk about the malicious app definition, what makes an app malicious, typical behavioral patterns, and how to protect your digital assets against malicious applications. As always, stay safe and enjoy your Friday afternoon read.

Defining Malicious Applications

So, what is a malicious application? According to the paper “The World of Malware: An Overview”, malware is defined as:
Quote:“a program code that is hostile and often used to corrupt or misuse a system. Introducing malware into a computer network environment has different effects depending on the design intent of the malware and the network layout. Malware detection and prevention systems are bypassed by malicious files in computer systems as malware becomes more complex and large in numbers”.

Mind you that this definition is not all-encompassing, mostly because it does not factor in pseudo malicious endeavors such as hacktivism. Anyway, from this definition we can infer the following aspects related to malicious apps:
  • A malicious app is software or a piece of code designed for nefarious purposes. As practice shows us, these purposes can range from recon (i.e., gathering intel on a designated target to track movement and identify vulnerabilities) to intentionally damaging tangible or intangible assets (i.e., pre-attack actions undertaken to weaken cyber-defenses).
  • A malicious application has evasion capabilities. As you know, most of the apps installed on our endpoints are digitally signed and are, as we say, out there in the open. Malicious apps use various TTPs (Tactics, Techniques, and Procedures) to evade digital-signature enforcement or even to masquerade as legitimate applications. Obfuscation, as it is called in cybersecurity, is an important property of malware. Without it, even the most basic antivirus, firewall, or antimalware solution can detect the malicious app.
  • Malicious apps are protean in nature. In the malware world, continuous evolution equals survival. If malware developers (hackers) cannot keep up with all the developments in cybersecurity, their creations become utterly useless.
So, by design, malicious apps are ‘slingshotted’ into the open with the intent of harming, eavesdropping, or softening up defenses. Now, the question at hand is: how do we identify malicious applications? Studying their behavior might give us some clues. Let’s take a look at some of them.

Typical Malicious Behavior

Here are some of the most common behavioral patterns of malicious applications.

Grabbing credentials

Any application that is designed to extract credentials through packet sniffing, keylogging, ‘dumpster diving’ or other methods can be considered malicious. Of course, the best defense would be to deploy and use an efficient antimalware solution.

Process injection

Any type of activity that supersedes normal system processes by introducing malicious binaries or code pieces should be labeled as malicious. The ‘most’ targeted system processes are regsvr32.exe and svchost.exe.

Dynamic-Link Library injection and/or replacement

Any type of action undertaken to externally manipulate a functioning DLL (i.e., writing a path to a DLL found inside an app’s process and then executing malicious code via a remote-controlled thread) is considered malicious behavior. In some cases, the legit DLLs can be swapped with fake (and malicious) processes. This is called DLL replacement.
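The two behaviors above (code injected into a system process, and a foreign DLL loaded into one) leave traces that endpoint telemetry records. The following is an added example, not code from the original article or from Heimdal: a small triage routine run over constructed log lines modelled loosely on Sysmon's CreateRemoteThread (Event ID 8) and ImageLoad (Event ID 7) records. The `key=value` field layout, the `Signed` field, and the sample paths are assumptions made for the example; the targeted process names (svchost.exe, regsvr32.exe) are the ones the article names.

```python
import re

# Constructed sample telemetry (not real captures). Layout assumed: space-separated
# key=value pairs, one event per line.
SAMPLE_EVENTS = [
    "EventID=8 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe "
    "TargetImage=C:\\Windows\\System32\\svchost.exe StartFunction=LoadLibraryW",
    "EventID=8 SourceImage=C:\\Windows\\System32\\csrss.exe "
    "TargetImage=C:\\Windows\\System32\\svchost.exe StartFunction=",
    "EventID=7 Image=C:\\Windows\\System32\\regsvr32.exe "
    "ImageLoaded=C:\\Users\\bob\\Downloads\\helper.dll Signed=false",
    "EventID=7 Image=C:\\Windows\\System32\\regsvr32.exe "
    "ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true",
    "EventID=1 Image=C:\\Program Files\\Editor\\editor.exe CommandLine=editor.exe file.txt",
]

# System processes the article singles out as the most targeted for injection.
HIGH_VALUE_TARGETS = {"svchost.exe", "regsvr32.exe"}

# Path fragments that indicate a location an unprivileged user can write to.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\", "\\programdata\\")


def parse_event(line):
    """Split a 'k=v k=v' line into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def analyse(events):
    """Return (rule, source, target) tuples for events worth an analyst's attention."""
    findings = []
    for line in events:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "8":
            # A thread created in a high-value process by a binary living in a
            # user-writable directory is the classic injection pattern.
            src, tgt = ev.get("SourceImage", ""), ev.get("TargetImage", "")
            if basename(tgt) in HIGH_VALUE_TARGETS and is_user_writable(src):
                findings.append(("remote_thread_into_system_process", src, tgt))
        elif eid == "7":
            # A high-value process loading an unsigned DLL, or one from a
            # user-writable directory, matches the DLL injection/replacement case.
            img, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
            unsigned = ev.get("Signed", "").lower() == "false"
            if basename(img) in HIGH_VALUE_TARGETS and (unsigned or is_user_writable(dll)):
                findings.append(("suspicious_image_load", img, dll))
    return findings


if __name__ == "__main__":
    for rule, src, tgt in analyse(SAMPLE_EVENTS):
        print(f"{rule}: {src} -> {tgt}")
```

The csrss.exe-to-svchost.exe thread is deliberately left unflagged: legitimate system components do create threads in each other, so the rule keys on where the source binary lives rather than on the target alone.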

Hook injection

In some instances, attackers might use the hook injection technique in order to gain access to core memory functions. This technique involves loading and running a piece of malicious code inside the environment of a running program.

Registry persistence

It’s not uncommon for a previously removed program to linger in the Windows registry. Of course, these ‘breadcrumbs’ can be successfully cleared with tools such as CCleaner, AVG PC TuneUp, or CleanMyPC. However, when those bits won’t go away and they start modifying registry keys or values, you might have a malicious app on your hands. Word of caution: do not reboot or shut down your PC if you have a registry ‘worm’. Doing so will only grant the malicious app more rights.
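A practical way to catch the "bits that start modifying registry keys or values" is to keep a baseline of the autorun locations and diff it against the current state. The following is an added example, not code from the original article or from Heimdal: it compares two constructed snapshots of Run/RunOnce values and attaches risk reasons to every entry that was added or changed. The snapshots, paths and commands are constructed for the example; on a real host the dictionaries would be filled from the registry (for instance with Python's `winreg` module).

```python
import re

RUN_HKLM = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
RUN_HKCU = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
RUNONCE_HKCU = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"

# Constructed baseline taken when the machine was known-good. Keys are
# (registry key, value name); values are the command stored in the value data.
BASELINE = {
    (RUN_HKLM, "SecurityHealth"): "C:\\Windows\\System32\\SecurityHealthSystray.exe",
    (RUN_HKCU, "OneDrive"): "\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background",
}

# Constructed current snapshot: one value modified, two added.
CURRENT = dict(BASELINE)
CURRENT[(RUN_HKLM, "SecurityHealth")] = "C:\\ProgramData\\SecurityHealthSystray.exe"
CURRENT[(RUN_HKCU, "WinUpdate")] = "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe"
CURRENT[(RUNONCE_HKCU, "Loader")] = "powershell.exe -w hidden -enc <base64-placeholder>"

USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\downloads\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}
# Names that belong in System32; the same name elsewhere is a masquerade signal.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}


def executable_of(command):
    """Return the program part of a Windows command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def reasons_for(command):
    """Heuristic risk reasons for one autorun command; empty list means nothing odd."""
    exe = executable_of(command)
    low = exe.lower()
    name = basename(exe)
    reasons = []
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("user_writable_path")
    if name in SYSTEM_NAMES and "\\windows\\system32\\" not in low:
        reasons.append("system_binary_name_outside_system32")
    if name in SCRIPT_HOSTS:
        reasons.append("script_host")
    if re.search(r"(?i)(-enc\S*\s|-w(indowstyle)?\s+hidden|-nop\b)", command):
        reasons.append("encoded_or_hidden_flags")
    return reasons


def triage(baseline, current):
    """List autorun values that are new or changed since the baseline, with reasons."""
    findings = []
    for (key, name), command in current.items():
        previous = baseline.get((key, name))
        if previous == command:
            continue  # unchanged since the known-good snapshot
        findings.append({
            "key": key,
            "name": name,
            "change": "added" if previous is None else "modified",
            "command": command,
            "reasons": reasons_for(command),
        })
    return findings


if __name__ == "__main__":
    for f in triage(BASELINE, CURRENT):
        print(f"{f['change']:8} {f['key']}\\{f['name']}: {f['command']}  {f['reasons']}")
```

Diffing against a baseline matters more than the heuristics: the legitimate OneDrive entry also lives under AppData and would trip `user_writable_path` on its own, but because it is unchanged since the known-good snapshot it never reaches the analyst.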

‘Trojanizing’ commonly used system binaries

Although an uncommon malicious technique, it’s deadly efficient and quite hard to detect and root out. The purpose of this action is to compromise commonly used system binaries, effectively turning them into bit-sized trojans. This is achieved through fake patching. Once the fake binaries are loaded and run, they will grant hackers access to key memory areas.

Hijacking the DLL load order

Every time your computer boots, the OS will start looking for DLLs. Why? Because executables love DLLs and DLLs relish executables. This is done, of course, in a certain order. Here’s the catch: if the path to a specific DLL is not hard-coded (i.e., set in stone), a malicious piece of code can be introduced into this search order, which would result in the executable loading it.
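To make the search-order point concrete, here is an added example, not code from the original article or from Heimdal: a model of the Windows DLL search order run against a constructed file system. It shows which file a bare DLL name resolves to, which user-writable directories are consulted before System32, and how a fully qualified (hard-coded) path sidesteps the search. The directory lists and file paths are constructed; the ordering follows Microsoft's documented default (application directory, System32, 16-bit System directory, Windows directory, then the current directory and PATH, with the current directory moving up to second place when SafeDllSearchMode is disabled). KnownDLLs, which are exempt from the search, are not modelled.

```python
SYSTEM32 = "C:\\Windows\\System32"
WINDIR = "C:\\Windows"

# Path fragments that indicate a location an unprivileged user can write to.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\downloads\\")


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def search_order(app_dir, cwd, path_dirs, safe_mode=True):
    """Directories consulted, in order, when a DLL is requested by bare name."""
    order = [app_dir, SYSTEM32, f"{WINDIR}\\System", WINDIR]
    if safe_mode:
        order.append(cwd)          # SafeDllSearchMode on: current dir after system dirs
    else:
        order.insert(1, cwd)       # SafeDllSearchMode off: current dir right after app dir
    return order + list(path_dirs)


def resolve(dll_name, order, fs):
    """First existing file the loader would pick; None if nothing matches."""
    fs_lower = {p.lower() for p in fs}
    if "\\" in dll_name:
        # A fully qualified path is used as-is; no search takes place.
        return dll_name if dll_name.lower() in fs_lower else None
    for directory in order:
        candidate = f"{directory}\\{dll_name}"
        if candidate.lower() in fs_lower:
            return candidate
    return None


def audit(dll_name, order, fs, expected_dir=SYSTEM32):
    """Classify the resolution as ok / shadowed / missing relative to expected_dir."""
    hit = resolve(dll_name, order, fs)
    if hit is None:
        return ("missing", None)
    expected = dll_name if "\\" in dll_name else f"{expected_dir}\\{dll_name}"
    return ("ok", hit) if hit.lower() == expected.lower() else ("shadowed", hit)


def exposed_dirs(order, expected_dir=SYSTEM32):
    """User-writable directories searched before the directory the DLL should come from."""
    exposed = []
    for directory in order:
        if directory.lower() == expected_dir.lower():
            break
        if is_user_writable(directory):
            exposed.append(directory)
    return exposed


# Constructed file system: a tool run from a Downloads folder that also contains a
# file named like a system DLL the tool imports by bare name.
APP_DIR = "C:\\Users\\bob\\Downloads\\Tool"
CWD = "C:\\Users\\bob"
PATH_DIRS = [WINDIR, SYSTEM32, "C:\\Users\\bob\\bin"]
FS = {
    f"{SYSTEM32}\\version.dll",
    f"{SYSTEM32}\\kernel32.dll",
    f"{APP_DIR}\\tool.exe",
    f"{APP_DIR}\\version.dll",
}

if __name__ == "__main__":
    order = search_order(APP_DIR, CWD, PATH_DIRS)
    print("version.dll  ->", audit("version.dll", order, FS))
    print("kernel32.dll ->", audit("kernel32.dll", order, FS))
    print("hard-coded   ->", audit(f"{SYSTEM32}\\version.dll", order, FS))
    print("exposed dirs ->", exposed_dirs(order))
```

The defender-side takeaway from `exposed_dirs` is that any writable directory appearing before System32 in the order is a place a bare-name import can be hijacked from; applications that run out of user-writable locations, or hosts with SafeDllSearchMode turned off, widen that window.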