Members
  • Total Members: 12818
  • Latest: martin
Stats
  • Total Posts: 28534
  • Total Topics: 8240
  • Online Today: 1024
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)












Author Topic: Malware Authors Employ Variety to Evade Security Detection  (Read 700 times)

0 Members and 1 Guest are viewing this topic.

Pez

  • SCF VIP Member
  • *****
  • Posts: 723
  • KARMA: 116
  • Gender: Male
  • Pez
Malware Authors Employ Variety to Evade Security Detection
« on: 02. September 2013., 10:08:09 »
Malware Authors Employ Variety to Evade Security Detection

In the McAfee Labs blog we have covered many techniques that malware uses to evade code-based detection. In my previous blog I discussed procedure prologue and procedure epilogue techniques to evade security systems. We recently came across one more set of fake-alert samples that use a different technique to evade detection. This technique is related to the dynamic loading of a library at runtime.

Dynamic Loading

Dynamic loading is a mechanism by which a program loads a library into memory at runtime so that the addresses of the functions and variables contained in the library can be executed or accessed. Dynamic loading is done using an API LoadLibrary, which takes a string argument (the name of the library to be loaded).

The following screenshot is a typical LoadLibrary code with argument.



A typical LoadLibraryExA API code with argument.

The preceding pattern can easily be identified by both behavior- and code-based detection. That’s why we now see different ways of passing the argument to the LoadLibrary API in some fake-alert malware families. The following screenshots illustrate four sets of code that serve the same purpose of moving the required argument into the stack.



First pattern for moving arguments.



Second pattern for moving arguments.



Third pattern for moving arguments.



Fourth pattern for moving arguments.

Malware authors are always searching for new techniques to evade detection, but eventually their techniques are discovered and blocked by security researchers. McAfee detects all the variants that use these techniques.


Original article: Sunday, September 1, 2013 at 9:02pm by Arvind Gowda
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing ! http://scforum.info/index.php/topic,8405.msg21475.html#msg21475

Samker's Computer Forum - SCforum.info

Malware Authors Employ Variety to Evade Security Detection
« on: 02. September 2013., 10:08:09 »




 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising