Behavior Instances

From ema

A Behavior Instance captures a specific instance of a Behavior, as exhibited by one or more malware instances or families.

| Name | Applicable Platform | Associated Behavior | Description |
|---|---|---|---|
| API Call: DeviceIoControlFile | Windows | steal web/network credential | Hooking Nt/ZwDeviceIoControlFile can allow for network sniffing by inspecting the data on a network interface through its device driver. |
| API Call: getInstalledPackages | Android | inventory security products | getInstalledPackages is used to get the list of installed packages on the device; the list is then compared against a list of security products using a regular expression or another method. |
| API Call: GetVolumeInformation | Windows | compare host fingerprints | Abusing this API call on Windows can give an attacker the GUID of a system drive. This can then be compared to a running host's GUID value, and malicious code can be executed if the GUID values match. |
| API Call: HttpSendRequest | Windows | steal web/network credential | Hooking HttpSendRequest can allow for sniffing the data contained inside HTTP requests, which may include web/network credentials. |
| API Call: IsDebuggerPresent | Windows | detect debugging | The kernel32!IsDebuggerPresent API call checks the Process Environment Block to see if the calling process is being debugged. This is one of the most basic and common ways of detecting debugging. |
| API Call: restartPackage | Android | stop execution of security software | Calling restartPackage on an already executing piece of security software can stop its execution on a device. |
| API Call: TranslateMessage | Windows | capture keyboard input | The capture keyboard input behavior is implemented by hooking the user32!TranslateMessage API call. As an example (from SpyEye), in response to each WM_KEYDOWN message, the hook procedure calls GetKeyboardState and ToUnicode(lpMsg->wParam), then appends the corresponding wide character to a buffer. |
| Control Graph Flattening | (not platform-specific) | defeat linear disassembler | The control flow of each function is flattened by first breaking up the nesting of loops and if-statements, and then hiding each of them in a case of a large switch statement that is wrapped inside the body of a loop. |
| CryptoAPI | Windows | encrypt files | The Microsoft CryptoAPI includes functions to encrypt and decrypt data; these are commonly imported and used by malware (particularly ransomware) to encrypt user data/files on a system. |
| Debugger Artifacts | (not platform-specific) | detect debugging | Detects a debugger by its artifacts (window title, device driver, exports, etc.). |
| DYLD_INSERT_LIBRARIES Exploitation | Mac OS X | persist after system reboot | In Mac OS X, DYLD_INSERT_LIBRARIES can be abused to ensure that a malicious library is persistently loaded into a targeted process whenever that process is started. |
| Extended/Different Instruction Sets | (not platform-specific) | defeat emulator | Emulators may be blocked through the use of different opcode sets (e.g. FPU, MMX, SSE). |
| Extra Loops/Time Locks | (not platform-specific) | defeat emulator | Extra loops may be added to make time-constrained emulators give up. |
| Guard Pages | (not platform-specific) | prevent physical memory acquisition | Blocks of code are encrypted individually and decrypted temporarily only upon execution. One variant uses self-debugging to accomplish this. |
| Guest Process Testing | Windows | detect VM environment | Virtual machines offer guest additions that can be installed to add functionality such as clipboard sharing. Detecting the process responsible for these tasks, via its name or other methods, is a technique employed by malware to detect whether it is being executed in a virtual machine. |
| HTML5 Performance Object | Windows | detect VM environment | In three browser families, it is possible to extract the Windows performance counter frequency using standard HTML and JavaScript. This value can then be used to detect whether the code is being executed in a virtual machine, by detecting two specific frequencies commonly used in virtual but not physical machines. |
| Injected DLL Testing | Windows | detect sandbox environment | Testing for the name of a particular DLL that is known to be injected by a sandbox for API hooking is a common way of detecting sandbox environments. This can be achieved through the kernel32!GetModuleHandle API call and other means. |
| Instruction Overlap | (not platform-specific) | defeat linear disassembler | Jumping to an address after the first byte of an instruction; this confuses some disassemblers. |
| Kernel Extension (Kext) Rootkit | Mac OS X | persist after system reboot | On Macs, kext (kernel extension) rootkits can be created via the Generic Kernel Extension template in Xcode and remain in the kernel even after reboots. |
| Launch Daemon and Launch Agent Exploitation | Mac OS X | persist after system reboot | On Macs, launch daemons and launch agents can be abused to gain malware persistence. |
| Launchd.conf Exploitation | Mac OS X | persist after system reboot | launchd is the first user-mode program to execute during OS X's initialization. The launchd.conf file contains configuration parameters for launchd. As launchd.conf can contain arbitrary commands (via the bsexec command), malware can inject malicious instructions in order to achieve persistence. |
| Malicious Network Driver | Windows | persist after system reboot | Malicious network drivers can be installed on several machines on a network via an exploited server with high uptime. Once the drivers are installed on the host machines, they can reinfect the server if it is restarted, infect other machines on the network, and redirect traffic on the network as they please. |
| Named System Object Checks | Windows | detect VM environment | Virtual machines often include specific named system objects by default, such as Windows device drivers, which can be detected by testing for specific strings, whether found in the Windows registry or elsewhere. |
| OpCode Frequency Distribution | (not platform-specific) | fingerprint host | Needs to be revisited |
| Private API Exploitation | iOS | persist after system reboot | On iOS, private APIs can be abused to implement malicious functionality. |
| Process Environment Block (PEB) | Windows | detect debugging | The Process Environment Block (PEB) is a Windows data structure associated with each process that contains several fields, one of which is "BeingDebugged". Testing the value of this field in the PEB of a particular process can indicate whether the process is being debugged; this is equivalent to using the kernel32!IsDebuggerPresent API call. |
| Product Key/ID Testing | Windows | detect sandbox environment | Checking for a particular product key/ID associated with a sandbox environment (commonly associated with the Windows host OS used in the environment) can be used to detect whether a malware instance is being executed in a particular sandbox. This can be achieved through several means, including testing for the key/ID in the Windows registry. |
| Router Firmware Image Modification | iOS | persist after system reboot | Cisco routers can have their firmware images modified in order to maliciously infect and persist on end-user machines in a network. This is accomplished by using default or acquired credentials to gain access to a router and install a backdoor. |
| Screen Resolution Testing | Linux | detect sandbox environment | Sandboxes aren't used in the same manner as a typical user environment, so most of the time the screen resolution stays at the minimum of 800x600 or lower. No one actually works on such a small screen. Malware could potentially check the screen resolution to determine whether it is running on a user machine or in a sandbox. |
| Surreptitious Application Installation | Mac OS X | persist after system reboot | In OS X, application directories and files can be installed unbeknownst to the user. Web browsers and search engines can also be hijacked and set to specific defaults. These files persist until the user manually deletes them. |
| Timing/Date Checks | Windows | detect sandbox environment | Calling GetSystemTime or an equivalent and only executing code if the current date/hour/minute/second passes some check. Often this is for running only after or only until a specific date. |
| Timing/Delay Checks | (not platform-specific) | detect debugging | Comparing the time between two points to detect "unusual" execution, such as the (relatively) massive delays introduced by debugging. |
| UEFI Bootloader Injection | Mac OS X | persist after os changes | The Mac's UEFI bootloader can be exploited in a number of ways via an EFI DXE driver that attacks the system as opposed to the supporting hardware. |
| Undocumented Opcodes | (not platform-specific) | defeat emulator | Use of rare or undocumented opcodes to block non-exhaustive emulators. |
| Unusual/Undocumented API Calls | (not platform-specific) | defeat emulator | Unusual APIs are called to block non-exhaustive emulators (particularly those in anti-virus products). |
| Web Injection | Mac OS X | autonomous remote infection | On Macs, unpatched versions of applications can be exploited via malicious websites. |
| Windows Shutdown Event | Windows | persist after system reboot | In Windows, an application can register for the shutdown event triggered by WinLogon, giving a malicious DLL a chance to execute every time the machine shuts down. |