malware replacing legitimate system components

0001-01-01

A common tactic of malware is to replace legitimate components of a system with modified, malicious versions.

For example, the ping program on Linux and Unix-like operating systems has traditionally been installed setuid root because it uses raw sockets (current Linux distributions usually grant it the CAP_NET_RAW file capability, or let it use unprivileged ICMP sockets, instead, but either way it runs with privilege the caller lacks). An attacker who already has root may add a feature to ping that spawns a shell when a particular command line argument or environment variable is set. The binary behaves normally otherwise, so the change goes unnoticed while any unprivileged user who knows the trigger gets a root shell on demand. The change does show up as a hash mismatch to package verification (rpm -V, dpkg -V or debsums) or a file-integrity baseline, provided the tools doing the checking are themselves trusted.

The Universal Rootkit by K2 is an old-school example of this: several standard commands are replaced with modified copies that hide information pertaining to the attacker (files, processes, network connections, logins) from sysadmins and incident responders. Because only the replaced copies lie, a user-mode rootkit of this kind is exposed by comparing their output against tools brought from outside the system, such as a static binary or a live image, or by checking the binaries' hashes against the package database.
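The check that flags both cases above (a trojaned setuid ping and a rootkit's swapped-in ls or netstat), as an added example that is not part of this note: a file-integrity baseline keyed on content hashes and permission bits, which is the logic behind rpm -V, dpkg -V/debsums and AIDE. The directory tree, the baseline and the trojaned files are constructed inside a temporary directory for the demo; on a real host the baseline would be taken from a known-clean image, stored off the box, and the verifier run from trusted media, since the rootkits described here also replace the tools used to look for them.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def sha256_of(path):
    """Hash file contents; sizes and mtimes are trivially forged, hashes are not."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """Map relative path -> (permission bits, sha256) for every regular file
    under root.  Symlinks are skipped (lstat) so a planted link cannot redirect
    the check at a clean file elsewhere."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):
                found[os.path.relpath(path, root)] = (st.st_mode & 0o7777, sha256_of(path))
    return found


def verify(root, baseline):
    """Compare the live tree with a baseline taken while the system was clean.
    'modified': same path, different content (a replaced ping or ls);
    'new' / 'missing': files that appeared or vanished;
    'gained_setuid': setuid bit present where the baseline had none."""
    current = inventory(root)
    return {
        "modified": sorted(p for p in current
                           if p in baseline and current[p][1] != baseline[p][1]),
        "new": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
        "gained_setuid": sorted(
            p for p, (mode, _) in current.items()
            if mode & stat.S_ISUID
            and not (p in baseline and baseline[p][0] & stat.S_ISUID)),
    }


def _install(path, content, mode):
    with open(path, "wb") as f:
        f.write(content)
    os.chmod(path, mode)   # writing clears the setuid bit, so set the mode afterwards


def demo():
    """Constructed scenario: baseline a clean bin/, then replace ping and ls with
    trojaned copies of the same name and mode and drop an extra setuid helper."""
    root = tempfile.mkdtemp()
    try:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        _install(os.path.join(bindir, "ping"), b"#!/bin/sh\necho 'real ping'\n", 0o4755)
        _install(os.path.join(bindir, "ls"), b"#!/bin/sh\necho 'real ls'\n", 0o755)
        baseline = inventory(root)          # snapshot taken while the system is clean

        # Attacker: backdoored ping keyed on an env var, rootkit ls, hidden setuid helper.
        _install(os.path.join(bindir, "ping"),
                 b"#!/bin/sh\n[ -n \"$PINGSHELL\" ] && exec /bin/sh\necho 'real ping'\n", 0o4755)
        _install(os.path.join(bindir, "ls"),
                 b"#!/bin/sh\necho 'real ls' | grep -v attacker\n", 0o755)
        _install(os.path.join(bindir, ".helper"), b"#!/bin/sh\nexec /bin/sh\n", 0o4755)

        return verify(root, baseline)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
    # {'modified': ['bin/ls', 'bin/ping'], 'new': ['bin/.helper'], 'missing': [], 'gained_setuid': ['bin/.helper']}
```

The inventory deliberately records permission bits as well as hashes: a rootkit's ls is not setuid and would be missed by a scan that only looks at -perm -4000 files, while a backdoor that only adds the setuid bit to an otherwise untouched binary would be missed by a hash-only scan.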

On Windows, DLL proxying serves the same purpose. The legitimate DLL is renamed or moved and a malicious DLL with the original name is put in its place; the malicious DLL loads the real copy into memory, resolves its exported symbols, and exposes a shim function for each of the real DLL's exports that forwards calls to the original. Exports the attacker does not care about can be forwarded by the linker instead of by hand (an export forwarder entry of the form Name=real_dll.Name in the module definition file), so only the hooked export needs written code. In the shim of their choosing the attacker places code that, when certain parameters are met, performs a malicious act such as triggering a reverse shell; every other call passes straight through, so the host application keeps working. Because the original usually survives beside the proxy under a new name and the proxy lacks the vendor's Authenticode signature, an unsigned DLL sitting next to a renamed signed copy of the same module is a strong indicator to look for.
