malware blending in with the system

0001-01-01

Malware will often attempt to blend in with the system as an anti-analysis technique.

The basic theory is that if an attacker places malicious files in locations typical of certain file types, with generic or benign-looking filenames, or names their process in a similarly generic way, it will fool system administrators and incident responders into thinking that it should be there.

One example is the Skidmap malware logging credentials to /usr/include/ilog.h. /usr/include holds hundreds or thousands of header files (.h), so this likely wouldn't stand out to an average admin: it has a generic name and the file extension matches the rest of the files in that directory.
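A defender-side check for this trick, added here as an example (not from the original note and not Skidmap's own code): treat a file under /usr/include as suspect when its content does not look like C/C++ source, when it contains credential-style key/value lines, or when no installed package claims it. The package-ownership lookup assumes a Debian (dpkg) or RPM host; the sample contents in the test are constructed.

```python
"""Heuristic scan for non-header files hiding among C headers in /usr/include.

Added example, not part of the original note. Package ownership assumes
dpkg or rpm is available; the content heuristics run offline.
"""
import os
import re
import subprocess
from typing import Dict, List

# Tokens that nearly every real C/C++ header carries near the top.
HEADER_TOKENS = (b"#include", b"#define", b"#ifndef", b"#pragma",
                 b"typedef", b"extern", b"struct", b"namespace")

# Lines that read like logged credentials rather than source code (constructed patterns).
CRED_PATTERN = re.compile(rb"(user(name)?|pass(word)?|login)\s*[:=]", re.IGNORECASE)


def looks_like_c_header(data: bytes) -> bool:
    """True when the first 4 KiB is text and contains at least one header token."""
    head = data[:4096]
    if not head.strip():
        return True  # an empty header is legal; nothing to judge
    # Control bytes other than TAB/LF/CR point at binary content behind a .h name.
    nonprint = sum(1 for b in head if b < 9 or 13 < b < 32 or b == 127)
    if nonprint > len(head) * 0.02:
        return False
    return any(tok in head for tok in HEADER_TOKENS)


def assess_header_file(path: str, data: bytes, owned_by_package: bool) -> List[str]:
    """Return the reasons a file in an include directory deserves a closer look."""
    reasons = []
    if not looks_like_c_header(data):
        reasons.append("content does not look like C/C++ source")
    if CRED_PATTERN.search(data[:65536]):
        reasons.append("credential-like key/value lines")
    if not owned_by_package:
        reasons.append("not owned by any installed package")
    return reasons


def package_owns(path: str) -> bool:
    """Ask the package manager whether it installed `path` (dpkg -S / rpm -qf).

    Returns False when neither tool is present, so on other distributions
    every file would be reported as unowned; swap in the local equivalent.
    """
    for cmd in (["dpkg", "-S", path], ["rpm", "-qf", path]):
        try:
            return subprocess.run(cmd, capture_output=True, check=False).returncode == 0
        except FileNotFoundError:
            continue
    return False


def scan_include_dir(root: str = "/usr/include") -> Dict[str, List[str]]:
    """Walk `root` and map each suspicious path to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(65536)
            except OSError:
                continue
            reasons = assess_header_file(path, data, package_owns(path))
            if reasons:
                findings[path] = reasons
    return findings


if __name__ == "__main__":
    for found, why in scan_include_dir().items():
        print(found, "->", "; ".join(why))
```

The content heuristic is deliberately loose (C++ headers without an extension, generated headers, and vendor SDKs are common), so the strongest single signal is the package-ownership result; a file that fails that check and also fails the content check is the one to pull for triage.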

Many examples of Linux malware rename themselves by overwriting argv to something like [kthread-2.0], disguising their process as a kernel thread, or to /usr/bin/httpd, disguising the process as a web server.
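The two disguises above leave inconsistencies in /proc that a responder can check for. This is an added example, not code from the note or from any of the malware families it mentions. A genuine kernel thread has an empty /proc/PID/cmdline, no readable /proc/PID/exe link, and kthreadd (pid 2) as its parent; a process that merely rewrote argv to "[kthread-2.0]" fails those tests. A genuine web server's exe link points at the installed binary; the expected path list and the sample process records below are assumptions constructed for the example.

```python
"""Flag processes whose name claims 'kernel thread' or 'web server' while
their /proc entries say otherwise. Added example, not from the original note.
"""
import os
from dataclasses import dataclass
from typing import List, Optional

# Binaries a real web server process is expected to run from (assumed list; extend per host).
WEB_SERVER_PATHS = {"/usr/sbin/httpd", "/usr/sbin/apache2", "/usr/sbin/nginx", "/usr/bin/httpd"}
WEB_SERVER_NAMES = {"httpd", "apache2", "nginx"}
KERNEL_NAME_PREFIXES = ("kthread", "kworker", "ksoftirq", "migration", "rcu_")


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str            # /proc/PID/comm
    cmdline: str         # /proc/PID/cmdline with NULs turned into spaces
    exe: Optional[str]   # readlink(/proc/PID/exe); None if absent or unreadable


def disguise_reasons(p: Proc) -> List[str]:
    """Return why a process name and its /proc metadata disagree, if they do."""
    reasons = []

    # Kernel-thread claim: bracketed argv or a kernel-style comm.
    claims_kernel = (p.cmdline.startswith("[") and p.cmdline.endswith("]")) or \
        p.comm.startswith(KERNEL_NAME_PREFIXES)
    is_kernel = p.cmdline == "" and p.exe is None and (p.pid == 2 or p.ppid == 2)
    if claims_kernel and not is_kernel:
        reasons.append("named like a kernel thread but has argv/exe or a user-space parent")

    # Web-server claim: argv[0] or comm says httpd/nginx; verify the binary on disk.
    first = os.path.basename(p.cmdline.split(" ")[0]) if p.cmdline else p.comm
    if first in WEB_SERVER_NAMES or p.comm in WEB_SERVER_NAMES:
        if p.exe is None:
            reasons.append("claims to be a web server but exe link is unreadable (run as root to confirm)")
        elif p.exe.endswith(" (deleted)"):
            reasons.append("web server binary was deleted from disk while running")
        elif p.exe not in WEB_SERVER_PATHS:
            reasons.append(f"claims to be a web server but runs from {p.exe}")
    return reasons


def read_procs() -> List[Proc]:
    """Collect the fields above for every live pid (best effort, skips vanished pids)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        base = f"/proc/{pid}"
        try:
            with open(f"{base}/comm") as fh:
                comm = fh.read().strip()
            with open(f"{base}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
            ppid = 0
            with open(f"{base}/status") as fh:
                for line in fh:
                    if line.startswith("PPid:"):
                        ppid = int(line.split()[1])
                        break
        except OSError:
            continue
        try:
            exe = os.readlink(f"{base}/exe")
        except OSError:
            exe = None
        procs.append(Proc(pid, ppid, comm, cmdline, exe))
    return procs


def find_disguised() -> List[tuple]:
    """Pair each flagged live process with its reasons."""
    return [(p, r) for p in read_procs() if (r := disguise_reasons(p))]


if __name__ == "__main__":
    for proc, why in find_disguised():
        print(proc.pid, proc.comm, "->", "; ".join(why))
```

Because /proc/PID/exe is only readable for your own processes unless you are root, run the scan with privileges, otherwise every foreign process reports an unreadable exe and the kernel-thread test loses one of its three signals.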
