
Some notes on malware – Part 2

Keyloggers

Keyloggers can be classified as:

  • Software based.
  • Hardware based.
  • User-mode or kernel-mode based.
  • Windows or Linux based.
  • Hook based.

Typical install locations
This is rather a long list; a few examples follow:

Windows

  • Application Data\Microsoft\
  • System\filename.dll
  • Program Files\Internet Explorer\filename.dll
  • Program Files\Movie Maker\filename.dll
  • All Users Application Data\filename.dll
  • Temp\filename.dll

Linux

  • /bin/login
  • /bin/.login
  • /bin/ps
  • /etc/
  • /etc/rc.d/
  • /tmp/
  • /usr/bin/.ps
  • /usr/lib/
  • /usr/sbin/
  • /usr/spool/
  • /usr/scr/
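As an added defender-side illustration (not part of the original notes), the following Python flags inventory paths that match the install locations above: hidden dotfiles in system binary directories, and DLLs dropped under Temp, Application Data or a known application directory without appearing in a per-directory baseline. The directory tables, the DLL baseline and the sample inventory are constructed assumptions.

```python
from pathlib import PurePosixPath, PureWindowsPath

# Added illustration, not from the original notes. Directory tables, the DLL
# baseline and the sample inventory below are all constructed for this example.
LINUX_BIN_DIRS = {"/bin", "/usr/bin", "/usr/sbin"}
WINDOWS_DROP_SEGMENTS = {"application data", "temp"}
WINDOWS_APP_DIRS = (r"program files\internet explorer",
                    r"program files\movie maker")
# DLLs expected under each application directory on a known-good host.
DLL_BASELINE = {r"program files\internet explorer": {"ieproxy.dll"},
                r"program files\movie maker": set()}

def flag_linux(path):
    p = PurePosixPath(path)
    # /bin/.login, /usr/bin/.ps: a dotfile hiding next to real system binaries.
    if p.parent.as_posix() in LINUX_BIN_DIRS and p.name.startswith("."):
        return "hidden file in system binary directory"
    return None

def flag_windows(path):
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".dll":
        return None
    segments = [s.lower() for s in p.parent.parts[1:]]   # drop the drive
    if WINDOWS_DROP_SEGMENTS & set(segments):   # ...\Temp\ or ...\Application Data\
        return "DLL in temp or user data directory"
    rel = "\\".join(segments)
    for app in WINDOWS_APP_DIRS:
        if (rel == app or rel.startswith(app + "\\")) \
                and p.name.lower() not in DLL_BASELINE[app]:
            return "DLL not in baseline for " + app
    return None

def scan(inventory):
    """Return (path, reason) for every inventory path that matches a rule."""
    hits = []
    for path in inventory:
        reason = flag_linux(path) if path.startswith("/") else flag_windows(path)
        if reason:
            hits.append((path, reason))
    return hits

SAMPLE_INVENTORY = [  # constructed
    "/bin/login", "/bin/.login", "/usr/bin/.ps", "/usr/bin/ps",
    r"C:\Windows\Temp\update.dll",
    r"C:\Program Files\Internet Explorer\ieproxy.dll",
    r"C:\Program Files\Internet Explorer\msupd.dll",
    r"C:\Documents and Settings\bob\Application Data\Microsoft\svc.dll",
]
```

A trojaned /bin/login or /bin/ps keeps its legitimate path, so that case needs a content check against known-good hashes rather than a path rule.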

Local drive installation
Malware propagates to:

  • Every drive accessible on the host.
  • Local or mapped network shares (if it has the permissions).
  • Obfuscated file locations on secondary partitions.

Altering timestamps
Malware modifies:

  • File timestamps, to escape a first-glance inspection.
  • System install dates.
  • System file dates.
  • etc.

Commonly hooked processes

Windows

  • explorer.exe
  • services.exe
  • svchost.exe
  • iexplorer.exe
  • etc.

Linux

  • apached
  • ftpd
  • rpc.statd
  • lpd
  • syncscan
  • update
  • etc.

Commonly disabled services

  • Windows Automatic Update service.
  • Background Intelligent Transfer Service (BITS).
  • Windows Security Center service.
  • Windows Defender service.
  • Windows Error Reporting service.

Commonly used or altered registry paths

  • HKLM\SYSTEM\CurrentControlSet\Services\
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\