Hello uredditors!
Thanks for your interest in the “Analyzing deep system stealth malware class” (for those who didn’t come to this post from ureddit.com, the class announcement is here).
We’ve always had sequences of our existing classes which build toward specific knowledge areas. But we wanted to call this out explicitly, and ureddit seemed like a good way to do this. You’ve just taken the first step toward understanding how rootkits and other stealth malware are able to hide and persist in their infection of a compromised system. This is a deep technical class series, not at all high level in its description of how things work, so it’s not for those with just a passing interest. It’s for people who want an excellent technical understanding of exact mechanisms used by malware.
The first thing you need to know is how x86 assembly language works. This is because one of the most prevalent malware techniques is “inline hooking”, which involves overwriting a function’s instructions to redirect execution to attacker code.
The second thing you need to know is how some OS internals work. This is because an attacker can manipulate them to create keystroke and network traffic loggers, hide their memory from security tools, and make it so reverse engineering tools like debuggers won’t work.
The third thing to know is how Windows’ PE binaries work. The previously mentioned inline hooking is one common way for attackers to hide things in user-mode malware, but the other most common way is by manipulating, in memory, the table a binary uses to call imported functions (the Import Address Table, or IAT). This class will introduce you to that, as well as how malware like packers and viruses makes use of knowledge of the PE header.
Finally, you will cap off the series by learning how stealth malware combines the knowledge from the previous classes. You will also see a plethora of malware techniques not covered in those classes.
Keep in mind that each class page lists a forum site where you can post your questions. Good luck, and have fun!
Saturday, August 25, 2012