Evasion through (self) Injection II
Fraser’s article Evasion through Injection outlined how and why malware employs injection to evade runtime detection; however, a different style of “self injection”, or loading, is also being used to avoid detection on disk.
The basic concept is that of a letter-envelope idiom, where a generic “envelope” is used to deliver a third-party malware component to the compromised computer. The difference from a regular dropper, though, is that the delivered component is never written to disk, in an attempt to avoid on-access scanners.
Troj/Agent-GUP is one example of such a letter-envelope. It begins by decoding the loader code (the “envelope”), which then decrypts an embedded executable (the “letter”).
Now, instead of injecting the executable into another process, it simply hooks up the imports and transfers execution to the guest’s entry point.
Troj/EncLoad-A uses a similar technique. Although the technique is not new, it does illustrate the variety of methods malware authors are using to avoid detection both on disk and in memory.
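The defensive consequence of the letter-envelope idiom is that the “letter” never has a file behind it: the on-access scanner only ever sees the envelope, while the decrypted executable exists solely as a PE image in private, executable memory that the normal loader did not map. A memory scanner can therefore look for PE headers in exactly that kind of region. The following Python is an added example (not code from the original post or from SophosLabs) of that check: it parses the PE headers found at page boundaries of non-image-backed executable regions and reports the entry point and import table the loader “hooked up”. The region list, the header-only PE images and the path names are constructed sample data; the `build_minimal_pe` helper only exists to produce that sample input.

```python
import struct

def build_minimal_pe(entry_rva, image_base, size_of_image, import_rva, pe32plus=False):
    """Construct a header-only PE image as sample input (constructed data, not a real binary)."""
    e_lfanew = 0x40
    buf = bytearray(e_lfanew)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)            # DOS header -> NT headers
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    buf += b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptHdr, Characteristics
    buf += struct.pack("<HHIIIHH", machine, 2, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # optional header magic
    struct.pack_into("<I", opt, 16, entry_rva)                    # AddressOfEntryPoint
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
        dd = 112                                                  # data directories start (PE32+)
    else:
        struct.pack_into("<I", opt, 28, image_base)
        dd = 96                                                   # data directories start (PE32)
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<II", opt, dd + 8, import_rva, 0x100)       # directory 1 = import table
    buf += opt
    return bytes(buf)

def parse_pe_header(buf, off):
    """Return key header fields if buf[off:] starts a plausible PE image, else None."""
    if len(buf) < off + 0x40 or buf[off:off + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    nt = off + e_lfanew
    if e_lfanew > 0x1000 or len(buf) < nt + 24 or buf[nt:nt + 4] != b"PE\0\0":
        return None
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, nt + 4)
    opt = nt + 24
    if len(buf) < opt + opt_size or opt_size < 96:
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:
        arch, image_base, dd = "PE32", struct.unpack_from("<I", buf, opt + 28)[0], opt + 96
    elif magic == 0x20B:
        arch, image_base, dd = "PE32+", struct.unpack_from("<Q", buf, opt + 24)[0], opt + 112
    else:
        return None
    if len(buf) < dd + 16:
        return None
    import_rva, import_size = struct.unpack_from("<II", buf, dd + 8)
    return {
        "arch": arch, "machine": machine, "sections": nsec,
        "entry_point": struct.unpack_from("<I", buf, opt + 16)[0],
        "image_base": image_base,
        "size_of_image": struct.unpack_from("<I", buf, opt + 56)[0],
        "import_rva": import_rva, "import_size": import_size,
    }

def find_unbacked_pe_images(regions):
    """Flag PE headers in executable memory that no file backs.

    Each region is a dict: base, protect ('rwx' style), path (None for private memory), data.
    A manually loaded image starts at its allocation base, so page-stride scanning is enough
    here; a fuller scanner would also walk every MZ occurrence.
    """
    hits = []
    for r in regions:
        if r["path"] is not None or "x" not in r["protect"]:
            continue            # image-backed (normal loader) or not executable: not our indicator
        data = r["data"]
        for off in range(0, max(len(data) - 0x40, 0), 0x1000):
            hdr = parse_pe_header(data, off)
            if hdr:
                hits.append({"region_base": r["base"], "offset": off, **hdr})
    return hits

# Constructed process snapshot: the envelope is a normal image mapping, the decrypted
# letter sits in private RWX memory one page into the allocation. Paths are hypothetical.
SAMPLE_REGIONS = [
    {"base": 0x00400000, "protect": "r-x", "path": r"C:\samples\envelope.exe",
     "data": build_minimal_pe(0x1000, 0x400000, 0x5000, 0x3000)},
    {"base": 0x00620000, "protect": "rw-", "path": None, "data": bytes(0x2000)},   # plain heap
    {"base": 0x00A00000, "protect": "rwx", "path": None,
     "data": bytes(0x1000) + build_minimal_pe(0x1234, 0x10000000, 0x8000, 0x4000)},
]

if __name__ == "__main__":
    for h in find_unbacked_pe_images(SAMPLE_REGIONS):
        print("unbacked %s image at 0x%08X+0x%X: entry RVA 0x%X, imports at RVA 0x%X"
              % (h["arch"], h["region_base"], h["offset"], h["entry_point"], h["import_rva"]))
```

The envelope at 0x00400000 is ignored because it is file-backed and was scanned on access like any other executable; only the letter in the private RWX region is reported. In a real tool the region list would come from a memory snapshot or process enumeration, and the reported entry point and import directory are the natural starting points for dumping and analysing the guest executable that never touched the disk.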
Posted on April 4th, 2008 by Pete, SophosLabs AU. Filed under: General, Malware