Hiding in Plain Sight
One of the process names most often used by malware to hide is svchost.exe.
Malware often tries to hide in plain sight by looking like a legitimate process. A great overview of legitimate Windows process hierarchies is the SANS Hunt Evil poster [1].
Common Malware Names
- svchost.exe
- iexplorer.exe
- explorer.exe
- lsass.exe
- win.exe
- winlogon.exe
Commonly used locations
- \Windows\System32
- \Temp folders
- \Windows
- \WinSxS folder
- \System Volume Information
- $Recycle.Bin
- \Program Files
- Temporary Internet Files
Techniques to hide malware
Rogue Processes
A rogue process tries to look like a legitimate process by using a similar name or by executing from the “wrong” directory. Other techniques include malicious DLLs executed through rundll32.exe, malicious services hosted in svchost.exe, or process injection.
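As an added example (not code from the original text), the following Python triage applies these checks to a constructed pslist-style record set: known names running from the wrong directory or under the wrong parent are flagged, and unknown names that are one edit away from a well-known name are reported as lookalikes. The BASELINE of expected directories and parents is an assumption based on the standard Windows process hierarchy, and all process records are constructed for the example.

```python
def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[i if j == 0 else j if i == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # catches swaps like scvhost.exe
    return d[len(a)][len(b)]

# Assumed baseline: expected image directory and parent image name(s) for core processes.
# None means the parent is not checked (explorer's parent, userinit.exe, normally exits).
BASELINE = {
    "wininit.exe":  ("c:\\windows\\system32", {"smss.exe"}),
    "services.exe": ("c:\\windows\\system32", {"wininit.exe"}),
    "lsass.exe":    ("c:\\windows\\system32", {"wininit.exe"}),
    "svchost.exe":  ("c:\\windows\\system32", {"services.exe"}),
    "explorer.exe": ("c:\\windows", None),
}

def triage(procs):
    """Return {pid: [findings]} for every (pid, name, path, parent) record that deviates."""
    findings = {}
    for pid, name, path, parent in procs:
        name, parent, issues = name.lower(), parent.lower(), []
        if name in BASELINE:
            exp_dir, parents = BASELINE[name]
            if path.lower().rsplit("\\", 1)[0] != exp_dir:
                issues.append("wrong directory")
            if parents is not None and parent not in parents:
                issues.append("unexpected parent")
        else:
            near = [k for k in BASELINE if edit_distance(name, k) <= 1]
            if near:
                issues.append("lookalike of " + near[0])
        if issues:
            findings[pid] = issues
    return findings

SAMPLE = [  # constructed records: (pid, image name, full path, parent image name)
    (612, "lsass.exe", "C:\\Windows\\System32\\lsass.exe", "wininit.exe"),
    (824, "svchost.exe", "C:\\Windows\\System32\\svchost.exe", "services.exe"),
    (1988, "svchost.exe", "C:\\Windows\\Temp\\svchost.exe", "explorer.exe"),
    (2044, "lsas.exe", "C:\\Windows\\System32\\lsas.exe", "explorer.exe"),
    (2104, "explorer.exe", "C:\\Windows\\explorer.exe", ""),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Only the svchost.exe instance in \Temp and the lsas.exe lookalike are reported; the legitimate records pass.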
Code Injection and Rootkits
Code injection and rootkits are ways to hide malware from normal analysis methods. Luckily, both can be detected fairly easily with the help of memory analysis. Apart from software debugging there are no legitimate reasons to use code injection. It is easy to use because it does not rely on low-level programming knowledge, which makes it quite popular among malware authors. Therefore, any sign of code injection should be investigated further.
Rootkit describes a malware family that tries to hide its activities and data. It is often invisible to standard tools like Task Manager or security products. Fortunately, rootkits are rare, because it is hard to create one that works on several Windows versions. The normal way to detect a rootkit is to compare the output of the OS tools with that of specialized tools and check for differences. Common tools for this job are GMER [2] or the Sysinternals RootkitRevealer [3]. As an alternative, offline memory analysis can be used. This technique does not rely on the compromised OS, and it makes it possible to detect unlinked processes or suspicious function hooks.
Unknown Services
To conserve resources, many service DLLs are grouped together and run under a smaller set of svchost.exe instances, the generic Windows service host process. The service configuration, as well as the device driver configuration, is stored in the Registry under HKLM\SYSTEM\CurrentControlSet\Services. There we can find all details about a service, such as its service name, display name, parameters and more.