One technique for embedding these additional components within Windows malware is to make use of the resource sections within Windows binaries.
NOTE: The resource section within a Windows PE binary is designed to hold customizable data blobs that can be modified independently of the program code. Resources often include bitmaps for program icons, dialog box templates, and string tables that make it easier to internationalize a program through the inclusion of strings based on alternate character sets.
Windows offers the capability to embed custom binary resources within the resource section. Malware authors have taken advantage of this capability to embed entire binaries, such as additional executables or device drivers, into the resource section. When the malware initially executes, it makes use of the LoadResource function to extract the embedded resource from its own image and then saves it to the local hard drive.
Use of Encryption
In the past it was not uncommon to see malware that used no encryption at all to hinder analysis. Over time, malware authors have jumped on the encryption bandwagon as a means of obscuring their activities, whether they seek to protect communications or to prevent disclosure of the contents of a binary.
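The two observations above (a second PE image carried inside the resource section, and encrypted blobs that hinder static analysis) both leave a signature an analyst can check for during triage. The following added example is not from the book; it is a standalone Python script that scans a byte buffer for embedded PE images (an "MZ" header whose e_lfanew field points at a valid "PE\0\0" signature) and flags high-entropy windows, which is the usual heuristic for spotting encrypted or compressed payloads. The sample buffer is constructed inline: a fake host binary, a SHA-256-derived blob standing in for an encrypted region, and a second minimal PE header dropped after it. The function and threshold names are this example's own choices, not anything the book or Windows defines.

```python
import hashlib
import math
import struct
from typing import Dict, List, Tuple

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for constant data, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_embedded_pe(buf: bytes) -> List[int]:
    """Offsets of every 'MZ' header whose e_lfanew (DOS header offset 0x3C)
    points at a 'PE\\0\\0' signature. Offset 0 is the host binary itself;
    any later hit is a candidate dropped executable or driver."""
    hits = []
    pos = buf.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            sig_off = pos + e_lfanew
            # Sanity-bound e_lfanew: real headers sit just past the DOS stub.
            if 0x40 <= e_lfanew < 0x1000 and buf[sig_off:sig_off + 4] == PE_SIG:
                hits.append(pos)
        pos = buf.find(MZ, pos + 1)
    return hits


def high_entropy_windows(buf: bytes, window: int = 1024, step: int = 512,
                         threshold: float = 7.0) -> List[Tuple[int, float]]:
    """Sliding-window entropy scan; windows above the threshold are reported.
    7.0 bits/byte is a common (assumed, tunable) cut-off for ciphertext."""
    out = []
    for off in range(0, len(buf), step):
        h = shannon_entropy(buf[off:off + window])
        if h > threshold:
            out.append((off, round(h, 2)))
    return out


def triage(buf: bytes) -> Dict[str, list]:
    """Combine both checks into one triage report."""
    return {
        "embedded_pe": find_embedded_pe(buf),
        "high_entropy_offsets": [off for off, _ in high_entropy_windows(buf)],
    }


def build_minimal_pe_header() -> bytes:
    """Constructed 128-byte stub: 'MZ', e_lfanew = 0x40, 'PE\\0\\0' at 0x40."""
    hdr = bytearray(0x80)
    hdr[0:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = PE_SIG
    return bytes(hdr)


def constructed_sample() -> bytes:
    """Constructed test image: host stub + low-entropy code (1128 bytes),
    a 2048-byte pseudo-random blob standing in for an encrypted payload,
    then a second PE header at offset 3176 followed by zero padding."""
    host = build_minimal_pe_header() + b"HOST CODE " * 100
    encrypted = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    embedded = build_minimal_pe_header() + b"\x00" * 512
    return host + encrypted + embedded


if __name__ == "__main__":
    report = triage(constructed_sample())
    print("embedded PE headers at:", report["embedded_pe"])
    print("high-entropy windows at:", report["high_entropy_offsets"])
```

On the constructed sample the report lists two PE headers (offset 0 is the host, 3176 the embedded one) and flags the windows that fall inside the pseudo-random region. On a real file the same scan is only a lead: a legitimate binary can carry compressed resources or signed certificate blobs that also score high, so each hit still needs to be carved and inspected.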