Encryption algorithms
seen in the wild range from simple XOR encodings to compact ciphers such as the Tiny
Encryption Algorithm (TEA), and occasionally more sophisticated ciphers such as DES.
The need for self-sufficiency tends to restrict malware to the use of symmetric ciphers,
which means that decryption keys must be contained within the malware itself. Malware
authors often try to hide the presence of their keys by further encoding or splitting the keys
using some easily reversible but hopefully difficult to recognize process. Recovery of any
decryption keys is an essential step for reverse engineering any encrypted malware.
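The following is an added example (not code from the book) of the pattern just described: a payload encrypted with TEA, whose 128-bit key has been XOR-masked and split into two fragments so that no recognizable 16-byte key sits in the binary, together with the analyst-side routine that reverses the hiding and decrypts. The key value, mask byte, and payload text are constructed for the example. Since TEA uses 32 rounds of a fixed Feistel step, the block functions below implement the standard TEA round; in a disassembly, the constant 0x9E3779B9 (the TEA/XTEA delta) or its 32-round sum 0xC6EF3720 is usually the first clue that this cipher family is present.

```python
# Added example: TEA-encrypted payload with an obfuscated embedded key,
# and the recovery steps an analyst performs. Not from the book.
import struct

DELTA = 0x9E3779B9          # TEA "magic" constant; a tell-tale in disassembly
MASK = 0xFFFFFFFF


def tea_encrypt_block(v0, v1, k):
    """One 64-bit TEA block, 32 rounds, k = four 32-bit key words."""
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, k):
    """Inverse of tea_encrypt_block: same rounds, run backwards."""
    s = (DELTA * 32) & MASK  # 0xC6EF3720, the value of s after 32 rounds
    for _ in range(32):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def tea_encrypt(data, key):
    """ECB over 8-byte blocks, little-endian words, zero padding (assumptions)."""
    data = data + b"\x00" * (-len(data) % 8)
    k = struct.unpack("<4I", key)
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out += struct.pack("<2I", *tea_encrypt_block(v0, v1, k))
    return bytes(out)


def tea_decrypt(data, key):
    k = struct.unpack("<4I", key)
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out += struct.pack("<2I", *tea_decrypt_block(v0, v1, k))
    return bytes(out)


# --- "malware side": how the sample's embedded data could have been built ---
REAL_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")   # constructed
XOR_MASK = 0x5A                                                # constructed
PLAINTEXT = b"config: c2=example.invalid; sleep=300"            # constructed


def hide_key(key, mask=XOR_MASK):
    """XOR every key byte with a constant and split the result in two,
    so the real key never appears contiguously in the binary."""
    enc = bytes(b ^ mask for b in key)
    return enc[:8], enc[8:]


# These two fragments would typically live in unrelated .data locations.
KEY_PART_A, KEY_PART_B = hide_key(REAL_KEY)
PAYLOAD = tea_encrypt(PLAINTEXT, REAL_KEY)


# --- analyst side: undo the key hiding, then decrypt the payload ---
def recover_key(part_a, part_b, mask=XOR_MASK):
    """Reassemble the fragments and strip the XOR mask (both learned
    by reading the decryptor's key-setup code in the disassembly)."""
    return bytes(b ^ mask for b in part_a + part_b)


def recover_payload(ciphertext, part_a, part_b, mask=XOR_MASK):
    key = recover_key(part_a, part_b, mask)
    return tea_decrypt(ciphertext, key).rstrip(b"\x00")


if __name__ == "__main__":
    print("recovered key :", recover_key(KEY_PART_A, KEY_PART_B).hex())
    print("recovered data:", recover_payload(PAYLOAD, KEY_PART_A, KEY_PART_B))
```

In practice the mask and the reassembly order are read directly from the malware's own key-setup routine; the only thing the analyst has to get right is the word size and byte order used when the 16 key bytes are loaded into the four round-key words, which is why the struct format strings above are called out as assumptions.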
User Space Hiding Techniques
Malware has been observed to take any number of steps to hide its presence on an
infected system. By hiding in plain sight within the clutter of the Windows system directory
using names that a user might assume belong to legitimate operating system components,
malware hopes to remain undetected. Alternatively, malware may choose to
create its own installation directory deep within the install program's hierarchy in an
attempt to hide from curious users. Various techniques also exist to prevent installed
antivirus programs from detecting a newly infected computer.