By specifying a value for the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key, for example, a program can be named to start
each time a user logs in.
Other registry manipulations include installing malware components as extensions
to commonly used software such as Windows Explorer or Microsoft Internet Explorer.
Chapter 21: Hacking Malware
Gray Hat Hacking: The Ethical Hacker's Handbook, Part V
More recently, malware has taken to installing itself as an operating system service or
device driver so that components of the malware operate at the kernel level and are
launched at system startup.
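The Run key described above is one of the first places an analyst checks for persistence. As an added example (not code from the book), the following Python audits a text export of that key, as produced by `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`, lists every autostart entry, and flags entries whose program lives outside the usual Windows and Program Files directories. The sample export embedded below is constructed, and the directory whitelist is a heuristic assumption for illustration.

```python
"""Audit a `reg export` of the HKLM Run key for autostart entries.

Added example, not from the book. Parses the .reg text format and flags
entries whose program path is outside the expected system directories.
The sample export below is constructed for demonstration.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample export. In the .reg format a backslash is written as
# "\\" and an embedded quote as "\"" inside the value data.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
"updater"="C:\\Users\\Public\\svchost.exe"
'''

# A REG_SZ value line looks like:  "Name"="data"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Assumed whitelist of locations where legitimate autostart programs normally live.
TRUSTED_PREFIXES = ("%windir%", "%systemroot%", "c:\\windows", "c:\\program files")


def unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " (processed left to right)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(reg_text, key=RUN_KEY):
    """Return {value_name: command_line} for the string values under `key`."""
    entries = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # A new key header: only collect values while inside the Run key.
            in_key = line[1:-1].lower() == key.lower()
            continue
        if not in_key or not line:
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data = (unescape(part) for part in m.groups())
            entries[name] = data
    return entries


def program_path(command):
    """Extract the executable path from a Run value.

    Quoted paths are taken whole; unquoted ones are cut at the first space,
    which is a heuristic (an unquoted path containing spaces is truncated).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_entries(entries):
    """Entries whose program sits outside the trusted directories, lower-cased."""
    flagged = {}
    for name, cmd in entries.items():
        path = program_path(cmd).lower()
        if not path.startswith(TRUSTED_PREFIXES):
            flagged[name] = path
    return flagged


if __name__ == "__main__":
    found = parse_run_entries(SAMPLE_REG_EXPORT)
    for name, cmd in found.items():
        print(f"{name!r}: {cmd}")
    for name, path in suspicious_entries(found).items():
        print(f"SUSPICIOUS autostart {name!r} -> {path}")
```

Running the script on a real export only requires reading the file into `parse_run_entries`; the same parser works for the per-user `HKEY_CURRENT_USER\...\Run` key by passing that key name. The whitelist is deliberately simple: a program under a user-writable directory such as `C:\Users\Public` is the pattern worth a second look, not proof of malware.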
Reference
Alisa Shevchenko, www.net-security.org/article.php?id=1028
Peeling Back the Onion: De-obfuscation
One of the most prevalent features of modern malware is obfuscation. Obfuscation is the
process of modifying something so as to hide its true purpose. In the case of malware,
obfuscation is used to make automated analysis of the malware nearly impossible and to
frustrate manual analysis to the maximum extent possible. There are two basic ways to
deal with obfuscation. The first way is to simply ignore it, in which case your only real
option for understanding the nature of a piece of malware is to observe its behavior in a
carefully instrumented environment as detailed in the previous chapter.