Today, the most common use for reverse engineering is in targeting malware. Like any other software, malware has its installation process. The difference is that it does not ask for the user's permission to install. Malware does not even install in the Program Files folder where other legitimate applications are installed. Rather, it tends to install its malware file in folders that are not commonly entered by the user, keeping it hidden from notice. However, some malware deliberately makes itself noticeable and generates copies of itself in almost all visible folders, such as the desktop. Its purpose is to get its copies executed by users, be it by an accidental double-click or out of curiosity. This is what we usually call malware persistence.

Persistence is when malware consistently runs in the background. In this chapter, we will point out general techniques used by malware to become persistent. We will also explain common locations where malware files are stored. Major behaviors of malware, and some tools that are capable of identifying how the malware installs itself in the system, will also be shown. Understanding how malware is delivered will definitely help a reverse engineer explain how the attacker was able to compromise the system.

Current Malware Detection Methods

Currently, the most widely used methods of malware detection are anti-malware signatures, heuristic analysis, and runtime behavioral audits.

An anti-malware signature, commonly called a signature or definition, is an algorithm or hash that is used to uniquely identify malware. Signatures are representations of either complete files or pieces of code that have already been discovered to be malicious. This is the most commonly used way to identify and take action against malware today.

Heuristic analysis is the process of analyzing how the code is written and determining whether it is malicious based on assumptions about the code's intended purpose. Heuristics take commonly known indicators into account to arrive at a final conclusion. This approach can, however, lead to many false positives, which is why heuristic analysis is almost always used in combination with another method of identification.

Behavioral audits of malware consist of executing code and observing its interactions with the computer or server at runtime in order to fully understand the code's intent. These audits are usually performed by a person within a virtual or sandboxed environment. These environments shield the person performing the audit from any potential harm the malware may cause while allowing them to see the effects of the code being run.

These detection methods are tried and true approaches to discovering and classifying malware. Each of these methods is used in combination with the others to understand newly discovered malware and pinpoint attack trends. Web security professionals are then able to devise the best ways to protect against these attacks.
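To make the first two methods concrete, here is an added example (not code from the original text or from any vendor) of a minimal scanner that applies a full-file hash signature, then code-fragment signatures, and finally a weighted heuristic score over a few constructed PHP samples. The signature names, weights, threshold and samples are all assumptions made up for the illustration.

```python
import hashlib
import re

# Constructed sample "files" (not real malware): a confirmed-bad file, a lightly edited
# variant, a spacing-obfuscated variant, and a clean file that uses base64 legitimately.
SAMPLES = {
    "known_bad.php":  b"<?php eval(base64_decode('aGVsbG8=')); ?>",
    "variant.php":    b"<?php eval(base64_decode('aGVsbG8=')); // v2 ?>",
    "obfuscated.php": b"<?php eval ( base64_decode ( 'aGVsbG8=' ) ); ?>",
    "clean.php":      b"<?php echo base64_decode('aGVsbG8='); ?>",
}

# Full-file signature: SHA-256 of a file already confirmed malicious (derived from the sample).
FILE_HASH_SIGNATURES = {
    hashlib.sha256(SAMPLES["known_bad.php"]).hexdigest(): "Webshell.Eval.A",
}

# Code-fragment signatures: exact byte patterns lifted from known malicious code.
FRAGMENT_SIGNATURES = {b"eval(base64_decode(": "Webshell.Eval.Fragment"}

# Heuristic indicators: each contributes a weight; reaching the threshold flags the file
# for manual review rather than automatic removal, because heuristics can false-positive.
HEURISTIC_INDICATORS = [
    (re.compile(rb"\beval\s*\("), 2),
    (re.compile(rb"base64_decode"), 1),
    (re.compile(rb"gzinflate|str_rot13"), 1),
]
HEURISTIC_THRESHOLD = 3

def signature_scan(data: bytes):
    """Return the matching signature name, or None. Whole-file hash first, then fragments."""
    name = FILE_HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    return next((n for frag, n in FRAGMENT_SIGNATURES.items() if frag in data), None)

def heuristic_score(data: bytes) -> int:
    return sum(w for pattern, w in HEURISTIC_INDICATORS if pattern.search(data))

def classify(data: bytes) -> str:
    sig = signature_scan(data)
    if sig:
        return f"malicious (signature: {sig})"
    score = heuristic_score(data)
    if score >= HEURISTIC_THRESHOLD:
        return f"suspicious (heuristic score {score}, needs manual review)"
    return "clean"

if __name__ == "__main__":
    for filename, content in SAMPLES.items():
        print(f"{filename}: {classify(content)}")
```

The obfuscated sample slips past both signature checks, which is exactly the gap the heuristic score is meant to close, while the clean file scores below the threshold.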

At SiteLock, we primarily use anti-malware signatures to identify and remove malware automatically from the websites we protect. We manually perform heuristic and behavioral audits to ensure our signatures are accurate and that they do not remove legitimate code.

So where do we go from here? With these three ways of identifying malware, we are safe… right? Not exactly.
