Evasion through Injection: malware payload mechanism

For a long time now, malware has been using process injection as part of its infection or payload mechanisms. There are various reasons why the bad guys use process injection in their malware, including:

  • attempting to evade client firewalls (for example, injection of downloading code into processes that will already be trusted through the firewall)
  • hiding activity (making it harder for the user to notice, and therefore remove, a rogue process)

There are various ways of injecting code into other processes. In this post, I will share just a couple of the common methods we see malware use.

Perhaps the crudest method is for a malicious process to write a complete copy of itself into the memory space of the target process, and then run that code. Many downloader Trojans use this technique, as a way of attempting to bypass client firewalls.

A piece of malware analysed in the lab last week demonstrates this technique perfectly. When run, Troj/Agent-FVU does the following:

1. Create the host process, in this case launching a new instance of svchost.exe (the legitimate system process).

[Create svchost.exe process]

2. Allocate a block of memory within the address space of this new svchost.exe process. In this example the VirtualAllocEx() API was used.

[Allocate memory]

3. Perform the memory write, writing the malicious code (copy of the Trojan, file size 22000h) into the virtual address space of svchost.exe

[Perform memory write]

Looking at the virtual address space within svchost.exe we can see copy of the malicious file written to memory (at 0x400000h):

[Dump of memory]

4. Run the malicious code. There are several ways to achieve this. Most commonly CreateRemoteThread() or ResumeThread() constructs are used.

[Run malicious code]

Several other pieces of malware use a slightly less blatant approach, achieving process injection in a more subtle way. The next example shows a technique that is frequently used by malware whose payload is delivered by a dropped malicious library (DLL). The Troj/Sers-Gen family demonstrate this method perfectly:

1. Drop DLL to disk (in this case %sysdir%\audiovbb.dll)

2. Enumerate processes, looking for target process (in this case explorer.exe)

[Enumerate processes]

3. Allocate a block of memory within the address space of the target process and perform the memory write. Instead of writing code to be executed into the target process, just the path to the dropped DLL is written.

[Perform memory write]

4. We can see the written data when we inspect the relevant address.

[Dump memory]

5. Finally, to run the malicious code (in this case, load the malicious library). Here, CreateRemoteThread() is used in order to load the malicious library via LoadLibrary().

[Run malicious code]

Of course, there are several other techniques used by malware to run malicious code within other processes. This is one area where deployment of a quality client firewall can help. Aside from the regular firewalling of network traffic, several products, including the Sophos Client Firewall, actively block many of the process injection techniques used by malware.