XenoZ
Gold Member

1. RootkitInstallation: MissingDriverLoad
What does it do? Tries to find a driver entry in the registry that does not have the corresponding file on the disk and puts itself in place as the missing file.
What is the risk? A malicious device driver, once loaded, is as dangerous as it gets, since it acts as part of the operating system with maximum privileges.

2. RootkitInstallation: LoadAndCallImage
What does it do? Tries to use a device driver loading API that is commonly, almost always, used by rootkit developers.
What is the risk? A malicious device driver, once loaded, is as dangerous as it gets, since it acts as part of the operating system with maximum privileges.

3. RootkitInstallation: DriverSupersede
What does it do? Tries to overwrite an already existing driver on the disk and load itself as a device driver.
What is the risk? A malicious device driver, once loaded, is as dangerous as it gets, since it acts as part of the operating system with maximum privileges.

4. RootkitInstallation: ChangeDrvPath
What does it do? Tries to change the path of an already existing driver by using the service control manager.
What is the risk? A malicious device driver, once loaded, is as dangerous as it gets, since it acts as part of the operating system with maximum privileges.

5. Invasion: Runner
What does it do? Tries to modify the default browser on the disk and connect to the Internet.
What is the risk? This is a common infection method that can evade firewalls that do not check the integrity of applications.

6. Invasion: RawDisk
What does it do? Tries to access the disk directly and modify its contents.
What is the risk? This is a common infection method that could open many holes, including boot sector infection and device driver loading.

7. Invasion: PhysicalMemory
What does it do? Tries to access physical memory directly and modify its contents.
What is the risk? Accessing physical memory directly creates many security holes by bypassing the standard protection enforced by the operating system.

8. Invasion: FileDrop
What does it do? Tries to drop itself into the system32 directory.
What is the risk? If the virus can drop itself into the system32 folder, it can easily infect one of the critical files in it too.

9. Invasion: DebugControl
What does it do? Tries to access physical memory directly and modify its contents.
What is the risk? Accessing physical memory directly creates many security holes by bypassing the standard protection enforced by the operating system.

10. Injection: SetWinEventHook
What does it do? Tries to inject the malicious DLL using a Windows accessibility API, SetWinEventHook.
What is the risk? A DLL/code injected into another process acts as part of the process it is loaded into and has the same privileges. Malware commonly exploits this method to present itself as a trusted process.

11. Injection: SetWindowsHookEx
What does it do? Tries to inject the malicious DLL using a common Windows API, SetWindowsHookEx.
What is the risk? A DLL/code injected into another process acts as part of the process it is loaded into and has the same privileges. Malware commonly exploits this method to present itself as a trusted process.

12. Injection: SetThreadContext
What does it do? Tries to inject the malicious DLL by using a slightly different method from ProcessInject.
What is the risk? A DLL/code injected into another process acts as part of the process it is loaded into and has the same privileges. Malware commonly exploits this method to present itself as a trusted process.

13. Injection: Services
What does it do? Tries to modify the "Services" key in the registry in order to have itself launched as a service.
What is the risk? The malware will have itself automatically started with Windows. The key can be used to install a rootkit or boot driver that can be used to take over the operating system.

14. Injection: ProcessInject
What does it do? Tries to inject the malicious DLL using one of the most common methods malware writers use.
What is the risk? A DLL/code injected into another process acts as part of the process it is loaded into and has the same privileges. Malware commonly exploits this method to present itself as a trusted process.

15. Injection: KnownDlls
What does it do? Being one of the most difficult infection techniques to detect, it tries to modify an operating system object in memory to get itself loaded into trusted processes.
What is the risk? A DLL/code injected into another process acts as part of the process it is loaded into and has the same privileges. Malware commonly exploits this method to present itself as a trusted process.

16. Injection: DupHandles
What does it do? Tries to access the memory of another process by stealing the handles from a trusted process which already has them.
What is the risk? A DLL/code injected into another process acts as part of the process it is loaded into and has the same privileges. Malware commonly exploits this method to present itself as a trusted process.

17. Injection: CreateRemoteThread
What does it do? Tries to inject the malicious DLL by using a slightly different method from ProcessInject.
What is the risk? A DLL/code injected into another process acts as part of the process it is loaded into and has the same privileges. Malware commonly exploits this method to present itself as a trusted process.

18. Injection: APC dll injection
What does it do? Tries to inject the malicious DLL by using a slightly different method from ProcessInject.
What is the risk? A DLL/code injected into another process acts as part of the process it is loaded into and has the same privileges. Malware commonly exploits this method to present itself as a trusted process.

19. Injection: AdvancedProcessTermination
What does it do? Tries to terminate a process by using debugging APIs.
What is the risk? A process can be terminated in an unexpected manner.

20. InfoSend: ICMP Test
What does it do? Tries to send information to the Internet over the ICMP protocol.
What is the risk? If a firewall does not filter the ICMP protocol, it can miss Trojans that transmit data using ICMP.

21. InfoSend: DNS Test
What does it do? Tries to send information to the Internet by using the Windows DNS APIs.
What is the risk? The Windows DNS APIs use trusted processes to make DNS queries, causing firewalls to miss the actual process behind these requests.

22. Impersonation: OLE automation
What does it do? Tries to start MS Internet Explorer, then attempts to control this instance using OLE automation to transfer information to the Internet server.
What is the risk? Firewalls can be bypassed and malicious files can be downloaded.

23. Impersonation: ExplorerAsParent
What does it do? Tries to use explorer.exe to connect to the Internet.
What is the risk? Firewalls may miss the real applications behind the Internet connection requests.

24. Impersonation: DDE
What does it do? Tries to use Direct Data Exchange (DDE) to control IE's behavior and transfer data to the Internet server.
What is the risk? Firewalls can be bypassed and malicious files can be downloaded from the trusted browser process.

25. Impersonation: Coat
What does it do? Tries to rename itself as the default browser in memory and connect to the Internet.
What is the risk? Firewalls may think the actual process behind the Internet connection request is the trusted browser.

26. Impersonation: BITS
What does it do? Tries to use the Windows Background Intelligent Transfer Service (BITS) to connect to the Internet.
What is the risk? Firewalls can be bypassed and malicious files can be downloaded by using the trusted Windows services.

27. Hijacking: WinlogonNotify
What does it do? Tries to modify the "WinlogonNotify" key in the registry in order to have itself launched with the logon process.
What is the risk? The malware will have itself automatically started every time Windows starts. The fact that this key is not a common startup key that an average diagnostics utility would look for increases the chance of malware survival. This key is also used to inject a DLL into trusted operating system processes.

28. Hijacking: Userinit
What does it do? Tries to modify the "Userinit" key in the registry in order to take the place of userinit.exe, the process responsible for initialization of the user data after logon.
What is the risk? The malware will have itself automatically started every time Windows starts. The fact that this key is not a common startup key that an average diagnostics utility would look for increases the chance of malware survival.

29. Hijacking: UIHost
What does it do? Tries to modify the "UIHost" key in the registry in order to take the place of logonui.exe, the process executed before logon.
What is the risk? The malware will have itself automatically started every time Windows starts. The fact that this key is not a common startup key that an average diagnostics utility would look for increases the chance of malware survival.

30. Hijacking: SupersedeServiceDll
What does it do? Tries to modify the "ServiceDll" key in the registry in order to have itself launched inside the trusted operating system process svchost.exe.
What is the risk? The malware will have itself automatically started every time Windows starts. The fact that this key is not a common startup key that an average diagnostics utility would look for increases the chance of malware survival. This key is also used to inject a DLL into trusted operating system processes.

31. Hijacking: StartupPrograms
What does it do? Tries to modify the "StartupPrograms" key in the registry in order to have itself launched when Windows starts.
What is the risk? The malware will have itself automatically started every time Windows starts. The fact that this key is not a common startup key that an average diagnostics utility would look for increases the chance of malware survival.

32. Hijacking: ChangeDebuggerPath
What does it do? Tries to modify the "Debugger" key in the registry in order to have itself launched when a program crashes.
What is the risk? The malware will have itself automatically started every time a program crashes. The fact that this key is not a common startup key that an average diagnostics utility would look for increases the chance of malware survival. This key is also used to inject a DLL into trusted processes.

33. Hijacking: AppinitDlls
What does it do? Tries to modify the "AppInitDlls" key in the registry in order to have itself injected into every process.
What is the risk? The malware will have itself automatically started every time a program starts. The fact that this key is not a common startup key that an average diagnostics utility would look for increases the chance of malware survival. This key is also used to inject a DLL into trusted processes.

34. Hijacking: ActiveDesktop
What does it do? Tries to change the Windows Active Desktop wallpaper.
What is the risk? An embedded HTML file can allow transmitting data by using the trusted process explorer.exe and can be used to steal confidential information.
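The list above names the registry locations the driver-installation tests (1, 3, 4) and the hijacking tests (27-33) target, which is also where a responder would go to check whether any of them succeeded on a real box. The script below is an added example written for this page; it is not part of XenoZ's post and not Comodo's own leak-test code. It is a read-only PowerShell audit that walks the Winlogon Userinit/UIHost/Notify values, AppInit_DLLs, Image File Execution Options Debugger entries, every svchost ServiceDll and every kernel/file-system driver ImagePath, and reports entries that deviate from a baseline. The "expected" defaults (the trailing-comma Userinit string, the absence of UIHost and Notify packages on post-XP systems, Microsoft-signed driver and ServiceDll files) are assumptions about a stock modern Windows install, as is the Resolve-ImagePath normalisation of the path forms found under Services; adjust them to your own gold image.

```powershell
# Added example, not from the original post or from Comodo's CLT: read-only audit
# of the registry locations abused by CLT tests 1, 3, 4 and 27-33. Run elevated.
# Baseline values below are ASSUMPTIONS for a stock modern Windows install.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Location, [string]$Value, [string]$Why) {
    $findings.Add([pscustomobject]@{ Location = $Location; Value = $Value; Why = $Why })
}

# Normalise the path forms seen under Services: "\??\C:\x.sys", "\SystemRoot\System32\...",
# bare "System32\drivers\x.sys", quoted paths and %SystemRoot%-style strings (assumed forms).
function Resolve-ImagePath([string]$p) {
    $p = [Environment]::ExpandEnvironmentVariables($p).Trim('"')
    if ($p -like '\??\*')           { $p = $p.Substring(4) }
    if ($p -like '\SystemRoot\*')    { $p = $p.Substring(12) }
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# True when the file has a valid Authenticode signature whose signer subject names Microsoft.
# Catalog-signed OS files only validate this way on Windows 8+ / PowerShell 4+.
function Test-MicrosoftSigned([string]$path) {
    $sig = Get-AuthenticodeSignature -FilePath $path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'Microsoft')
}

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon
# 28. Userinit: default is "<system32>\userinit.exe," (the trailing comma is part of the value).
if ($wl.Userinit -and $wl.Userinit -ne "$env:SystemRoot\system32\userinit.exe,") {
    Add-Finding "$winlogon\Userinit" $wl.Userinit 'Userinit hijack (CLT 28)'
}
# 29. UIHost only exists on XP-era systems; any value on a newer build is suspicious.
if ($wl.PSObject.Properties['UIHost']) {
    Add-Finding "$winlogon\UIHost" $wl.UIHost 'UIHost set (CLT 29)'
}
# 27. Winlogon\Notify packages (XP-era): each DllName is loaded into winlogon.exe.
if (Test-Path "$winlogon\Notify") {
    foreach ($k in Get-ChildItem "$winlogon\Notify") {
        $dll = (Get-ItemProperty $k.PSPath).DllName
        if ($dll) { Add-Finding $k.PSPath $dll 'Winlogon Notify package (CLT 27)' }
    }
}

# 33. AppInit_DLLs: a non-empty list is loaded into every process that links user32.dll.
$windowsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$win = Get-ItemProperty -Path $windowsKey
if ($win.AppInit_DLLs) {
    Add-Finding "$windowsKey\AppInit_DLLs" $win.AppInit_DLLs "AppInit_DLLs set, LoadAppInit_DLLs=$($win.LoadAppInit_DLLs) (CLT 33)"
}

# 32. IFEO\<exe>\Debugger is launched in place of <exe>, with <exe> passed as its argument.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($k in Get-ChildItem $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty $k.PSPath).Debugger
    if ($dbg) { Add-Finding $k.PSPath $dbg 'IFEO Debugger set (CLT 32)' }
}

# Services: driver entries (CLT 1, 3, 4) and svchost-hosted ServiceDll values (CLT 30).
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty $svc.PSPath
    # Type 1 = kernel driver, 2 = file system driver.
    if (($props.Type -in 1, 2) -and $props.ImagePath) {
        $path = Resolve-ImagePath $props.ImagePath
        if (-not (Test-Path $path)) {
            Add-Finding $svc.PSPath $props.ImagePath 'Driver file missing: MissingDriverLoad target (CLT 1)'
        } elseif (-not (Test-MicrosoftSigned $path)) {
            Add-Finding $svc.PSPath $props.ImagePath 'Driver not Microsoft-signed: check for supersede/path change (CLT 3, 4)'
        }
    }
    $params = "$($svc.PSPath)\Parameters"
    if (-not (Test-Path $params)) { continue }
    $dll = (Get-ItemProperty $params).ServiceDll
    if (-not $dll) { continue }
    $dllPath = Resolve-ImagePath $dll
    if (-not (Test-Path $dllPath)) {
        Add-Finding $params $dll 'ServiceDll missing on disk (CLT 30)'
    } elseif (-not (Test-MicrosoftSigned $dllPath)) {
        Add-Finding $params $dll 'ServiceDll not Microsoft-signed (CLT 30)'
    }
}

$findings | Sort-Object Why | Format-Table -AutoSize -Wrap
```

The output is a triage list, not a verdict: legitimate third-party drivers and service DLLs (graphics, storage, endpoint agents) will show up under the "not Microsoft-signed" rows, so compare against a known-good image of the same build rather than treating every row as an infection. The rows that deserve immediate attention are a driver entry whose file is missing (exactly what test 1 looks for before dropping its own file there), a Userinit value with anything besides userinit.exe in it, any IFEO Debugger pointing outside a debugger you installed, and any AppInit_DLLs entry with LoadAppInit_DLLs enabled.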