Detect target, exit ... and after a certain number of exits, destroy the computer ...
This article will be a starting point, or the basis, for other, eventual articles of intervention in the system.
Imagine that you want to write malware / virus / rootkits. Do you know how to cover? Do you know what the logic of viruses is, and what the crap of the tools to detect a virus?
For every malware, if it is not written by children somewhere at home via "password authentication via $ net user", it is necessary to realize on which computer (computer of whom) the malware is running.
Every creator of malware needs to ensure that the malware may not be known until the last possible moment, while eliminating the possibility of running on a computer belonging to a more proficient user or the tester himself.
So, as I have described many times, new malware, in order to be in a low AV database, must first be captured and sent to that AV company.
Obviously, trying to keep new malware is quite important, especially when created Zoombie Sites.
There is a lot of hiding tactics and the possibility of some elimination, as soon as the infected file is launched.
Today we will describe one part that gives malware a kind of "higher" intelligence, to perform a "certain" action in a given situation.
Let's imagine a slightly more complex malware system. If someone detect an ordinary keylogger, I'll release another.
But what if I have created bootnets ... With 5000 computers, it would be hard on every machine to re-record an undetectable version of the zombies and, as a result, I would lose my computers. Although it is true that over time can not prevent, but how to eliminate all this until the last moment?
Logic of Thinking
We want malware to infect as many computers as possible.
I need malware to first find out how much experienced a person is with a computer, and when is the last moment before revealing when "I can delete myself from getting into AV to disassemble".
---> Before activating, find out what programs are stored on computer - (1)
---> Find out what programs are installed on computer - (2)
|--> If you do not detect unwanted programs on your computer, activate it - (2.1)
|--> If the program detects unwanted programs, perform the operation (xx) - (2.2)
---> Continue running on the background - create threads (3)
---> Observe in one thread what processes are running or are started (4)
--> If an unwanted process is detected on your computer, perform the operation (xx) - (5)
Malware may contains a list of files/installations/parts, used by more experienced users or testers.
Going over the computer and evaluating whether to do a percentage calculation is trivial.
And based on it, malware can decide and perform the operation by calling the function (xx).
At this point (2), for example, malware is deleted, dropped on a targeted computer, deleted HDD, reformats all media, ... countless options ... but, more interesting is point (4), and it detects when malware is already in place.
Malware is running, blocking it for example regedit.exe, taskmgr.exe, etc. . But, what if I run tools like Hijackthis.exe, Combofix.exe, RSIT.exe ??
Ok, malware can block them by default. But ... what if I rename them? ...
And what if I want to block (disable) these utilities, for example, only for 5 times? It means that after the 5th run, we call (xx) - the malware evaluates the situation as critical (someone is trying to dump the running services - it is high time to delete but still destroy the computer) and invokes function XX.
It is clear that it is necessary to master the functioning of the OS as well as the programs themselves at an excellent level.
I will come back to programs like RSIT, HJT, COMBOFIX in another article, but I dedicate the article itself to safety fails of combofix and I really doubt that someone will be excited ...
Now, however, I would like to present the theory described with some practice that I simulated in the video:]]