Saturday, 12 January 2013

Common Windows API used by Malware

Windows Malware often interacts with the Windows Operating System's API in order to perform various functionality. Identifying the API functions used by the malware can give insights on the capabilities of the malware, identify locations in binaries for deeper static and dynamic analysis of those capabilities and on the whole aid in identifying host and network based indicators. Here's a look at some of the Windows API commonly used by malware.

File System Functions
CreateFile - used to create and open files, pipes, streams and I/O devices.
ReadFile - used for reading files.
WriteFile - used for writing to files.
CreateFileMapping - loads a file from disk into memory.
MapViewOfFile - returns a pointer to the base address of the mapping of a file in memory.
File System Host Based Indicators
Files/Folders - that are created, accessed, deleted and/or modified by malware.
Shared files - for example, \\<server_name>\\<share_name> or \\?\\<server_name>\<share_name>.
Files accessible via Windows NT namespaces - for example, using the \\.\ prefix to access physical devices directly.
Alternate Data Streams - additional data to be added to an existing file within NTFS.

Registry Functions
RegOpenKeyEx - opens a registry key for editing/querying.
RegSetValueEx - creates a new value in the registry and sets its value.
RegGetValue - gets the data for a registry key's value.
Registry Host Based Indicators
Registry Keys - that are created, accessed, deleted and/or modified by malware.
Registry Keys that enable persistence

Networking Functions 
WSAStartup - must be called before any other networking function can be called. Allocates resources for the networking libraries.
WSAGetLastError - returns the error status for the last Winsock operation that failed.
(Winsock API)
Socket - creates a socket.
Bind - attaches a socket to a particular port, prior to the accept call.
Listen - socket will be listening for incoming connections.
Accept - opens a connection to a remote socket and accepts the connection.
Connect - opens a connection to a remote socket; the remote socket must be waiting for the connection.
Recv - receives data from the remote socket.
Send - sends data to the remote socket.
(Wininet API)
InternetOpen - initializes a connection with the internet.
InternetOpenUrl - connect to a URL via HTTP or FTP.
InternetReadFile - reads data from a file downloaded from the internet.
Network Based Indicators
IP Addresses - for remote access.
Heuristics of communication patterns - an example of this is how malware communicates with the outside world, what would the handshake be? Is there an exchange of keys? What form of encoding/encryption is used? Etc.
Heuristics of propagation patterns - an example of this would be how malware remotely propagates itself, does it extract contact information from the existing target and sends out social engineering emails? Etc.
Client/Server Port - that the malware is listening on.
Dynamic DNS Names - for remote access.

Process & Thread Manipulation Functions 
CreateProcess - create a new process.
CreateThread - creates a new thread.
LoadLibrary - loads a specified module into the address space of the calling process. The specified module may cause other modules to be loaded.
Process & Thread Host Based Indicators
Process and Threads - that are created by malware.
Injection of malicious dlls into existing processes.

Mutex Manipulation Functions 
CreateMutex - creates a mutex.
OpenMutex - enables a process to gain a handle on another process' mutex.
ReleaseMutex - releases access to a mutex.WaitForSingleObject - enables a thread to gain access to a mutex. If access to the mutex is currently held by another thread, the calling thread will have to wait.
Mutex Host Based Indicators
Mutex Names - are normally fixed, one example of use is for the malware to be able to check and prevent itself from being installed multiple times on the same client.

Windows Services Manipulation Functions
OpenSCManager - returns a handle to the service control manager.
CreateService - creates a new service and adds it to the service control manager.
StartService - starts a service that is set to start manually.
Services Host Based Indicators
Services - that have been created, started or stopped by malware.

Malware Persistence Without the Windows Registry (Mandiant's M-Unition Blog)
Digital Forensics: Persistence Registry Keys (SANS DFIR Blog)
Using Public DNS Servers to Bypass DNS Filtering (Running The Gauntlet)

Practical Malware Analysis - by Michael Sikorski and Andrew Hoing

No comments:

Post a Comment