What is a Malicious App and How to Spot One?
Malicious App Definition. Blacklisting and Whitelisting Apps. Protecting Your Assets against Malicious Apps
We’re all familiar with terms such as “threat-hunting”, “boots on the ground Intelligence” or “DNS traffic filtering.” Going back to one’s roots is always a good idea and today I’ll do just that. This article is dedicated to malicious applications. Indeed, we are going to talk about the malicious app definition, what makes an app malicious, typical behavioural patterns, and how to protect your digital assets against malicious applications. As always, stay safe and enjoy your Friday afternoon read.
Defining Malicious Applications
So, what is a malicious application? According to the paper “The World of Malware: An Overview” a malware is defined as:
“a program code that is hostile and often used to corrupt or misuse a system. Introducing malware into a computer network environment has different effects depending on the design intent of the malware and the network layout. Malware detection and prevention systems are bypassed by malicious files in computer systems as malware becomes more complex and large in numbers”.
Mind you that this definition is not all-encompassing, mostly because it does not factor in pseudo malicious endeavors such as hacktivism. Anyway, from this definition we can infer the following aspects related to malicious apps:
- A malicious app is a software or piece of code designed for nefarious purposes. As practice shows us, these purposes can range from recon (i.e., gathering intel on a designated target to track movement and identify vulnerabilities) to intentionally damage tangible or intangible assets (i.e., pre-attack actions undertaken to weaken cyber-defenses).
- A malicious application has evasion capabilities. As you know, most of the apps we have installed on our endpoints are digitally-signed and are, as we say, out there in the open. Malicious apps use various TTPs (Tactics, Techniques, and Procedures) to evade digital signature enforcement or even to masquerade as legitimate applications. Obfuscation, as it is called in cybersecurity, is an important property of malware. Without it, even the most basic antivirus or firewall, or antimalware solution can detect the malicious app.
- Malicious apps are protean in nature. In the malware world, continuous evolution equals survival. If malware developers (hackers) cannot keep up with all the developments in cybersecurity, their creations become utterly useless.
So, by design, malicious apps are ‘slingshotted’ into the open with the intent of harming, eavesdropping or soften up defenses. Now, the question at hand here is how do we identify malicious applications? Studying their behavior might give us some clues. Let’s take a look at some of them.
Heimdal® Threat Prevention - Endpoint
- Machine learning powered scans for all incoming online traffic;
- Stops data breaches before sensitive info can be exposed to the outside;
- Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
- Protection against data leakage, APTs, ransomware and exploits;
Typical Malicious Behavior
Here are some of the most common behavioral patterns of malicious applications.
Any application that is designed to extract credentials through packet sniffing, keylogging, ‘dumpster diving’ or other methods can be considered malicious. Of course, the best defense would be to deploy and use an efficient antimalware solution.
Any type of activity that supersedes normal system processes by introducing malicious binaries or code pieces should be labeled as malicious. The ‘most’ targeted system processes are regsvr32.exe and svchost.exe.
Dynamic-Link Library injection and\or replacement
Any type of action undertaken to externally manipulate a functioning DLL (i.e., writing a path to a DLL found inside an app’s process and then executing malicious code via a remote-controlled thread) is considered malicious behavior. In some cases, the legit DLLs can be swapped with fake (and malicious) processes. This is called DLL replacement.
In some instances, attackers might use the hook injection technique in order to gain access to core memory functions. This technique involves loading and running a piece of malicious code inside the environment of a running program.
It’s not uncommon for a previously removed program to linger in the Windows registry. Of course, these ‘breadcrumbs’ can be successfully cleared with tools such as CCleaner, AVG PC Tune-up Utilities, or CleanMyPC. However, when those bits won’t go away and they start modifying registry keys or values, you might have a malicious app on its hand. Word of caution: do not reboot or shut down your PC if you have a registry ‘worm’. Doing so will only grant the malicious app more rights.
‘Trojanazing’ commonly used system binaries
Although an uncommon malicious technique, it’s deadly efficient and quite hard to detect and root out. The purpose of this action is to compromise commonly used system binaries, effectively turning them into bit-sized trojans. This is achieved through fake patching. Once the fake binaries are loaded and run, they will grant hackers access to key memory areas.
Hijacking the DLL load order
Every time your computer boots, the OS will start looking for DLLs. Why? Because executables love DLLs and DLLs relish on executables. This is done, of course, in a certain order. Here’s the catch: if the path to a specific DLL is not hard coded (i.e., set in stone), a malicious piece of code can be introduced in this search order, which would result in the executable loading it.
Parting thoughts and recommendations
As to the malicious app definition, I would conclude that any piece of software designed to intentionally harm an endpoint or network infrastructure, unlawfully gather data, or conduct covert reconnaissance to identify potential vulnerabilities can be classified as a malicious application. Knowledge is power and, in cybersecurity, knowing what you’re up against makes the difference between a quiet day at the office and working overtime to restore networks and PCs.
Extra protection is always warranted, and a good anti-malware solution will safeguard you against all imaginable types of malware and, of course, the malicious behaviors that I’ve just described. Heimdal™ Security’s Threat Prevention – Endpoint can protect your company’s assets against newfangled TTPs, APTs, botnetting, viruses, worms, trojans, and everything that lurks in the dark corners of the Internet. As always, stay safe, stay frosty, keep an eye on assets, patch your heart out, and take action before it’s too late.