WEBVTT 1 00:00:00.080 --> 00:00:04.480 Imagine this digital parasite so cunning it can live inside 2 00:00:04.480 --> 00:00:09.119 your computer for weeks, just watching silently, making sure it 3 00:00:09.119 --> 00:00:12.039 stays completely hidden. It's kind of chilling, right, it really is. 4 00:00:12.119 --> 00:00:14.800 And what's fascinating, I think is the sheer ingenuity behind 5 00:00:14.839 --> 00:00:17.960 it all. This isn't always about instant damage. Often its stealth, 6 00:00:18.280 --> 00:00:21.239 long term access, you know, outburning right under our noses. 7 00:00:21.280 --> 00:00:25.039 Okay, yeah, let's unpack that. We're diving deep into these well, 8 00:00:25.199 --> 00:00:29.079 really clever tactics malware uses to stay invisible. We've got 9 00:00:29.120 --> 00:00:31.679 some great material here from a technical book that really 10 00:00:31.719 --> 00:00:35.359 breaks down how these things hide, dodge security, and just 11 00:00:36.520 --> 00:00:41.000 generally cause headaches for analysts. Our mission today pull out 12 00:00:41.039 --> 00:00:43.719 the most surprising, the most crucial bits of this whole 13 00:00:43.759 --> 00:00:45.359 digital cloak and dagger scene. 14 00:00:45.439 --> 00:00:48.039 And it's not just theoretical stuff. Understanding this is actually 15 00:00:48.079 --> 00:00:51.159 super valuable for well anyone online, whether you're in security 16 00:00:51.280 --> 00:00:55.119 or just tech curious. Grasping these ideas really shows why 17 00:00:55.159 --> 00:00:58.079 cybersecurity is such a constant battle, why we need innovation. 18 00:00:58.560 --> 00:01:00.960 Absolutely, we're going to cut through the jargon, try to 19 00:01:01.000 --> 00:01:04.560 show you how malware becomes this ultimate digital illusionist, how 20 00:01:04.560 --> 00:01:06.640 it knows if it's in a sandbox, how it confuses 21 00:01:06.680 --> 00:01:09.920 analysis tools, the really sneaky ways it hides what is 22 00:01:10.000 --> 00:01:10.760 actually doing. 23 00:01:10.879 --> 00:01:13.519 Yeah, the technical sophistication is pretty amazing. I mean, these 24 00:01:13.519 --> 00:01:16.560 are clever solutions, even if they are, you know, malicious. 25 00:01:16.640 --> 00:01:19.079 All right, So let's start at square one. How does 26 00:01:19.159 --> 00:01:21.640 malware first get a feel for its environment? Like a 27 00:01:21.680 --> 00:01:28.480 burglar checking if anyone's home, but digitally enumerting OS artifacts. 28 00:01:28.480 --> 00:01:29.560 What's that actually involve? 29 00:01:30.120 --> 00:01:32.040 Well, one of the first things it does is sort 30 00:01:32.040 --> 00:01:35.719 of take stock. It looks at running processes, files, folders, 31 00:01:35.840 --> 00:01:39.680 shared network drives. Like if it sees analysis software running 32 00:01:40.280 --> 00:01:43.280 or just way fewer user files than you'd expect, that's 33 00:01:43.280 --> 00:01:45.439 a red flag, might be a sandbox. The key thing 34 00:01:45.480 --> 00:01:48.200 is the malware authors expect this. They build these checks. 35 00:01:48.000 --> 00:01:50.000 In right, So it's like checking the guest list for 36 00:01:50.480 --> 00:01:53.799 undercover cops. Yeah, and it digs deeper than just files, right. 37 00:01:53.920 --> 00:01:55.959 Something about the Windows registry exactly. 38 00:01:56.359 --> 00:02:00.359 The registry is like the system's central control panel can 39 00:02:00.400 --> 00:02:04.319 look for specific keys, specific entries that are known markers 40 00:02:04.319 --> 00:02:07.719 for vms like VirtualBox or VMware. It might search for 41 00:02:07.799 --> 00:02:11.360 keys with names like vbox or VMware. It's like looking 42 00:02:11.360 --> 00:02:14.639 for manufacturer labels on the furniture gives the game away. 43 00:02:14.919 --> 00:02:19.919 H a digital fingerprint scanner for vms. And what about 44 00:02:19.919 --> 00:02:21.479 pipes not the plumbing kind? 45 00:02:21.520 --> 00:02:25.479 I guess yeah No. In Windows, pipes are communication channels 46 00:02:25.479 --> 00:02:29.360 between programs. Vms often set up unique ones. Malware can 47 00:02:29.400 --> 00:02:32.039 look for these specific pipe names. Like there's a tool 48 00:02:32.159 --> 00:02:34.800 pipe list. It can spot one called v goth service. 49 00:02:34.840 --> 00:02:37.400 That's VMware. So if the malware finds that pipe that 50 00:02:37.479 --> 00:02:39.759 specific channel, pretty good sign it's in VMware. 51 00:02:39.800 --> 00:02:42.000 That's clever, like a secret knock. Only the VM no 52 00:02:42.479 --> 00:02:44.719 be shared folder. I use those constantly between my VM 53 00:02:44.719 --> 00:02:45.599 and my main machine. 54 00:02:45.719 --> 00:02:47.639 Yeah, and a malware knows people do that. It can 55 00:02:47.719 --> 00:02:51.280 use a function a w netget provider name basically asks 56 00:02:51.319 --> 00:02:54.840 the system any shared drives connected. Since VM shared folders 57 00:02:54.879 --> 00:02:57.919 act like network connections, finding them is another clue it's 58 00:02:57.919 --> 00:02:59.439 not on a regular user's machine. 59 00:02:59.520 --> 00:03:02.560 Okay, So just by checking the basic layout, malware gets 60 00:03:02.560 --> 00:03:04.879 a decent idea if it's being watched. But it gets smarter, 61 00:03:05.039 --> 00:03:07.039 right looking for signs of a real. 62 00:03:06.879 --> 00:03:09.919 Human That's right. A huge difference between a real PC 63 00:03:10.159 --> 00:03:13.599 and an analysis box is well actual human activity or 64 00:03:13.840 --> 00:03:17.719 lack thereof. So malware looks for browser cookies, cache web data, 65 00:03:17.840 --> 00:03:21.879 browsing history. A system that's too clean, two pristine that 66 00:03:22.039 --> 00:03:25.240 screams sandbox like an empty house. 67 00:03:25.360 --> 00:03:28.439 Makes total sense my browser history alone. Yeah, yeah? What else? 68 00:03:28.520 --> 00:03:30.960 How else do they check for actual user interaction? 69 00:03:31.159 --> 00:03:34.240 They can count open windows. There's a function ENOM Windows. 70 00:03:34.360 --> 00:03:38.039 A typical user dozens, maybe hundreds of windows open applications 71 00:03:38.080 --> 00:03:40.199 running a sandbox might just have a few. I saw 72 00:03:40.240 --> 00:03:42.879 an example like ninety seven windows on a real system 73 00:03:43.000 --> 00:03:45.800 versus maybe you know, ten in a sandbox. It's using 74 00:03:45.879 --> 00:03:49.759 these normal system things as indicators real user versus automated analysis. 75 00:03:49.800 --> 00:03:52.680 Wow, ninety seven versus ten. That's a stark difference, like 76 00:03:52.759 --> 00:03:55.039 checking how many pairs of shoeser by the door. And 77 00:03:55.080 --> 00:03:56.960 they can look for specific apps running. 78 00:03:56.680 --> 00:04:01.560 Too precisely using ENOM Windows again, or find window. They 79 00:04:01.639 --> 00:04:05.360 look for common stuff like Microsoft Office email clients, things 80 00:04:05.479 --> 00:04:09.159 are real user would probably have open. And conversely they 81 00:04:09.159 --> 00:04:13.080 look for analysis tools Procmond, Fiddler, wire shark. If those 82 00:04:13.080 --> 00:04:15.680 windows are open, malware knows it's under the microscope. 83 00:04:15.759 --> 00:04:17.519 It's a digital game of hide and seek. But yeah, 84 00:04:17.519 --> 00:04:20.879 the stakes are way higher. Okay, what about connectivity? Does 85 00:04:20.879 --> 00:04:23.040 it check if it can phone home absolutely. 86 00:04:23.480 --> 00:04:27.319 Network awareness is key for sandbox evasion. One trick is 87 00:04:27.399 --> 00:04:31.040 checking the IP address. Some IP ranges like one ninety 88 00:04:31.040 --> 00:04:33.360 two point one six eight point five to six dot 89 00:04:33.560 --> 00:04:36.959 x are defaults for vms like virtual box. It can 90 00:04:37.040 --> 00:04:38.879 use get adapter as r usses to look for those, 91 00:04:38.920 --> 00:04:40.040 like checking the area code. 92 00:04:40.120 --> 00:04:42.439 Right, and I've definitely heard about malware trying to ping 93 00:04:42.560 --> 00:04:45.199 Google or something. How do they check general Internet access? 94 00:04:45.279 --> 00:04:48.360 Yeah? Common method send a DNS request that's the Internet's 95 00:04:48.439 --> 00:04:51.399 phone book basically, or an HTTP web request maybe to 96 00:04:51.439 --> 00:04:53.759 Google dot com like you said. Then it checks if 97 00:04:53.800 --> 00:04:56.000 it gets a real response back, no response or a 98 00:04:56.000 --> 00:04:59.120 weird one could mean it's in an isolated sandbox, no 99 00:04:59.199 --> 00:04:59.639 way out. 100 00:05:00.079 --> 00:05:02.279 So if it can't reach Google, it knows something's fishy. 101 00:05:02.680 --> 00:05:05.000 What about existing connections? Can it learn from. 102 00:05:04.839 --> 00:05:09.720 Those it can? Malware can list outgoing TCP connections using 103 00:05:09.759 --> 00:05:13.720 get TGP table. TCP is fundamental for Internet traffic. A 104 00:05:13.800 --> 00:05:17.680 real user's machine usually lots of connections to all sorts 105 00:05:17.680 --> 00:05:21.639 of places. A standbox, especially an isolated one, maybe very 106 00:05:21.680 --> 00:05:24.959 few or none. That lack of normal network chatter is 107 00:05:24.959 --> 00:05:28.360 another big clue. The point is it's actively probing using 108 00:05:28.399 --> 00:05:30.120 all these system signs okay. 109 00:05:29.839 --> 00:05:32.279 So the malware has done its checks, it thinks it 110 00:05:32.360 --> 00:05:36.319 might be watched. What's next? It doesn't just give up, surely. 111 00:05:36.120 --> 00:05:38.879 No way. That's where anti analysis kicks in. The goal 112 00:05:38.959 --> 00:05:41.720 now is to make the malwur's code incredibly difficult to 113 00:05:41.800 --> 00:05:45.160 understand for researchers, for automated tools, for anyone. It's like 114 00:05:45.240 --> 00:05:48.600 putting on a digital disguise, scrambling the blueprints. 115 00:05:48.240 --> 00:05:50.399 Right, scrambling the instructions so no one can figure out 116 00:05:50.399 --> 00:05:52.399 the plan. What are some basic ways they mess with 117 00:05:52.399 --> 00:05:53.079 the code itself? 118 00:05:53.120 --> 00:05:56.519 Well, a simple one is just inserting junk code, not constructions, 119 00:05:56.560 --> 00:05:58.920 things that do absolutely nothing, just clutters up the view 120 00:05:58.959 --> 00:06:02.720 for an analyst. Then there's control flow obfuscation that's making 121 00:06:02.720 --> 00:06:07.199 the code's execution path deliberately complex, twists, turns, dead ends, 122 00:06:07.639 --> 00:06:09.759 like adding fake roads to a map. 123 00:06:09.839 --> 00:06:13.240 Just adding detours to confuse anyone following. I also write 124 00:06:13.240 --> 00:06:16.720 about jump tables and indirect calls. Sounds more advanced. 125 00:06:16.800 --> 00:06:20.279 It is, instead of calling a function directly, malware might 126 00:06:20.360 --> 00:06:23.040 use a jump table basically a list of addresses. It 127 00:06:23.120 --> 00:06:24.800 jumps to an entry in the table to get to 128 00:06:24.800 --> 00:06:28.000 the real function. Indirect calls often using get proke address 129 00:06:28.079 --> 00:06:30.959 load library A hide things further, they look up function 130 00:06:31.040 --> 00:06:34.279 addresses at runtime. Sometimes they even use hashed function names 131 00:06:34.800 --> 00:06:37.920 like ro R thirteen hashing. There are tools like an 132 00:06:37.920 --> 00:06:40.920 Ida plug in ap hashes to help analyst decode these. 133 00:06:41.199 --> 00:06:43.279 It's like using a coded message instead. 134 00:06:42.959 --> 00:06:45.519 Of a direct phone number, instead of call function X. 135 00:06:45.560 --> 00:06:48.759 It's like, go here, then do whatever's hiding there. Definitely 136 00:06:48.800 --> 00:06:51.560 harder to follow. What about when someone actually tries to 137 00:06:51.600 --> 00:06:53.560 debug it? Run it step by step? 138 00:06:53.680 --> 00:06:57.639 Oh yeah, debugging interference, that's a whole category. The simplest 139 00:06:57.720 --> 00:07:00.639 is just checking if a debugger is attached, functions like 140 00:07:00.759 --> 00:07:04.920 is debugger present, check remote debugger present. More advanced ways 141 00:07:05.000 --> 00:07:09.000 use nquery information process. That's a powerful function. You can 142 00:07:09.040 --> 00:07:11.399 ask the OS directly, is there a debug port open 143 00:07:11.800 --> 00:07:15.120 our debug flag set? Is a debug object attached. It's 144 00:07:15.160 --> 00:07:18.079 like the malware constantly peeking over its shoulder, checking for 145 00:07:18.120 --> 00:07:19.319 that magnifying glass. 146 00:07:19.560 --> 00:07:22.639 And kernel debuggers for really low level stuff. Yep. 147 00:07:22.680 --> 00:07:25.560 They can try to detect those two using another function 148 00:07:25.839 --> 00:07:29.399 end query system information and a specific data structure system. 149 00:07:29.519 --> 00:07:33.360 Kernel debugger information checks if the kernel debugger is enabled. 150 00:07:33.600 --> 00:07:36.639 That's deep anti analysis, trying to avoid even the most 151 00:07:36.720 --> 00:07:37.800 thorough investigation. 152 00:07:38.199 --> 00:07:41.319 Wow, digging right into the system's core. What about breakpoints? 153 00:07:41.680 --> 00:07:44.519 Analysts need those to pause the code. Can malware spot them? 154 00:07:44.639 --> 00:07:47.959 They sure try. They can check memory attributes using functions 155 00:07:48.000 --> 00:07:51.920 like read process memory, virtual query, looking for weird memory 156 00:07:51.959 --> 00:07:55.720 protections like paygeno access or page guard. Those are signs 157 00:07:55.720 --> 00:07:57.800 of debugger might have set a break point. They can 158 00:07:57.839 --> 00:08:01.279 also try to bypass software breakpoints one inserted into the code, 159 00:08:01.519 --> 00:08:04.399 and even detect and remove hardware breakpoints set by the 160 00:08:04.439 --> 00:08:07.920 CPU itself using functions like set thread context. It's a 161 00:08:07.959 --> 00:08:09.319 constant cat and mouse game. 162 00:08:09.439 --> 00:08:12.279 It really is an arms race, isn't it. Analysts find 163 00:08:12.319 --> 00:08:14.519 a way, malware finds a way around it. I also 164 00:08:14.519 --> 00:08:16.120 saw something about checksums. 165 00:08:16.399 --> 00:08:19.720 Yes, check sums are section hashing. The malware calculates a 166 00:08:19.720 --> 00:08:23.519 digital fingerprint of its own code, stores it, then, while 167 00:08:23.600 --> 00:08:26.560 running it recalculates it compares them. If they don't match, 168 00:08:26.759 --> 00:08:29.600 maybe an analyst set a breakpoint changed to bite of code. 169 00:08:29.800 --> 00:08:32.000 The malware knows it's been tampered with, it might shut 170 00:08:32.039 --> 00:08:35.799 down or change behavior. It's like its own internal tamper seal. 171 00:08:35.639 --> 00:08:38.879 Its own integrity check if anything's off. It knows Okay, 172 00:08:38.960 --> 00:08:42.200 beyond just making analysis hard, how does malware hide its 173 00:08:42.240 --> 00:08:43.240 actions while running? 174 00:08:43.360 --> 00:08:48.240 That's covert code execution misdirection. One neat trick is using 175 00:08:48.279 --> 00:08:52.639 callback functions. For instance, with enom display monitors, malware gives 176 00:08:52.639 --> 00:08:55.279 this function a pointer to its own malicious code. The 177 00:08:55.320 --> 00:08:58.840 OS calls this code later during normal operations. It executes 178 00:08:58.879 --> 00:09:02.480 an unexpected time in an unexpected place. Harder to spot, 179 00:09:02.759 --> 00:09:05.039 like hiding a secret message in a routine phone call. 180 00:09:05.159 --> 00:09:08.559 Hiding the message and planside almost What about structured exception 181 00:09:08.600 --> 00:09:11.399 handling SECH sounds legitimate? 182 00:09:11.519 --> 00:09:14.799 It is legitimate. sEH is Windows way of handling errors, 183 00:09:15.279 --> 00:09:17.919 but malware abuses it. They can overwrite parts of the 184 00:09:18.000 --> 00:09:20.279 sEH chain the list of air handlers, so when an 185 00:09:20.360 --> 00:09:23.519 error does happen planned or unplanned, control gets redirected to 186 00:09:23.559 --> 00:09:27.080 the malour's code. Analysts can watch for this using debuggers 187 00:09:27.120 --> 00:09:29.519 like by a sixty forty bdree a monitor a specific 188 00:09:29.559 --> 00:09:32.039 spot in memory FS point zero. It's like turning an 189 00:09:32.080 --> 00:09:33.720 emergency exit into a secret. 190 00:09:33.559 --> 00:09:36.919 Entrance, turning air handling into a back door. That's devious. Okay, 191 00:09:36.919 --> 00:09:41.000 we've covered avoiding detection, avoiding analysis. What about actually bypassing defenses? 192 00:09:41.039 --> 00:09:43.200 And you know, staying on a system persist. Right. 193 00:09:43.240 --> 00:09:46.799 That brings us to defense evasion and persistence. Process injection 194 00:09:46.919 --> 00:09:50.480 is a big one. Running malicious code inside another legitimate 195 00:09:50.639 --> 00:09:54.639 process the key idea. By hiding inside something trusted like 196 00:09:54.759 --> 00:09:59.360 explored ex the bad activity is less likely to trigger alarms, 197 00:09:59.399 --> 00:09:59.759 like a. 198 00:09:59.679 --> 00:10:02.960 Stoke away on a legitimate ship. How's that work? Technically? 199 00:10:03.039 --> 00:10:05.679 The basic steps get a handle a reference to the 200 00:10:05.720 --> 00:10:10.039 target process. Open process, maybe end to open process. Then 201 00:10:10.159 --> 00:10:13.039 write the malicious code into that process's memory space using 202 00:10:13.120 --> 00:10:16.679 right process memory. Finally, force the target process to run 203 00:10:16.679 --> 00:10:19.919 that code. Create a remote thread NT, create thread x RTL, 204 00:10:19.960 --> 00:10:23.000 create user thread. Like slipping your own instructions into someone 205 00:10:23.000 --> 00:10:24.200 else's workflow. 206 00:10:23.840 --> 00:10:26.279 Sneaking code into another app's work space and making it 207 00:10:26.360 --> 00:10:30.399 run it. I also heard about process hollowing. Run PE sounds. 208 00:10:30.240 --> 00:10:34.759 Different, It is and more complex. You start a legitimate process, 209 00:10:34.840 --> 00:10:38.639 say Calculator dot exx, but in a suspended state paused. 210 00:10:39.080 --> 00:10:42.039 Then the malware on maps clears out the legitimate code 211 00:10:42.039 --> 00:10:45.279 from memory, replaces it with its own malicious code, then 212 00:10:45.440 --> 00:10:47.879 resumes the process. So from the outside it just looks 213 00:10:47.879 --> 00:10:51.200 like Calculator running, but it's actually the malware like swapping 214 00:10:51.240 --> 00:10:53.080 the crew for pirates while the ship's still dot. 215 00:10:53.240 --> 00:10:56.440 It's even sneak here, replacing the crew before it even sails. 216 00:10:56.919 --> 00:11:00.519 And process doppelganging. That sounds wild, it's pre k h Yeah. 217 00:11:01.159 --> 00:11:04.399 Uses NTFS transactions, that's the Windows file System's feature for 218 00:11:04.480 --> 00:11:08.960 temporary isolated changes. Malware starts a transaction, writes its malicious 219 00:11:08.960 --> 00:11:11.360 code to look like a legitimate file. Within that transaction, 220 00:11:11.799 --> 00:11:14.840 creates a process from that modified file. Then, crucially, it 221 00:11:14.919 --> 00:11:17.519 rolls back the transaction poof the file on disc goes 222 00:11:17.559 --> 00:11:20.240 back to normal Security scans the disc later, the malicious 223 00:11:20.240 --> 00:11:23.440 file isn't there anymore, leaves minimal traces on the filesystem itself. 224 00:11:23.720 --> 00:11:27.279 Very slick, wow, a digital vanishing act. And hooking. We 225 00:11:27.399 --> 00:11:30.159 mentioned that with the buggers, but it seems broader it is. 226 00:11:30.519 --> 00:11:34.879 Hooking means intercepting function calls in user mode set. Windows 227 00:11:34.879 --> 00:11:38.159 hookx is often used. Malware can use this to monitor 228 00:11:38.279 --> 00:11:41.919 or even change what other applications ares itself for doing, 229 00:11:42.240 --> 00:11:45.039 maybe to hide its own actions or steal data. It's 230 00:11:45.039 --> 00:11:48.519 like putting a wiretap on legitimate system calls, listening in, 231 00:11:48.799 --> 00:11:49.639 maybe changing. 232 00:11:49.480 --> 00:11:53.000 The message wiretapping system functions. Okay, what about hitting the 233 00:11:53.039 --> 00:11:56.799 actual security software antivirus EVR. 234 00:11:57.279 --> 00:11:59.639 Several tactics there. One is just trying to kill the 235 00:11:59.679 --> 00:12:03.639 secure processes or services directly, though that usually needs admin rights. 236 00:12:04.000 --> 00:12:07.000 They might also mess with registry settings for security products 237 00:12:07.039 --> 00:12:09.360 or even try to uninstall them. It's a direct. 238 00:12:09.039 --> 00:12:12.080 Assault, attacking the guards themselves. Yeah, and user count control 239 00:12:12.080 --> 00:12:14.879 bypasses getting around those, are you sure prompts? 240 00:12:15.200 --> 00:12:18.440 Yeah? UAC bypasses aim to run with admin rights without 241 00:12:18.440 --> 00:12:22.720 triggering that prompt. One way is abusing auto elevated Windows utilities, 242 00:12:22.919 --> 00:12:26.600 things like MSConfig dot ex, the system configuration tool. It 243 00:12:26.679 --> 00:12:30.080 runs elevated without a prompt. Malware might launch command prompt 244 00:12:30.080 --> 00:12:35.399 from MSConfig Sneaky DLL hijacking is another, placing a malicious 245 00:12:35.440 --> 00:12:38.840 DLL where a legit app expects to find one. Also 246 00:12:39.080 --> 00:12:41.840 trying to get seat a bug privilege. That's a powerful 247 00:12:41.879 --> 00:12:44.480 permission that can be misused to mess with other processes 248 00:12:44.519 --> 00:12:45.519 and get around UAC. 249 00:12:45.799 --> 00:12:48.720 So tricking trusted tools are just grabbing the master keys. 250 00:12:49.120 --> 00:12:51.960 What about network defenses firewalls? 251 00:12:52.080 --> 00:12:55.159 DNS tunneling is one way hiding commanding control traffic inside 252 00:12:55.200 --> 00:12:59.080 what looks like normal DNS lookups, Domain generation algorithms DGAs. 253 00:12:59.200 --> 00:13:02.080 The malware creates tons of potential C two server addresses, 254 00:13:02.120 --> 00:13:05.559 dynamically harder for defenders to block them all, and multi 255 00:13:05.559 --> 00:13:08.840 stage attacks. A malicious document leads to a script, leads 256 00:13:08.879 --> 00:13:11.759 to a loader, leads to the final payload. Each stage 257 00:13:11.840 --> 00:13:14.240 might look less suspicious on its own. Playing cat and 258 00:13:14.279 --> 00:13:15.639 mouse with the network sensor. 259 00:13:15.399 --> 00:13:18.360 Black them all with their servers and kernel modules drivers. 260 00:13:18.360 --> 00:13:19.279 That sounds really deep. 261 00:13:19.519 --> 00:13:23.720 It is sophisticated stuff BYOVD. Bring your own vulnerable driver. 262 00:13:23.960 --> 00:13:27.639 They use legitimate, often signed drivers that have known security holes. 263 00:13:28.200 --> 00:13:31.440 Because the driver is signed, the OS trusts it. Malware 264 00:13:31.480 --> 00:13:34.320 exploits the vulnerability and the driver to interact with the kernel, 265 00:13:34.399 --> 00:13:37.840 maybe disabled security load, unsigned code. We saw Hermetic Wiper 266 00:13:37.919 --> 00:13:40.279 use an easy US driver. Zero Clear used a virtual 267 00:13:40.360 --> 00:13:44.200 box driver. Even trusted components can be turned into weapons. 268 00:13:43.840 --> 00:13:45.840 Like using a trusted delivery service to drop off a 269 00:13:45.879 --> 00:13:50.320 bomb and then it hits the ninja's right. Deep system compromise. 270 00:13:50.480 --> 00:13:53.919 That's the goal, deepest level of control and hiding dk 271 00:13:54.080 --> 00:13:58.679 web direct kernel object manipulation, directly messing with kernel data fructures, 272 00:13:59.000 --> 00:14:03.000 kernel hooking, intercepting core kernel functions like n tread file, 273 00:14:03.279 --> 00:14:09.240 controlling fundamental operations IRP hooking, manipulating iorequest packets to high activity, 274 00:14:09.480 --> 00:14:12.360 abusing kernel callbacks to get notified of system events and 275 00:14:12.360 --> 00:14:16.039 control them. And bootkits UAFI bootkits like Cosmic strand they 276 00:14:16.039 --> 00:14:18.879 infect the system firmware, the code that runs before Windows 277 00:14:18.879 --> 00:14:22.519 even starts. Ultimate persistence, like building a secret base in 278 00:14:22.559 --> 00:14:23.840 the building's foundation. 279 00:14:23.759 --> 00:14:26.960 Saving up shop in the US foundations. Oh okay. Lastly, 280 00:14:27.600 --> 00:14:31.440 file is malware. No file to scan, sounds incredibly hard 281 00:14:31.440 --> 00:14:32.159 to find. 282 00:14:32.279 --> 00:14:35.840 It is operates mainly in memory, maybe the registry minimal 283 00:14:35.879 --> 00:14:38.480 disc footprint. They often use loo elbans living off the 284 00:14:38.559 --> 00:14:43.000 land binaries, legitimate Windows tools like certitil dot ex, PowerShell 285 00:14:43.120 --> 00:14:46.159 dot ex using the system's own tools against it to 286 00:14:46.200 --> 00:14:49.919 download or routten code. System binary proxy execution helps bypass 287 00:14:49.919 --> 00:14:54.039 application whitelisting using things like REGZVR thirty two, dot ex, 288 00:14:54.360 --> 00:14:58.639 Rundel thirty two dot ex plus anti forensics, hiding files, 289 00:14:58.720 --> 00:15:02.919 corrupting logs, clearing event logs, and steganography, hiding data inside 290 00:15:02.919 --> 00:15:05.360 images or other files, trying to be ghosts in the machine. 291 00:15:05.399 --> 00:15:07.879 Ghosts in the machine exactly. Okay, so you've seen how 292 00:15:07.919 --> 00:15:10.200 they hide, how they evade, but the actual payload the 293 00:15:10.200 --> 00:15:11.840 harmful code itself that needs hiding. 294 00:15:11.879 --> 00:15:15.879 Two. Absolutely, that's where encoding encryption packing come in. Encoding 295 00:15:15.919 --> 00:15:18.440 is simpler, just changing the data format like BASICT four. 296 00:15:18.519 --> 00:15:20.440 Sometimes they use a tweaked character set to make it 297 00:15:20.480 --> 00:15:24.799 slightly harder. XR encoding is common to simple bitwise operation 298 00:15:24.919 --> 00:15:26.879 with a key. Like a basic cipher needs the. 299 00:15:26.840 --> 00:15:29.960 Key to unlock the simple cipher. Encryption sounds much tougher. 300 00:15:29.759 --> 00:15:33.919 Though it is uses strong math algorithms, symmetric same key 301 00:15:33.919 --> 00:15:39.320 in cryptocrypt, asymmetric different keys. Malware often uses windowsone crypto libraries, 302 00:15:39.480 --> 00:15:43.679 crypto API, or CNG finding the routines, identifying the algorithm, 303 00:15:43.960 --> 00:15:46.879 maybe watching memory in a debugger to see the decryptid data. 304 00:15:46.919 --> 00:15:49.320 That's how analysts tackle it. It's like a strong box, 305 00:15:49.360 --> 00:15:50.639 needing a specific. 306 00:15:50.240 --> 00:15:54.600 Key, cracking a serious code, and finally packing. I hear 307 00:15:54.639 --> 00:15:56.240 about pack malware constantly. 308 00:15:56.480 --> 00:16:00.440 Right packing compresses or encrypts the entire malware executable main 309 00:16:00.480 --> 00:16:05.120 goals evade av detection, obstruct analysis. Packed files often have 310 00:16:05.320 --> 00:16:08.159 very few imports visible initially, maybe just low library, a 311 00:16:08.399 --> 00:16:11.799 get proke address, and few readable strings. There's a small 312 00:16:11.799 --> 00:16:14.679 stub program that does the unpacking and memory at runtime 313 00:16:14.879 --> 00:16:17.799 can be single stage or multi stage. Analysts use tools 314 00:16:17.840 --> 00:16:21.080 p Studio, Scilla plus dynamic debugging, set break points on 315 00:16:21.120 --> 00:16:24.679 memory allocation functions, watch for executable memory regions, find the 316 00:16:24.759 --> 00:16:27.200 jump back to the real code. It's like peeling laters 317 00:16:27.240 --> 00:16:30.440 off a disguised package to find the dangerous thing inside. 318 00:16:30.240 --> 00:16:34.720 Peeling the onion to find the rotten core. Wow. This 319 00:16:34.799 --> 00:16:38.840 has been well fascinating and maybe a bit unsettling seeing 320 00:16:38.840 --> 00:16:41.799 how ingenious malware is at hiding. It's just this constant 321 00:16:41.799 --> 00:16:44.759 back and forth, isn't it attackers and defenders always innovating. 322 00:16:44.759 --> 00:16:49.200 It absolutely is. The range of techniques, the sophistication. It 323 00:16:49.320 --> 00:16:52.919 highlights the creativity of attackers yet but also the huge 324 00:16:53.039 --> 00:16:55.159 challenge defenders face trying to keep up. 325 00:16:55.320 --> 00:16:57.799 For you listening, really think about what this means for 326 00:16:57.960 --> 00:17:01.720 your own security awareness. Normal system stuff can be twisted. 327 00:17:01.960 --> 00:17:04.240 If you want to dig deeper, definitely look into resources 328 00:17:04.240 --> 00:17:07.839 on malware analysis, general cybersecurity, maybe some of the specific 329 00:17:07.920 --> 00:17:08.839 techniques we mentioned. 330 00:17:08.880 --> 00:17:10.960 It really leaves you with a big question, doesn't it. 331 00:17:11.000 --> 00:17:14.039 As malware gets better and better at hiding, how do 332 00:17:14.119 --> 00:17:17.440 our defenses need to fundamentally change? How do we stay 333 00:17:17.480 --> 00:17:20.640 ahead in this digital conflict. It's a constant learning process.