Process Injection, Simpler & Stealthier than Rootkit
While rootkits get the most attention from the IT security community, it is also important to consider other, similarly effective techniques that malware authors use to hide their code from anti-malware solutions, said Nick Harbour, security researcher, at the 2007 Black Hat conference in Las Vegas. PCWorld reported this on August 3, 2007.
According to Harbour, a technique called "process injection" lets malware authors conceal their code from forensic detection. In this technique the attacker injects malicious code into a legitimate process already running on the end user's system.
Process injection offers attackers several methods to choose from. Each of them hides the source of the malicious behavior running on the victim's computer. The methods help evade firewalls and other security defenses because the injected process, together with its code, appears almost normal.
A process given a crafty name can slip under the radar of detection; another would simply pass unnoticed, said Harbour during his presentation. The aim is to insert a malicious process into a system and mask its presence with only slight changes to processes that normally run there. The ideal targets are Spoolsv.exe and Svchost.exe, because many instances of them are usually active in memory at the same time.
Another way to run malicious code is for malware authors to execute it directly from memory on the hijacked system. This technique is quite stealthy because the code never has to reside on the hard drive, where it could be detected.
In 2000, the first exploit demonstrated the technique on a Windows system. In this technique a process is launched in a suspended state and then overwritten with the malicious code. For instance, the attacker could start notepad.exe in suspended form and then overwrite it with sol.exe, so that the program shows the cards of a Solitaire game, although the task bar would indicate that Notepad was running.
Such techniques are not difficult to use and, unlike rootkits, are readily available; they therefore pose a greater threat to organizations, Harbour said.
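The defender's counterpart to the suspended-and-overwritten process described above is to check whether what a process carries at its image base still matches the executable its name points at on disk. The following Python is an added example for this article, not code from Harbour's talk or from SPAMfighter: it parses the PE headers of two images and reports the fields on which they disagree. Both images are constructed in the script with a minimal header builder (a real detector would read the header from the running process with OS APIs, which is assumed to be done elsewhere); field offsets follow the PE/COFF specification.

```python
import struct

# Constructed, minimal PE images stand in for (a) the executable on disk and
# (b) the header found at the image base inside a running process.
# Offsets follow the PE/COFF specification; the images are not real binaries.

def build_pe(machine, entry_point, image_base, size_of_image, section_names, pe32plus=True):
    """Build a minimal PE header: DOS stub, 'PE\\0\\0', COFF header, optional header, sections."""
    magic = 0x20B if pe32plus else 0x10B
    opt = bytearray(64)                                    # truncated optional header (64 bytes)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, 16, entry_point)           # AddressOfEntryPoint (RVA)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)        # ImageBase, PE32+
    else:
        struct.pack_into("<I", opt, 28, image_base)        # ImageBase, PE32
    struct.pack_into("<I", opt, 56, size_of_image)         # SizeOfImage
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, len(opt), 0x22)
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x1000, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names)
    )
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew: NT headers follow the DOS header
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


def parse_pe(data):
    """Extract the header fields a hollowing check compares; raises ValueError on a non-PE blob."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sec = opt + opt_size                                   # section table starts after the optional header
    names = []
    for i in range(nsections):
        raw = struct.unpack_from("<8s", data, sec + 40 * i)[0]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {"Machine": machine, "AddressOfEntryPoint": entry_point, "ImageBase": image_base,
            "SizeOfImage": size_of_image, "Sections": names}


def compare_images(disk_image, memory_image):
    """Return the header fields on which the in-memory image disagrees with the on-disk file."""
    on_disk, in_memory = parse_pe(disk_image), parse_pe(memory_image)
    return [f"{k}: disk={on_disk[k]!r} memory={in_memory[k]!r}"
            for k in on_disk if on_disk[k] != in_memory[k]]


# Constructed sample: the file the process name points at on disk ...
DISK_IMAGE = build_pe(0x8664, 0x1500, 0x140000000, 0x8000, [".text", ".rdata", ".data"])
# ... and what a hollowed process would carry at its image base: another program's header.
HOLLOWED_MEMORY = build_pe(0x8664, 0x2A00, 0x140000000, 0x12000, [".text", ".rdata", ".data", ".rsrc"])

if __name__ == "__main__":
    for line in compare_images(DISK_IMAGE, HOLLOWED_MEMORY):
        print("mismatch", line)
```

Only fields that the Windows loader does not normally rewrite are compared (entry point RVA, image size, section names, machine type), so a clean process yields an empty list while a hollowed one reports several mismatches. In production the memory side of the comparison comes from the process itself, and the image base field should be treated with care since relocation can legitimately move a module.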
» SPAMfighter News - 16-08-2007