Case Study

Polymorphic malware spawning dummy processes to circumvent behavioral-based detection and threat-to-process correlation systems

32 pages

POLYMORPHIC MALWARE SPAWNING PSEUDO-OPERATING SYSTEM PROCESSES. Circumventing behavioral-based and TTPC detection grids.
WWW.HEIMDALSECURITY.COM
Heimdal Security - Whitepaper. We protect what others can't.
Author: Vladimir-Alexandru Unterfingher

TABLE OF CONTENTS
1. Introduction
2. Signature- vs. behavior-based detection in malware analysis
2.1. Signature-based Detection
2.2. Behavior-based detection
3. ‘Multi-process malware’ – Terminology, Classification, Dispersal Pattern, and ‘Tainting’ mechanism
3.1. Proposed terminology
3.2. Example of possible multi-process malware execution in a controlled environment
4. Modus Operandi, hits, and process calls.
5. Statistical analysis
5.1. Dist
6. Conclusions
7. Related work
8. Glossary
9. References