6

Let's assume a malware was installed (on a UNIX-based platform) with some social engineering tricks. The original installed code itself may be benign, but the only malicious activity is that the malware connects to a C&C server and retrieves some additional malicious payload. Then, the malware tries to execute the retrieved malicious payload.

What is not quite clear for me is that how that malicious payload is executed? Does it need to be written on a file and then a call to execve be made? Are there other possibilities?

hsnm
  • 1,281
  • 1
  • 10
  • 11

2 Answers2

4

There are lots of ways to run the downloaded code:

  • Write a file and then exec it as you note
  • The payload might be written in a language that the loader is an interpreter for.
  • The loader could exec a shell or other scripting executable (python, ruby) and pipe the payload to it as a script.
  • The loader could mmap executable memory, load the payload into it, assign a function pointer, and call it.

I'm sure there are more approaches, but I suspect that covers the major categories (write and exec, interpret it, give it to someone else to interpret, or run it directly). There may be some ways to trick the system into exec'ing an ELF executable that isn't written to the file system (maybe through a named pipe), but nothing comes immediately to mind.

EDIT: See fexecve(). This should let you create a pipe, fork, and then fexecve to read the executable from the parent's pipe without writing a file.

Rob Napier
  • 296
  • 1
  • 4
  • So, given your list + fexecve(), we can summarize it by either opening a file, creating a pipe (also sort of a file), and loading the payload in an executable memory region. – hsnm Oct 01 '12 at 18:35
  • Plus also directly interpreting it (performing actions directly based on the payload), or passing it to another tool to interpret (such as bash or python). – Rob Napier Oct 01 '12 at 19:40
  • Yes right, I forgot this one. Passing it to an interpreter could be in many ways, through a pipe, calling the interpreter by invoking the shell using system(...), and perhaps by calling a shared library and feeding the code. – hsnm Oct 01 '12 at 20:39
  • 1
    I'm also adding dynamic class loading when the code is written in a language like Java. Using ClassLoader, the payload is retrieved over the network (and possibly stored as a class file) and then runs in the Java runtime environment. – hsnm Oct 01 '12 at 20:52
1

Something like The Grugq's "user land exec" might be used. This approach has the advantage of not leaving any forensic evidence on disk. It's all in-memory.

Bruce Ediger
  • 4,552
  • 2
  • 25
  • 26
  • OK. So looks like utilizing mmap to load executable in a new process memory and executing it, without being detected on the file system or in the exec system call. Interesting one. – hsnm Oct 02 '12 at 19:14