1

Some malware authors add benign code/behavior to their malware just to throw off antiviruses and IDSs which employ machine learning to detect malware. There is a name for this technique (and even a Wikipedia page somewhere) but I can't seem to figure out what it is or find it on Google.

  • 1
    Do you mean *"mimicry"*, i.e. looking like something good while being bad? – Steffen Ullrich Dec 03 '19 at 05:00
  • It is mimicking for sure, but that's not the term. Essentially the idea is to stuff a malware with a bunch of code from well-known benign programs. – kansas_bulldog382 Dec 03 '19 at 05:09
  • 1
    I know what you mean, like in [this bypass of Cylance](https://skylightcyber.com/2019/07/18/cylance-i-kill-you/). But I'm not sure that there is a special term focusing on what you mean and I cannot find any such term in this post either. – Steffen Ullrich Dec 03 '19 at 06:02
  • I think you mean [polymorphic malware](https://digitalguardian.com/blog/what-polymorphic-malware-definition-and-best-practices-defending-against-polymorphic-malware). There are open source frameworks for this like [Veil](https://www.veil-framework.com/) – paj28 Dec 03 '19 at 11:03
  • @SteffenUllrich That is exactly what I was thinking of! I could have sworn I saw a Wiki page on that technique and it was given some interesting name I was hoping I could search up, but I suppose if articles like the one you linked don't use the term, then maybe it hasn't taken hold. – kansas_bulldog382 Dec 03 '19 at 17:42
  • @paj28 I know it's not polymorphism per se. Polymorphic decryptors don't necessarily patch in code from other programs, which is the technique I am looking for. Thanks for bringing up Veil though, that'll be something interesting to look into. – kansas_bulldog382 Dec 03 '19 at 17:50

2 Answers

1

I think the technique is called obfuscation using "dead code insertion", where you add routines that don't perform any function to throw off AV static and dynamic analysis. I read it here. Also, this WikiLeaks paper shows experiments with AV that use techniques of adding functions that don't do anything but bypass AV dynamic analysis.

yeah_well
  • 3,699
  • 1
  • 13
  • 30
  • Would you please add some references where this term is being used? – Dec 03 '19 at 10:29
1

Malware hiding within an app with a benign purpose is typically called a Trojan, after the famous story of the Trojan Horse.

Gaius
  • 810
  • 6
  • 7