23 Feb 2010, #1
Hiding in plain sight.
There are many forms of malcode concealment, from the “obfuscated beyond recognition” to “in plain sight”, yet seldom have we seen hijacking of compiler runtime stubs (although infection of compilers, à la Induc, has already been explored and exploited [1,2,3]).
Obfuscation is typically easy to spot (especially when the authors try very hard to make it difficult to analyze), and it is the likely reason why “in plain sight” techniques are starting to make an appearance, as discussed by Billy.
One variation of such a technique is to hijack a call to a constructor or initialization routine within a compiler-emitted stub and point it at the malcode, with the assumption that most AV engines (and analysts) recognize and skip (or pay less attention to) compiler generated stubs.
Hiding in plain sight | SophosLabs blog
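One way a defender can check a compiler-emitted stub for the redirection described above, as an added example that is not part of the Sophos post or the forum thread: scan the stub for near CALL (E8 rel32) instructions, resolve each target, and flag any that lands outside the region where the legitimate CRT code is expected. The stub bytes, base address and expected range are constructed for the example.

```python
import struct

# Constructed sample: a stub mapped at virtual address 0x401000, and an assumed
# address range in which the legitimate CRT/entry code lives.
STUB_VA = 0x401000
CRT_RANGE = (0x401000, 0x402000)


def build_stub():
    """Assemble a constructed x86 stub: three E8 rel32 calls followed by RET.

    The middle call has been redirected to an address outside CRT_RANGE,
    mimicking a hijacked constructor/initialisation call.
    """
    targets = [0x401100, 0x405500, 0x401200]
    code = b""
    for target in targets:
        insn_va = STUB_VA + len(code)
        rel = target - (insn_va + 5)  # rel32 is relative to the next instruction
        code += b"\xe8" + struct.pack("<i", rel)
    return code + b"\xc3"


def scan_calls(code, base_va, good_range):
    """Return [(insn_va, target_va, suspicious), ...] for every E8 call found.

    This is a linear byte scan, not a disassembler: an E8 byte inside an
    immediate or displacement would be reported too, so treat hits as leads
    to confirm in a disassembler rather than as verdicts.
    """
    lo, hi = good_range
    results = []
    i = 0
    while i + 5 <= len(code):
        if code[i] == 0xE8:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            target = (base_va + i + 5 + rel) & 0xFFFFFFFF
            results.append((base_va + i, target, not (lo <= target < hi)))
            i += 5
        else:
            i += 1
    return results


if __name__ == "__main__":
    for insn_va, target, bad in scan_calls(build_stub(), STUB_VA, CRT_RANGE):
        print(f"call at {insn_va:#x} -> {target:#x} {'SUSPICIOUS' if bad else 'ok'}")
```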