There are many forms of malcode concealment, from the “obfuscated beyond recognition” to “in plain sight” yet seldom have we seen hijacking of compiler runtime stubs (although infection
of compilers, ala Induc
, has already been explored and exploited [1
Obfuscation is typically easy to spot (especially when the authors try very hard to make it difficult to analyze) [4
] and it is the likely reason why “in plain sight” techniques are starting to make an appearance as discussed by Billy [5
One variation of such a technique is to hijack a call to a constructor or initialization routine within a compiler-emitted stub and point it at the malcode, with the assumption that most AV engines (and analysts) recognize and skip (or pay less attention to) compiler generated stubs.