How does malicious software conceal itself?

Infiltration

Malware code is disguised or obfuscated in order to prevent detection by antivirus or anti-malware software operating on the target system.

Basic encryption

Basic and easily cracked: XOR encoding, Base64 encoding, ROT-13 cipher encryption.

Oligomorphism

Malware code is encrypted using one of a few pre-determined methods.

Polymorphism

Malware code is encrypted using a different method for each victim, which changes the size and/or shape of the code.

Metamorphism

Malware code is different every time it is propagated to a new victim: the techniques used in polymorphism are applied to the code itself.

Debugger detection

Malware is able to detect when it is being run within a debugger, and hides functionality.

Binary packing

A packer, or compression engine, is used to compress the code and prevent static analysis.

Operation

The running or operation of malware is disguised in order to prevent detection and removal by antivirus or anti-malware software.

User-mode rootkit

Replaces binary files of legitimate applications with malicious files; it can also hijack programs and perform malicious acts on their behalf.

Kernel rootkit

The kernel is the core of the operating system, and programs run on top of it; therefore anti-malware software (which also runs on the kernel) is unable to detect the rootkit. This causes instability on the target machine.

Virtual machine rootkit

Virtual rootkits place themselves on top of the boot loader and then boot the target operating system within themselves, in a manner similar to a virtual machine. They therefore control all data flowing from the OS.

Bootkit

This allows an attacker to infect start-up code such as the Master Boot Record (MBR), Volume Boot Record (VBR) or boot sector, and in this way can be used to attack systems with full disk encryption.

Firmware rootkit

These are embedded within the firmware of devices such as network devices, and the rootkit is therefore available for as long as the device is. Attempts to delete the software result in reinstallation on the next reboot.

Exfiltration

The communication between malware and command & control servers is disguised to allow free movement of data, for example financial information, PII, or intellectual property.

Email

Use of Outlook mail-forwarding options, or sending of mail over SMTP.

HTTP(S)/FTP

Use of standard file-transfer ports for traffic transfer, or of HTTP POST.

SSH tunnel

Encrypted SSH services such as SFTP and SCP (Secure Copy).

IRC messaging

Use of the IRC Direct Client Connect (DCC) SEND sub-protocol.

Bluetooth/Wi-Fi

The attacker can exfiltrate data to nearby devices/APs under their control.

Cloud services

Use of a cloud storage service to upload and store data anonymously.

DNS tunnelling

Use of UDP DNS requests for subdomains with data encoded in the subdomain.
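A defender's illustration of the DNS tunnelling entry above, added here and not part of the original page: a small Python detector that scans constructed DNS query log lines and flags parent domains that receive repeated long, high-entropy subdomain labels. The log format, the domain names (including the reserved .test TLD), the hex-looking labels and the thresholds are all assumptions made for this example.

```python
import math
from collections import defaultdict

# Constructed sample log, one "<client_ip> <query_name>" per line (assumed format).
# The hex-looking labels under exfil-demo.test stand in for encoded chunks of data.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 downloads-archive.example.com
10.0.0.7 4a6f686e20446f65.3a2050494920.t.exfil-demo.test
10.0.0.7 5365637265742070.6c616e7320666f72.t.exfil-demo.test
10.0.0.7 32303234206d6572.6765722e2e2e0a00.t.exfil-demo.test
10.0.0.7 7a3e2e1f9c8d7b6a.5e4d3c2b1a0f9e8d.t.exfil-demo.test
10.0.0.9 cdn.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character of a label; encoded data scores higher than plain words."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def parent_domain(qname: str) -> str:
    """Last two labels; a crude registered-domain approximation (assumption)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyse(log: str, min_label_len: int = 12, min_entropy: float = 2.5,
            min_queries: int = 3) -> dict:
    """Return {parent_domain: hit_count}; single hits are noisy, so only repeated ones count."""
    hits = defaultdict(int)
    for line in log.splitlines():
        if not line.strip():
            continue
        _client, qname = line.split(maxsplit=1)
        labels = qname.rstrip(".").split(".")
        sub_labels = labels[:-2]                    # everything left of the parent domain
        if not sub_labels:
            continue
        leading = sub_labels[0]                     # where a tunnel carries its payload
        if len(leading) >= min_label_len and shannon_entropy(leading) >= min_entropy:
            hits[parent_domain(qname)] += 1
    return {d: c for d, c in hits.items() if c >= min_queries}

if __name__ == "__main__":
    for domain, count in analyse(SAMPLE_LOG).items():
        print(f"possible DNS tunnelling: {domain} ({count} suspicious queries)")
```

The ordinary hostname downloads-archive.example.com also scores as one long, high-entropy label, which is why the per-domain query count, not the entropy of a single query, decides what gets reported.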