Malware is not going to just always sit there and sing 🎶. Below are common techniques. More detailed explanation is in the anti-forensics section.
- Service Hijacking and Replacement.
- Process Injection. Stealthy. Trivial identification using RAM analysis tools.
- Filename/Service Hijacking.
- ADS.
- WebShells and Beacons.
- Firmware.
- DLL Injection.
- A/V Bypass.
- Defense Manipulation.
- Frequent Compilation.
- Binary Padding.
- Armoring. It’s useful to avoid A/V, but it’s very suspicious and easy to spot. Examples: packed malware, polymorphic.
- Dormant Malware 💤. I’ll think about that tomorrow. Tomorrow is another day. (Gone With the Wind)
- Signing Code with Valid Cert. Thawte and Verisign are responsible for issuing certificates for malware.
- Anti-Forensics/Timestomping. Timestomping is used to modify the timestamps of a file.
- Rootkits.
- “Fileless” Malware.
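As an added detection example for the timestomping item above (my own code, not from the original notes), the heuristic checks an examiner applies to NTFS timestamps: $STANDARD_INFORMATION is what the Win32 API lets a program rewrite, $FILE_NAME is written by the file system itself, so a backdated $SI that predates $FN, or whole-second $SI values with the sub-second part zeroed, are the classic tells. The file records are constructed sample data, not real forensic output.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass
class FileTimes:
    """Timestamps for one file as an MFT parser would export them.
    si_* = $STANDARD_INFORMATION, fn_* = $FILE_NAME (constructed values)."""
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def timestomp_indicators(f: FileTimes) -> list[str]:
    """Return the heuristic reasons this file's timestamps look manipulated."""
    reasons = []
    # Timestomping tools commonly write whole-second values; NTFS normally
    # records a 100 ns fraction, so both $SI fields at exactly .000000 is odd.
    if f.si_created.microsecond == 0 and f.si_modified.microsecond == 0:
        reasons.append("zero sub-second values in $STANDARD_INFORMATION")
    # $FN is set by the file system when the file is created; $SI claiming an
    # earlier time than that means $SI was rewritten after the fact.
    if f.si_created < f.fn_created:
        reasons.append("$SI creation time predates $FN creation time")
    if f.si_modified < f.fn_created:
        reasons.append("$SI modification time predates $FN creation time")
    # Weak signal on its own: copied files keep mtime but get a new ctime.
    if f.si_modified < f.si_created:
        reasons.append("modified before created (weak: copies also do this)")
    return reasons


# Constructed sample records: one ordinary file, one with backdated $SI times.
SAMPLE = [
    FileTimes("C:\\Example\\ordinary.dll",
              si_created=datetime(2023, 5, 2, 9, 15, 12, 481203, tzinfo=UTC),
              si_modified=datetime(2023, 5, 2, 9, 15, 12, 481203, tzinfo=UTC),
              fn_created=datetime(2023, 5, 2, 9, 15, 12, 481203, tzinfo=UTC),
              fn_modified=datetime(2023, 5, 2, 9, 15, 12, 481203, tzinfo=UTC)),
    FileTimes("C:\\Example\\Temp\\updater.exe",
              si_created=datetime(2019, 3, 10, 12, 0, 0, 0, tzinfo=UTC),
              si_modified=datetime(2019, 3, 10, 12, 0, 0, 0, tzinfo=UTC),
              fn_created=datetime(2024, 1, 18, 3, 41, 7, 917554, tzinfo=UTC),
              fn_modified=datetime(2024, 1, 18, 3, 41, 7, 917554, tzinfo=UTC)),
]


def scan(records: list[FileTimes]) -> dict[str, list[str]]:
    """Map each suspicious path to the indicators found; clean files are omitted."""
    return {r.path: timestomp_indicators(r) for r in records if timestomp_indicators(r)}
```

Run `scan(SAMPLE)` to see only the backdated file reported, with the three $SI/$FN mismatches listed.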