Using legitimate tools to hide malicious code | Advanced Mobile Spy Software
The authors of malware use various techniques to circumvent defensive mechanisms and conceal harmful activity. One of them is the practice of hiding malicious code in the context of a trusted process. Typically, malware that uses concealment techniques injects its code into a system process, e.g. explorer.exe. But some samples employ other interesting methods. We're going to discuss one such type of malware. Our eye was caught by various samples for .NET that use the trusted application InstallUtil.exe from the Microsoft .NET Framework (information from Microsoft's website: "The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies. This tool works in conjunction with classes in the System.Configuration.Install namespace"). The technique was described by information security researcher Casey Smith aka subTee (Proof of Concept). Briefly, the console utility InstallUtil.exe runs a