Evading anti malware software has always been a challenge for the hackers out there. Anti viruses are getting smarter everyday by using behavior analysis by implementing machine learning algorithms. Now hackers have developed a new code injection technique called Early bird.
In simple words, As the name suggests the malware is injected to a working process early i.e its injected before its main thread starts. This makes the malware undetectable because anti malware engines can hook the process only after its main thread is started. This early loading of malware before the hook is even placed makes it more powerful.
How Early bird works ?
Early bird works because of windows built-in APC function. An APC (Asynchronous Procedure Calls) function enables a program to execute a code asynchronously with the main thread. Using APC malicious code can be loaded asynchronously before the thread.
Here is the step by step process:
- Create a suspended process of a Windows process (e.g., svchost.exe)
- Allocate memory and load malicious code into the allocated memory region of the process,
- Queue an asynchronous procedure call (APC) to the main thread of that process (svchost.exe),
- Call NtTestAlert function to force kernel into executing the malicious code as soon as the main thread resumes.
Security researchers from Cyberbit found that malware like Carberp and DorkBot uses this technique for AV evasion. You can find more details in their report: New ‘Early Bird’ Code Injection Technique Discovered.