Malicious code usually relies on network functions to do its work, and many Windows API functions can be used for network communication. Writing network functionality is a complex task, so our goal here is to show you how to identify and understand the common network functions, so that when you see them in a malicious program you can tell what it is doing with them.
Among the networking options on Windows, Berkeley-compatible sockets are the ones most commonly used by malicious code. Their functions are almost identical on Windows and UNIX systems.
Berkeley-compatible sockets
On Windows, the Berkeley-compatible socket functions are implemented by the Winsock library, mainly in ws2_32.dll. Of all its functions, socket, connect, bind, listen, accept, send and recv are the most commonly used.
The WSAStartup function must be called before any other Winsock function in order to allocate resources for the networking library. When debugging code to find where network activity begins, it is useful to set a breakpoint on WSAStartup, because the networking code should follow not far behind.
socket Creates a socket.
bind Attaches a socket to a specific address and port; it is called before listen and accept.
listen Indicates that a socket will be listening for inbound connections.
accept Accepts an inbound connection on a listening socket and returns a new socket for that connection.
connect Opens a connection to a remote socket. The remote socket must already be waiting for a connection.
recv Receives data from the remote socket.
send Sends data to the remote socket.
Server and Client of Network
A network program usually has two endpoints: the server side, which maintains an open socket and waits for an inbound connection, and the client side, which connects to a waiting socket. Malicious code can be either end.
In a client application that connects to a remote socket, you will see a socket call followed by a connect call, followed by send and recv calls as needed. In a server application that listens for inbound connections, socket, bind, listen and accept are called in that order, followed by send and recv calls as needed. This pattern is common in both malicious and benign programs, so on its own it tells you only that the program has network capability, not that it is malicious.
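To make the two call sequences concrete, here is an added example (not code from the original article, and not a sample of any malware) that runs both halves over loopback in one process: the server half does socket, bind, listen and accept, the client half does socket, connect and send, and the server then calls recv. The message text and the helper names (net_init, start_server, connect_client, run_loopback_exchange) are constructed for this example. The same source builds with Winsock on Windows, where it must call WSAStartup first, and with Berkeley sockets on POSIX, where no initialization is needed, which is exactly why the pattern looks the same on both platforms.

```c
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#  include <winsock2.h>
#  include <ws2tcpip.h>
#  pragma comment(lib, "ws2_32.lib")
typedef SOCKET sock_t;
#  define SOCK_INVALID INVALID_SOCKET
#  define sock_close(s) closesocket(s)
/* Winsock must be initialized before any other networking call. */
static int  net_init(void) { WSADATA w; return WSAStartup(MAKEWORD(2, 2), &w) == 0; }
static void net_fini(void) { WSACleanup(); }
#else
#  include <sys/socket.h>
#  include <netinet/in.h>
#  include <arpa/inet.h>
#  include <unistd.h>
typedef int sock_t;
#  define SOCK_INVALID (-1)
#  define sock_close(s) close(s)
static int  net_init(void) { return 1; }   /* nothing to allocate on POSIX */
static void net_fini(void) {}
#endif

/* Constructed payload, standing in for whatever a client would send. */
static const char MESSAGE[] = "HELLO-FROM-CLIENT";

/* Server half: socket -> bind -> listen. Binds 127.0.0.1 on an ephemeral
 * port and reports the port the OS chose. */
static sock_t start_server(unsigned short *port_out)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof(addr);
    sock_t s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s == SOCK_INVALID) return SOCK_INVALID;

    memset(&addr, 0, sizeof(addr));
    addr.sin_family      = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port        = 0;            /* 0 = let the OS pick a free port */

    if (bind(s, (struct sockaddr *)&addr, sizeof(addr)) != 0 ||
        listen(s, 1) != 0 ||
        getsockname(s, (struct sockaddr *)&addr, &len) != 0) {
        sock_close(s);
        return SOCK_INVALID;
    }
    *port_out = ntohs(addr.sin_port);
    return s;
}

/* Client half: socket -> connect -> send. Returns the connected socket. */
static sock_t connect_client(unsigned short port)
{
    struct sockaddr_in addr;
    sock_t c = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (c == SOCK_INVALID) return SOCK_INVALID;

    memset(&addr, 0, sizeof(addr));
    addr.sin_family      = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port        = htons(port);

    if (connect(c, (struct sockaddr *)&addr, sizeof(addr)) != 0 ||
        send(c, MESSAGE, (int)strlen(MESSAGE), 0) != (int)strlen(MESSAGE)) {
        sock_close(c);
        return SOCK_INVALID;
    }
    return c;
}

/* Runs both halves. Returns the number of payload bytes the server received
 * (17 on success) or -1 on failure. connect() completes before accept() is
 * called because the kernel finishes the loopback handshake and parks the
 * connection in the listen backlog. */
int run_loopback_exchange(void)
{
    unsigned short port = 0;
    char buf[64];
    int want = (int)strlen(MESSAGE), total = 0, result = -1;
    sock_t srv, cli, conn;

    if (!net_init()) return -1;
    srv = start_server(&port);
    if (srv == SOCK_INVALID) { net_fini(); return -1; }

    cli = connect_client(port);
    if (cli != SOCK_INVALID) {
        conn = accept(srv, NULL, NULL);   /* server side: accept the queued connection */
        if (conn != SOCK_INVALID) {
            while (total < want) {        /* recv may deliver the payload in pieces */
                int r = (int)recv(conn, buf + total, (int)(sizeof(buf) - 1 - total), 0);
                if (r <= 0) break;
                total += r;
            }
            buf[total] = '\0';
            if (total == want && strcmp(buf, MESSAGE) == 0) result = total;
            sock_close(conn);
        }
        sock_close(cli);
    }
    sock_close(srv);
    net_fini();
    return result;
}

int main(void)
{
    int n = run_loopback_exchange();
    printf("server received %d bytes\n", n);
    return n == (int)strlen(MESSAGE) ? 0 : 1;
}
```

When you trace a sample in a debugger, the breakpoint on WSAStartup lands you just before the equivalent of net_init above; which of the two halves follows (bind/listen/accept versus connect) tells you whether the sample is waiting for a controller to reach it or reaching out itself.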
In addition to the Winsock API, there is a higher-level Windows API called the WinINet API. Its functions are exported by Wininet.dll; if a program imports functions from this DLL, it is using this higher-level networking API.
The WinINet API implements application-layer protocols such as HTTP and FTP, so you can learn what malicious code is doing from the connections it opens.
InternetOpen Initializes an Internet session and returns the handle that the other WinINet functions require.
InternetOpenUrl Opens a URL, which can be an HTTP page or an FTP resource.
InternetReadFile Works like the ReadFile function; it lets the program read data from a file downloaded from the Internet.
Malicious code can use the WinINet API to connect to a remote server and obtain further instructions to execute.