Note: As of May 2022, Dell Threat Defense has reached End of Maintenance. This article is no longer updated by Dell. For more information, reference Product Life Cycle (End of Support / End of Life) Policy for Dell Data Security. If you have any questions on alternative articles, either reach out to your sales team or contact endpointsecurity@dell.com. Reference Endpoint Security for additional information about current products.

Affected Products:
Dell Endpoint Security Suite Enterprise
Dell Threat Defense

Note: There are legitimate uses for each of the identified indicators. The existence of a particular indicator is not proof positive that an object is doing something malicious. For example, if the sample is a process debugger, it may have a legitimate use for SeDebugPrivilege or process injection. Software installers frequently bundle EXEs inside. These are specific indicators that have a high prevalence in malware, but they DO NOT represent the models that we use for classification of good and bad. Our models measure millions of data points, with some of these included, but define complex patterns across them. These models are difficult to visualize due to their complexity, so some selected indicators have been made available within Threat Indicators.
Not Applicable
Categories
Threat Indicators are grouped into categories to aid in context. Categories help identify certain potentially undesirable or malicious capabilities.

Indicators
Each Indicator defines an area that has been frequently seen in malicious software. Many represent capabilities of the included binary. Others represent attempts at deception. Each has been identified as a frequent and indicative feature, based on deep analysis of over 100 million binaries.

The categories that Threat Indicators use are:

Anomalies (20 Indicators)
These indicators represent situations where the object has elements that are inconsistent or anomalous in some way. Frequently these are inconsistencies in structural elements of the file.

| Category | Name | Description |
| --- | --- | --- |
| Anomalies | 16bitSubsystem | This object uses the Windows 16-bit subsystem, a less secure and less monitored part of the operating system. This subsystem is intended for running older software (MS-DOS) on newer operating systems; modern software rarely requires it. Malware typically takes advantage of the 16-bit subsystem to exploit security flaws in the subsystem and gain additional privileges. |
| Anomalies | Anachronism | Compiled executables typically include a 4-byte value which represents the date and time the executable was compiled. Professionally written software has little reason to modify this timestamp value; however, an attacker could modify this value so an executable would appear to have been compiled in the future or the past. Note: Borland Delphi uses a static value for all compiled executables. |
| Anomalies | AppendedData | This portable executable (PE) file has extra content appended to it, beyond the normal areas of the file. With legitimate files, appending data to an executable allows a software company to include data with their program instead of needing separate data files. But appended data can frequently be used to embed malicious code or data, and it is often overlooked by protection software. |
| Anomalies | Base64Alphabet | This object contains evidence of using Base64 encoding. Base64 is an encoding scheme that represents data as ASCII text, typically consisting of A-Z, a-z, 0-9, +, and /. Malware often uses Base64 to avoid detection. For example, the suspicious data thisisabot can be concealed by encoding it as dGhpc2lzYWJvdA== using Base64. |
| Anomalies | CommandlineArgsImport | This object imports functions that can be used to read arguments from a command line; malware can use this to collect information. Command-line arguments are parameters that are passed to the program, like opening a specific file or using particular values. Some organizations may even pass usernames and passwords on the command line, as with net use. |
| Anomalies | ManifestMismatch | This object appears to have inconsistencies in its manifest, a file containing metadata about the object. This metadata includes relationships and dependencies with other components, version information, and the security permissions required by the assembly. Malware creators might manipulate this metadata to avoid detection or directly copy the manifest of a legitimate file into their executable. |
| Anomalies | NontrivialDLLEP | This object is a DLL with a nontrivial (critical) entry point. Entry points are common among DLLs, but a malicious DLL may use its entry point to place itself inside a process. An entry point is where control passes from the operating system to the program, at which point the program starts. |
| Anomalies | PossibleBAT | This object contains evidence of having a standard Windows batch file included. Legitimate programs rarely have a reason to include a batch script alongside the program. Malware creators often do this to avoid common anti-virus scanning techniques. Some malware uses a batch file to hide specific actions within the file, like commands to perform another command, start another malicious program, or delete itself after execution. |
| Anomalies | PossibleDinkumware | This object shows evidence of including some components from Dinkumware. Dinkumware is frequently used in various malware components; however, it also has legitimate uses and provides the C++ libraries that ship with Microsoft Visual C++. |
| Anomalies | RaiseExceptionImports | This object imports functions used to raise exceptions within a program. Malware does this to make standard dynamic code analysis difficult to follow. Example: Malware might be designed to set up a custom exception handler, raise an exception, and then check whether the custom exception handler catches it. If no exception is caught, the malware knows that a debugger probably caught the exception and that a debugger is being used. |
| Anomalies | ResourceAnomaly | This object contains malformed content or other unusual data in the resource section. The resource section of a PE or DLL typically contains icons, images, menus, and strings. Malware creators may embed malicious executables, malicious DLLs, obfuscated data, or other configuration data in the resource section. |
| Anomalies | RWXSection | This object may contain modifiable code, which implies that the object was built using a nonstandard compiler or was modified after it was originally built. While some organizations may create and use software built using these techniques, this is not the industry standard. |
| Anomalies | StringInvalid | The object contains an invalid string, which could be an attempt to conceal a suspicious string or to craft the object so that it interferes with analysis. Example: The invalid string could be trying to hide a suspicious file by changing the file name slightly. "OKtoUse.dll" and "0KtoUse.dll" look similar, but the second DLL name uses a zero instead of the upper case O. |
| Anomalies | StringTableNotTerminated | This object contains a malformed string table. This might indicate that the file is corrupt or was crafted to interfere with identifying the object as malware. Example: Malware creators might store strings in an encrypted format to hide malicious functionality. |
| Anomalies | StringTruncated | The object appears to be missing some string information or to contain partial strings. This might indicate that the file is corrupt or was crafted to interfere with identifying the object as malware. Malware creators might encode the malicious strings to avoid detection and then decode those strings at run time. |
| Anomalies | SuspiciousPDataSection | This object is hiding something in the PDATA area, and it cannot be identified. The PDATA section typically holds runtime structures, but this particular object contains something else. |
| Anomalies | SuspiciousRelocSection | This object is hiding something in the RELOCATIONS area, and it cannot be identified. The RELOCATIONS area is typically used for relocating particular symbols, but this particular object contains something else. |
| Anomalies | SymbolInvalid | This object contains an invalid symbol string. In programming, a symbol is a name used to identify variables and functions. Malware does this to conceal a suspicious string or to craft the object so that it interferes with identifying it as malware. |
| Anomalies | SymbolTruncated | This object appears to be missing some symbol information. This might indicate that the file is corrupt or was crafted to interfere with identifying the object as malware. In programming, a symbol is a name used to identify variables and functions. Malware might use symbol information to hide the address of a malicious function and instead specify the function name. |
| Anomalies | VersionAnomaly | This object has issues with how it presents its version information. Malware typically strips, removes, or directly copies the version information of another executable to avoid detection. |

Collection (21 Indicators)
These indicators represent situations where the object has elements that indicate capabilities or evidence of collecting data. This can include enumeration of system configuration or collection of specific sensitive information.

| Category | Name | Description |
| --- | --- | --- |
| Collection | BrowserInfoTheft | This object might try to read passwords stored in a web browser's cache. Malware does this to collect username and password information to send back to the malware's creators. |
| Collection | CredentialProvider | This object appears to interact with a credential provider or tries to appear as one. Credential providers have access to many types of sensitive data, like usernames and passwords. Malware interacts with or imitates a credential provider to obtain this sensitive data. |
| Collection | CurrentUserInfoImports | This object imports functions that are used to gather information about the logged-in user. Malware uses this information to determine ways to escalate privileges and to better tailor future attacks. |
| Collection | DebugStringImports | This object imports functions that are used to output debug strings. Malware authors often leave code in the malware that was used for debugging during development. In contrast, debug strings are typically disabled or not present in production software. |
| Collection | DiskInfoImports | This object imports functions that can be used to gather details about volumes on the computer. Full disk information is typically unnecessary for most commercial software. An attacker uses enumeration of this type of information to plan additional attacks. |
| Collection | EnumerateFileImports | This object imports functions that are used to list files. Malware uses this list to look for sensitive data or to find further points of attack. The versions and types of programs installed on a device can be determined from a file listing; the malware creator could then attempt to find further vulnerabilities in the installed software. |
| Collection | EnumerateModuleImports | This object imports functions that can list all the dynamic link libraries (DLLs) a running process is using. Malware uses this to target specific libraries for loading into a process, and to map out a process to inject into. |
| Collection | EnumerateNetwork | This object demonstrates the ability to enumerate connected networks and network adapters. Network enumeration is the identification of other computers accessible on the same network. Information includes usernames, network shares, and services. Malware uses this information to determine where a target computer is on the network in relation to other computers, and to look for other target computers accessible from the network. |
| Collection | EnumerateProcessImports | This object imports functions that can list all the running processes on a computer. Malware uses this to locate processes to inject into, imitate, or terminate. |
| Collection | EnumerateVolumeImports | This object imports functions that can be used to list the volumes on a computer. This type of information is useful for identifying areas where pertinent information could reside for targeting, or new locations to spread to or deploy additional malware. |
| Collection | GinaImports | This object imports functions that are used to access the Graphical Identification and Authentication (GINA) component in Windows XP and Windows Server 2003. Malware does this in an attempt to breach the secure Ctrl-Alt-Del password entry system or other network login functions. Example: Malware targeting GINA might attempt to write the usernames and passwords used on the computer to a file for the malware creator. |
| Collection | HostnameSearchImports | This object imports functions that can gather information about hostnames on the network and the hostname of the infected computer itself. Malware uses this to better target further attacks or to scan for new targets. Example: Knowing hostnames might provide access to other computers using a remote access protocol (like Remote Desktop) or provide targets for guessing passwords. |
| Collection | KeystrokeLogImports | This object imports functions that can capture and log keystrokes from the keyboard. Malware uses this to capture and save keystrokes to find sensitive information such as usernames and passwords. |
| Collection | OSInfoImports | This object imports functions that are used to gather information about the current operating system. Malware uses this to better tailor further attacks (to take advantage of operating system exploits) and to report information back to a controller. |
| Collection | PossibleKeylogger | This object appears to be a keylogger based on evidence of keylogger-type activities. Malware uses keyloggers to collect sensitive information from keyboard entries, such as passwords. |
| Collection | PossiblePasswords | This object appears to include common passwords or is structured in a way that would enable brute forcing common passwords. Malware uses this to attempt to gain further access to a network by accessing other resources using passwords. |
| Collection | ProcessorInfoWMI | This object imports functions that can be used to determine details about the processor (CPU). Malware uses this information to tailor attacks and to send the collected data to a common Command and Control (C&C) infrastructure (exfiltrate data). An example of processor information is whether the CPU supports 64-bit operating systems; 64-bit operating systems provide more security measures than 32-bit versions. |
| Collection | RDPUsage | This object shows evidence of interacting with the Remote Desktop Protocol (RDP). Malware frequently uses this to infect other computers, and it offers direct command and control functionality over the infected computer. Malware can take advantage of resources shared with other computers, like network shares, using RDP. |
| Collection | ShellCommandString | This object contains one or more references to common utilities or shell commands which are observed more often in malware than in legitimate software. An example would be something like "netstat" or "tasklist", which could be used to enumerate further computer information. |
| Collection | SystemDirImports | This object imports functions used to locate the system directory. Malware does this to find where many of the installed system binaries are located, as it frequently hides among them. |
| Collection | UserEnvInfoImports | This object imports functions that are used to gather information about the environment of the logged-in user. Malware uses this to determine details about the logged-in user and to look for intelligence about the network environment that can be logically inferred. Examples: username conventions and computer naming conventions. |

Data Loss (12 Indicators)
These indicators represent situations where the object has elements that indicate capabilities or evidence of exfiltration of data. This can include outgoing network connections, evidence of acting as a browser, or other network communications.

| Category | Name | Description |
| --- | --- | --- |
| DataLoss | AbnormalNetworkActivity | This object implements a nonstandard method of network communication. Malware does this to avoid detection of more common networking approaches. An example of this type of communication would be the use of COM interfaces obtained through the CoCreateInstance function. |
| DataLoss | BrowserPluginString | This object appears to target common browser plug-in frameworks. Malware might register itself as a browser plug-in to establish itself on a computer, to infiltrate the browser to spy on the user, or to perpetrate fraud. |
| DataLoss | ContainsBrowserString | This object contains evidence of attempting to create a custom UserAgent string. UserAgent strings are used during HTTP communication to identify what type of software the client connecting to the website is using. Malware often attempts to blend in using legitimate UserAgent strings, but often employs older or malformed UserAgent strings. |
| DataLoss | DownloadFileImports | This object imports functions that can download files to the computer. Malware uses this to further stage an attack by downloading malicious files, or can use the outbound URL to send collected data back to the malware creator. |
| DataLoss | FirewallModifyImports | This object imports functions used to modify the local Windows firewall settings. Malware uses this to open more ports on the computer and avoid detection when communicating with the malware creator. |
| DataLoss | HTTPCustomHeaders | This object contains evidence of creating custom HTTP headers. Malware does this to facilitate interactions with Command & Control (C&C) infrastructures and to avoid detection. An example would be something like PlugX's use of the "X-Session", "X-size", and other custom headers. |
| DataLoss | IRCCommands | This object contains evidence of interacting with an Internet Relay Chat (IRC) server. Malware commonly uses IRC to communicate with Command & Control (C&C) infrastructure. IRC supports simple, text-based chat environments and allows a human operator to readily interact with multiple compromised computers. |
| DataLoss | MemoryExfiltrationImports | This object imports functions that can read memory from a running process. Malware uses this to determine proper places to insert itself, or to extract useful information, like passwords, credit card data, or other sensitive information. |
| DataLoss | NetworkOutboundImports | This object imports functions that can send data out to the local network or to the Internet. Malware uses this to transfer information collected from the computer (exfiltrate data) or for Command & Control (C&C). |
| DataLoss | PipeUsage | This object imports functions that allow the manipulation of named pipes. Malware uses this for communication and to transfer information collected from the computer (exfiltrate data). A named pipe is used for communication between a server and clients. Any process can act as both a server and a client, allowing information to be sent to or from the affected computer. |
| DataLoss | RPCUsage | This object imports functions that allow it to interact with Remote Procedure Call (RPC) infrastructures. Malware uses this to spread itself or to transfer information collected from the computer (exfiltrate data). RPC can also be used as a means of command and control within a local network. |
| DataLoss | SpyString | The object targets functionality that can be used to spy on the users of a computer. |

Deception (22 Indicators)
These indicators represent situations where the object has elements that indicate capabilities or evidence of an object attempting to be deceptive. Deception can come in the form of hidden sections, inclusion of code to avoid detection, or indications that it is labeled improperly in metadata or other sections.

| Category | Name | Description |
| --- | --- | --- |
| Deception | AntiVM | This object might try to determine if the process is running in a virtual machine. Anti-virus programs and security researchers use virtual machines to run potentially malicious files and observe the results without affecting the computer. Malware commonly tries to avoid running in virtual machines to avoid detection, or displays alternate behavior inside a VM to fool researchers. |
| Deception | CabinentUsage | This object appears to contain a cabinet file (CAB). Malware does this to package sensitive components into a format that many anti-virus programs cannot scan. CAB files can use strong encryption and do not require any additional software to be installed on the machine. |
| Deception | ContainsEmbeddedDocument | This object contains a document that is embedded inside the object. Malware can use this to spread an attack to multiple sources, or to otherwise hide its true form. Example: The object could contain a document with malicious macros that run when opening the embedded file is approved. |
| Deception | CryptoKeys | This object might contain an embedded cryptographic key. Malware does this to avoid detection or to provide authentication with remote services. Ransomware could use this to encrypt files on the local computer and store the private key needed to decrypt the data on a remote server. |
| Deception | DebugCheckImports | This object imports functions that would allow it to act like a debugging program (debugger). A debugger is used to test other software for problems, which includes stopping the program being tested and changing the way that it operates. However, these same functions can be used for malicious purposes, like reading sensitive information from other processes running on the computer, or tampering with software (as a software cracking tool does to evade copyright protection). |
| Deception | EmbeddedPE | This object contains additional objects within it, which rarely happens outside of software installation programs. Malware embeds these objects, drops them to disk, then runs them. This technique is used to avoid protection scanners by packaging the objects in a format the scanning technology does not understand and therefore cannot detect. |
| Deception | EncodedPE | This object has additional objects within it and uses an encoding scheme on the additional objects. This is suspicious behavior. Malware does this to avoid protection scanners by encoding the source information in a scheme that only the malicious object understands. |
| Deception | ExecuteDLL | This object contains the capability of running a DLL using common methods. Malware uses this to avoid common detection practices. Malware has slowly shifted to the use of more DLLs, as they are more difficult to detect from a process listing. |
| Deception | FakeMicrosoft | This object claims that Microsoft created it, but it does not look like a Microsoft object. Malware tries to masquerade as a Microsoft object to avoid detection. |
| Deception | HTTPCustomUserAgent | This object contains evidence of manipulating the browser User-Agent. Malware does this to interact with Command & Control (C&C) infrastructures and to avoid detection. In HTTP, User-Agent information might contain the browser version to provide compatibility information. However, the User-Agent could contain anything, including sensitive computer information. |
| Deception | InjectProcessImports | This object can inject code into other processes. This implies that a process is attempting to be deceptive or hostile in some way. Malware uses code injection to install and run stealthy malicious objects, interrupt services, or escalate privileges. |
| Deception | InvisibleEXE | This object appears to run invisibly, but it is not a background service. Malware may try to run without letting the user know, to remain hidden. |
| Deception | MSCertStore | This object appears to interact with the core Windows certificate store. Malware does this to collect credentials and insert rogue keys to facilitate man-in-the-middle attacks. |
| Deception | MSCryptoImports | This object imports functions to use the core Windows Crypto Library. Malware uses this to leverage the locally installed cryptography instead of supplying its own. The Windows Crypto Library allows creating cryptographic keys along with the ability to encrypt or decrypt data. |
| Deception | ProtectionExamination | This object seems to be looking for common protection software (like anti-virus or anti-malware programs). Malware does this to initiate anti-protection actions that are tailored to the protection system installed on the device. |
| Deception | SegmentSuspiciousName | This object contains a segment with a suspicious name. This might indicate that the file has been obfuscated to avoid detection or was generated in an unusual way. A segment is a part of the object that contains variables that are available while the program is running. |
| Deception | SegmentSuspiciousSize | This object contains a segment with an anomalous size. This might indicate that the file has been obfuscated to avoid detection or was generated in an unusual way. A segment is a part of the object that contains variables that are available while the program is running. |
| Deception | SelfExtraction | This object appears to be a self-extracting archive. Malware uses this to hide its true intentions because some anti-virus or anti-malware programs either do not detect or misclassify archived (compressed) malware. Making the object self-extracting allows the malware to decompress, and possibly run, without the user being involved. |
| Deception | ServiceDLL | This object appears to be a service dynamic link library (DLL). Service DLLs are typically started at computer startup. This provides persistence for malware. |
| Deception | TempFileImports | This object imports functions that can access and manipulate temporary files. Malware sometimes hides in and can run from temporary files on a computer. Not all anti-virus or anti-malware programs scan temporary files, so malware manipulates temporary files to avoid detection. |
| Deception | UsesCompression | This object appears to have portions of its code compressed. Malware does this to avoid detection because some anti-virus or anti-malware programs either do not detect or misclassify the compressed malware. |
| Deception | VirtualProtectImports | This object imports functions that can modify the memory of a running process. Malware does this to inject itself into running processes. By injecting into a process, malware could copy something to memory (like a dynamic link library or DLL) and instruct the process to run it. |

Destruction (13 Indicators)
These indicators represent situations where the object has elements that indicate capabilities or evidence of destruction. Destructive capabilities include the ability to delete computer resources like files or directories.

| Category | Name | Description |
| --- | --- | --- |
| Destruction | AutorunsPersistence | This object attempts to interact with common methods of persistence, a way of making sure that the object continues to exist or run on the computer. Some examples of persistence are modifying the Registry to run malware each time a user logs in, and using Windows Services because this provides the highest level of privileged account available. |
| Destruction | DestructionString | This object appears to use destructive functionality. Examples of destructive functions include deleting files and terminating processes running on the computer. |
| Destruction | FileDirDeleteImports | This object imports functions that can delete files or directories. Malware commonly uses this to break computers and to cover its tracks. |
| Destruction | PossibleLocker | This object appears to be able to lock out common tools by policy. Malware does this to retain persistence and to make detection and cleanup more difficult. |
| Destruction | RegistryManipulation | This object imports functions that can manipulate the Windows registry. Malware does this to gain persistence, avoid detection, enumerate computer information, and many other things. |
| Destruction | SeBackupPrivilege | This object might attempt to read files to which it has not been granted access. It appears to request SeBackupPrivilege, a privilege that allows programs to read files regardless of the Access Control List (ACL) security settings for those files. Typically this privilege is reserved for administrative users. |
| Destruction | SeDebugPrivilege | This object might attempt to tamper with system processes. A program uses SeDebugPrivilege to access other processes, and it is typically limited to administrative users. This privilege allows developers to debug a service without enabling all the administrative user privileges, but malware may use the privilege to tamper with critical and highly privileged processes, which may contain sensitive information. |
| Destruction | SeRestorePrivilege | This object might attempt to change or delete files to which the portable executable (PE) has not been granted access. The counterpart of SeBackupPrivilege, SeRestorePrivilege allows taking ownership of and writing to any file without regard to the Access Control List (ACL) security settings for that file. |
| Destruction | ServiceControlImports | This object imports functions that can control Windows Services on the current computer. Malware uses this to launch itself in the background (by installing as a service) or to disable other services that are there to protect the computer. |
| Destruction | SpawnProcessImports | This object imports functions that can be used to run another process. Malware uses this to launch subsequent phases of an infection, typically downloaded from the Internet. |
| Destruction | TerminateProcessImports | This object imports functions that can be used to stop a running process. Malware uses this to attempt to remove protection software, or to damage a running computer. |
| Destruction | UserManagementImports | This object imports functions that can be used to change users on the local computer. It can add, delete, or change key user details. Malware can use this capability to achieve persistence or cause harm to the local computer. |
| Destruction | VirtualAllocImports | This object imports functions that are used to request memory in another running process. Legitimate software uses these functions to extend a program to add features, while malware uses them to inject malicious code into a running process. |

Misc (8 Indicators)
All indicators that do not fit into the previously mentioned categories.

| Category | Name | Description |
| --- | --- | --- |
| Misc | AutoRunString | This object appears to use one or more means of establishing persistence on the computer. Example: the object registers itself to run when the computer starts or when the user logs in. |
| Misc | CodepageLookupImports | This object imports functions used to look up the codepage (location) of a running computer. Malware uses this to differentiate which country or region a computer is running in, to better target particular groups. |
| Misc | HiddenMachO | This file contains one or more embedded executables. In legitimate software, executables are bundled into a package, installer, or disk image. In malware, executables are stored within the resource section or appended to the end of the file. |
| Misc | MutexImports | This object imports functions that can create and manipulate mutual exclusion (mutex) objects. Malware frequently uses mutexes to avoid infecting a computer multiple times, which reduces the chances of causing computer abnormalities that could result in detection. |
| Misc | OpenSSLStatic | This object contains a version of OpenSSL that is compiled to be stealthy. OpenSSL is a cryptographic library and is used for secure communication, typically with web servers. Malware does this to include cryptography functionality without appearing suspicious. |
| Misc | PListString | This object contains references to .plist files. Linux-based and Mac OS X computers use plist files. Plist files may also appear on a Windows computer if OS X software is installed (like iTunes). Plist files typically contain preferences for a software program. Malware commonly targets the .plist file of an application to piggyback on it or infiltrate it. |
| Misc | PrivEscalationCryptBase | This object shows evidence of attempting to use a particular privilege escalation using CryptBase. The trusted sysprep.exe binary loads any DLL with the name CryptBase.dll from the same local directory. If replaced with a malicious file, this technique can be used to escalate user privileges to Administrator without notifying the user; no User Account Control (UAC) message displays. Malware uses this to gain more privileges on the affected computer. |
| Misc | SystemCallSuspicious | This object contains references to computer functionality that legitimate software typically does not use. System calls are used by software programs to use a service available in the operating system. Examples: access to hardware (like the hard drive), creating and running a process, and communication with the kernel (an important part of any operating system). |

To contact support, reference Dell Data Security International Support Phone Numbers. Go to TechDirect to generate a technical support request online. For additional insights and resources, join the Dell Security Community Forum.
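Several of the structural indicators in the tables above (Anachronism, AppendedData, RWXSection, Base64Alphabet and SegmentSuspiciousName) can be checked directly from a file's PE headers. The following is an added example, not Dell's or Cylance's code: it parses just the DOS header, COFF header and section table, builds two constructed in-memory PE images (one clean, one carrying all five anomalies) and reports which indicators fire. The list of "common" section names, the 12-character Base64 threshold and the fixed analysis time are assumptions, and, as the note at the top of this article says, a hit is a reason to look closer rather than a verdict.

```python
"""Header-level checks for a few of the Threat Indicators described above."""
import base64
import binascii
import re
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Assumed list of names mainstream linkers emit; anything else is SegmentSuspiciousName.
COMMON_SECTION_NAMES = {b".text", b".data", b".rdata", b".bss", b".idata",
                        b".edata", b".pdata", b".reloc", b".rsrc", b".tls"}
# A run of 12+ Base64-alphabet characters with optional "=" padding (assumed threshold).
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{12,}={0,2}")


def build_sample_pe(timestamp, section_chars, section_name, payload, overlay=b""):
    """Construct a minimal, non-runnable PE32 image with one section (test data only)."""
    opt_size = 0xE0                          # SizeOfOptionalHeader for PE32
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)    # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    raw_ptr = raw_size = 0x200
    sec = struct.pack("<8sIIIIIIHHI", section_name.ljust(8, b"\0"), raw_size, 0x1000,
                      raw_size, raw_ptr, 0, 0, 0, 0, section_chars)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return headers.ljust(raw_ptr, b"\0") + payload.ljust(raw_size, b"\0") + overlay


def parse_pe(data):
    """Return the COFF timestamp and section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sec_off = coff + 20 + opt_size           # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "chars": chars})
    return {"timestamp": stamp, "sections": sections}


def threat_indicators(data, now):
    """Return the set of indicator names (from the tables above) that the image triggers.

    `now` is the analysis time as a Unix timestamp, passed in so results are deterministic.
    """
    pe = parse_pe(data)
    found = set()
    # Anachronism: a link timestamp later than the analysis time cannot be genuine.
    if pe["timestamp"] == 0 or pe["timestamp"] > now:
        found.add("Anachronism")
    end_of_sections = 0
    for s in pe["sections"]:
        end_of_sections = max(end_of_sections, s["raw_ptr"] + s["raw_size"])
        # RWXSection: a section that is both writable and executable holds modifiable code.
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            found.add("RWXSection")
        if s["name"] not in COMMON_SECTION_NAMES:
            found.add("SegmentSuspiciousName")
    # AppendedData: any bytes past the last section's raw data form an overlay.
    if len(data) > end_of_sections:
        found.add("AppendedData")
    # Base64Alphabet: a run that decodes cleanly; requiring a digit, '+' or '/'
    # keeps long plain identifiers from counting as Base64.
    for run in BASE64_RUN.findall(data):
        if len(run) % 4 == 0 and re.search(rb"[0-9+/]", run):
            try:
                base64.b64decode(run, validate=True)
                found.add("Base64Alphabet")
                break
            except binascii.Error:
                pass
    return found


ANALYSIS_TIME = 1_650_000_000   # fixed "now" for the demo (April 2022)
CLEAN = build_sample_pe(1_600_000_000,
                        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ,
                        b".text", b"plain program text")
SUSPECT = build_sample_pe(1_700_000_000,   # "linked" after ANALYSIS_TIME
                          IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
                          | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
                          b".xyz", b"config=dGhpc2lzYWJvdA==",   # the article's Base64 example
                          overlay=b"CONSTRUCTED-OVERLAY-BYTES")

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, sorted(threat_indicators(image, ANALYSIS_TIME)))
```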