Is it possible for malware to hide their network activity from tools like the Resource Monitor that ships with windows?
How much effort is it for a malware developer to implement such functionality? I'm just wondering if there is a point in monitoring network activity, if malware can easily hide from it.
Yes.
A rootkit typically patches the kernel or other software libraries to alter the behavior of the operating system. Once this is happening, you cannot trust anything that the operating system tells you.
For example; a simple change to the dir program could hide the existence of malicious files from a user, but this is easily detectable by many anti-virus packages as the alteration of an executable is something that can be noticed. If however, the malware alters the mechanisms by which userland programs query the file system, by patching the kernel itself, any user-space program can be tricked into thinking that the executable has not been altered.
Once malware has started altering the behavior of the system calls/kernel api, it can hide any activity effectively, including network interactions.
All of this only applies if you are monitoring the infected machine locally. If you have firewall logs or some other remote method of monitoring the infected machine, this information can be trusted (the network connections still have to exist, but they can be hidden from the infected OS).
As answered above about rootkit that uses cloaking techniques for hiding itself, if we talk about prevention: Behavioral detection of malware is hot topic for researchers for identifying and generalization some detection rules based on unexpected behavior of the malware.
More sophisticated malware requires more effort, sometimes detection is not useful because it requires more time, of which the malware accomplished its task.
Please read these articles:
Behavioral detection of malware: from a survey towards an established taxonomy
Yes it can, it is possible for the malware to either simply replace the built in tool with a broken version or to replace the drivers that the tool uses to detect network activity. This is called a rootkit. To get around it, the best bet is to either boot from a LiveCD (thus avoiding the rootkit being able to take effect) or by using a separate piece of hardware for analysis (such as a packet analyzer on another system or logs from a router.
Actually, a rootkit need not even be involved for Perfmon to miss things. Perfmon uses Event Tracing for Windows to detect network activity. ETW has a few limitations in this regard -- namely, it is a "best effort" tool -- events may be dropped for a myriad of reasons:
Missing Events
Perfmon, System Diagnostics, and other system tools may report on missing events in the Event Log and indicate that the settings for Event Tracing for Windows (ETW) may not be optimal. Events can be lost for a number of reasons:
- The total event size is greater than 64K. This includes the ETW header plus the data or payload. A user has no control over these missing events since the event size is configured by the application.
- The ETW buffer size is smaller than the total event size. A user has no control over these missing events since the event size is configured by the application logging the events.
- For real-time logging, the real-time consumer is not consuming events fast enough or is not present altogether and then the backing file is filling up. This can result if the Event Log service is stopped and started when events are being logged. A user has no control over these missing events.
- When logging to a file, the disk is too slow to keep up with the logging rate.
Luckily though, ETW operates at a relatively low level in the kernel, so some common ways malware uses to hide its activity (such as patching the LSP stack) are ineffective.
Of course, rootkit technology can be used to hide any piece of information on a local machine, including network activity.
