How do malware writers create and test their malicious code?


They lurk all over the world, from basements to offices, trying to take down your machines from afar. Malware writers have produced some devious code, eluding anti-virus tools to get their programs on your machine. From there, they will send spam, serve up their illegal content using your hard drive, and even monitor your banking sessions. But how well written is this code, and how much has it evolved?

Coding used to be far more of a dark art than it is now, and anyone with a technical leaning can learn the basics, warned Luis Corrons, technical director of Panda Security’s PandaLabs. It takes real skill to be a good one, though.

He sees big differences between coders in Russia and eastern Europe compared to South American malware writers. “In general the ones from South America are less skilled, which is something that they try to compensate for using a lot of social engineering techniques,” he said. “The ones from Russia are usually highly skilled, using all kind of different advanced techniques, such as rootkits.”

Malware writers need those skills, because they’re contending with a lot of challenges. The most obvious is detection avoidance. Malware writers must hone their products to avoid triggering the variety of tools designed to spot them, he said.

“If they want to bypass most AV engines, they can use one of many services available on the underground that will scan their malware with multiple engines,” said Joe Stewart, director of malware research at security firm Dell SecureWorks.

Some services designed to test the efficacy of antivirus tools, such as VirusTotal, will scan malware and provide results but will also forward the malware samples to antivirus vendors in a bid to stop criminals from using their services.

However, underground forums offer services that allow anonymous uploads along with private testing and results.

Packing it in

Also available in both legitimate and illegitimate versions are packers, which encode and encrypt software to make it more difficult to analyse and reverse engineer. In the legitimate software world, these are used for digital rights management and anti-piracy purposes. On the malware forums, they’re designed to make software detection-proof.

The challenges for malware and packer writers are mounting, though. For one thing, they have to detect whether they’re running in an environment where they’re likely to be analyzed. Virtual machine detection is a popular technique.

“Malware authors have a lot of work to do before they can successfully release an effective code and botnet,” said Liam O’Murchu, director of security response at Symantec. “That’s why they often tend to work in groups.”

O’Murchu knows quite a bit about viruses. He is heralded as the first to decode Stuxnet, the highly sophisticated malware that infected an Iranian nuclear plant and set back the country’s enrichment program by months. That code was said to be produced by state actors, though, with an entirely different class of software engineer involved.

The kind of malware that generally creates botnets and pilfers banking details is produced by career criminals. Corrons believes that the really innovative malware in this class trickles down from the more talented coders in the criminal underworld to bottom feeders below.

Talented malware writers innovate in different areas. One of them is protection. Some malware has sought out and deleted other botnet code to protect its pwned assets, for example, while some strains began using encryption for their command and control infrastructure years ago. Other innovations focus on refining exploitation. One piece of code allegedly used IP cameras to verify its targets, for example. And here’s a nasty piece of code that deletes Chrome and replaces it entirely with a fake browser.

When malware writers slip up

Still, malware writers are prone to mistakes, like everyone else. “Releasing malware samples with debug information is the most common one by far, together with leaving the original timestamp and language,” said Corrons.
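Corrons’ point is about what an analyst can read straight out of a carelessly built sample. As an added example (not code from this article, nor from any of the firms quoted), the Python below pulls two of those artefacts from a constructed stand-in for a Windows PE file: the compile timestamp in the COFF header and the PDB path stored in a CodeView “RSDS” debug record. The file bytes, the timestamp value and the path are all constructed for the demonstration; the language tag Corrons also mentions lives in the resource directory and is not parsed here.

```python
import struct
from datetime import datetime, timezone

# --- Constructed sample: a minimal stand-in for a PE file, not a real binary ---
COFF_TIMESTAMP = 1700000000  # constructed value: 2023-11-14T22:13:20Z
PDB_PATH = b"C:\\Users\\dev\\Desktop\\build\\Release\\loader.pdb"  # constructed path


def build_sample() -> bytes:
    """Assemble just enough PE structure for the two checks below to find their targets."""
    e_lfanew = 0x80
    header = bytearray(e_lfanew)
    header[:2] = b"MZ"                              # DOS magic
    struct.pack_into("<I", header, 0x3C, e_lfanew)  # e_lfanew: offset of the PE signature
    # PE signature, then the 20-byte COFF header: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) and 12 bytes of remaining fields left zeroed
    coff = b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, COFF_TIMESTAMP) + b"\0" * 12
    # CodeView PDB 7.0 record: "RSDS" + 16-byte GUID + 4-byte age + NUL-terminated path
    rsds = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + PDB_PATH + b"\0"
    return bytes(header) + coff + b"\0" * 64 + rsds + b"\0" * 16


def coff_timestamp(data: bytes):
    """Return the COFF TimeDateStamp, or None if the PE headers are not where expected."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return None
    # TimeDateStamp sits 4 bytes into the COFF header, after Machine and NumberOfSections
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def pdb_paths(data: bytes):
    """Find every CodeView 'RSDS' record in the file and return the embedded PDB paths."""
    paths = []
    pos = data.find(b"RSDS")
    while pos != -1:
        start = pos + 4 + 16 + 4  # skip signature, GUID and age
        end = data.find(b"\0", start)
        if end > start:
            paths.append(data[start:end].decode("latin-1"))
        pos = data.find(b"RSDS", pos + 4)
    return paths


def triage(data: bytes) -> dict:
    """Summarise the build artefacts an analyst would note on first contact with a sample."""
    ts = coff_timestamp(data)
    report = {"timestamp": ts, "compiled_utc": None, "pdb_paths": pdb_paths(data), "notes": []}
    if ts:  # None (no headers) and 0 (stripped) both mean there is nothing to date
        report["compiled_utc"] = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
        if ts > int(datetime.now(tz=timezone.utc).timestamp()):
            report["notes"].append("timestamp is in the future: likely forged")
    for path in report["pdb_paths"]:
        if "\\Users\\" in path:
            report["notes"].append(f"PDB path leaks a user profile name: {path}")
    return report


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

The checks are deliberately cheap: both values are recoverable with a hex editor, which is exactly why leaving them in is such a common slip. A full analysis would walk the debug data directory rather than scanning for the signature, but the scan also catches records that survive in overlays or appended data.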

Clues in the code can be even more explicit, say experts. Leaving their identities embedded in the malware – either for bragging rights or unintentionally – happens more often than you’d think, warned Stewart.

Then, there are basic coding mistakes. Crypto-ransomware encrypts a victim’s files and won’t decode them until the criminal receives a payment. Then, the users will typically get a key.

Some versions of ransomware used incorrectly-applied encryption schemes which rendered them less effective. “The people who made a lot of this malware were inexperienced, and used these cryptographic principles incorrectly. They used one key for all different devices or used things like RSA incorrectly,” said Patrick Nielsen, senior security researcher at anti-malware firm Kaspersky.

While innovations may trickle down from the top, the broader community is prone to mimicry or outright theft, say experts. Malware writers will often repurpose code, reusing and remixing it in new strains of software. The vast majority of malware in circulation is built on the shoulders of past strains, experts suggest.

Stewart believes that the innovations are dying down. “I can tell you the originality of techniques employed in malware seems to be decreasing over time,” he argued. “It feels like malware monetization schemes and their technical approaches have been mostly explored at this point. There’s not much new under the sun these days.”

Still, it never pays to underestimate a financially-motivated community, with some bright minds at the top.
