Cybersecurity researchers spend their lives finding security flaws in programs so that vendors can fix them, but bugs aren’t exclusive to legitimate software. Malicious software authors make mistakes too. Where do they go to find out about them? In January, cybersecurity researcher John Page launched Malvuln, a site that documents bugs in malware.
The site provoked support and concern in equal amounts. On the one hand, commentators pointed out that defenders could use it to disable malware and perhaps even trace its C2 servers or origin. On the other hand, they worried that savvy malware authors could use a publicly viewable resource like this to close loopholes in their software.
This isn’t the first site to alert people to malware bugs, but the others have kept mostly to the dark web. In May 2020, past SecTor keynote speaker Brian Krebs highlighted Krober, a Russian site that conducts paid code reviews for malware authors and then publishes details about bugs after they’ve been patched.
Why malware bugs are so important
Malware is so rampant and the stakes are so high that there’s clearly a need for bug intelligence. Cybersecurity researchers spend their time hunting bugs in illegitimate software, too, but they tend to keep them under wraps. These are valuable tools for fighting cyber criminals, after all.
One such bug emerged in February 2019, when researchers at Fox-IT found a bug in the popular exploitation framework Cobalt Strike. Like many such tools, it was designed with pen testing and red teaming in mind, but criminals have weaponized it for years. The researchers found a flaw in the underlying open-source Java web server that returned an unusual white space. This enabled them to locate thousands of likely Cobalt Strike C2 servers using internet scan data.
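As an added illustration of how a quirk like this is turned into a scan-data check (this is not code from the article or from Fox-IT), the script below assumes the detail from the Fox-IT write-up that the server sent a status line with a trailing space ("HTTP/1.1 200 OK "), which the article only calls "an unusual white space"; the scan records are constructed.

```python
"""Flag HTTP responses whose status line ends in an extraneous space.

Added example, not code from the article or from Fox-IT. Assumes the
Fox-IT detail that the Java web server bundled with Cobalt Strike emitted
"HTTP/1.1 200 OK " (note the trailing space). Scan records are constructed.
"""
from typing import Dict, List


def status_line(raw_response: bytes) -> str:
    """Return the first line of a raw HTTP response without its line terminator."""
    head, _, _ = raw_response.partition(b"\n")
    return head.rstrip(b"\r").decode("latin-1")


def has_trailing_space(raw_response: bytes) -> bool:
    """True when the status line starts with HTTP/ and ends in one or more spaces.

    RFC 7230 puts CRLF directly after the reason phrase, so a conforming server
    never emits whitespace there. The quirk fingerprints the server library,
    not one operator, so every hit is a lead to corroborate, not proof.
    """
    line = status_line(raw_response)
    return line.startswith("HTTP/") and line != line.rstrip(" ")


def flag_hosts(scan: Dict[str, bytes]) -> List[str]:
    """Return the hosts (sorted) whose recorded banner shows the quirk."""
    return sorted(host for host, resp in scan.items() if has_trailing_space(resp))


# Constructed scan records: a normal banner, one with the quirk, and one
# non-HTTP blob to show the check does not trip on garbage.
SCAN = {
    "192.0.2.10": b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n",
    "192.0.2.20": b"HTTP/1.1 200 OK \r\nContent-Length: 0\r\n\r\n",
    "192.0.2.30": b"\x16\x03\x01garbage",
}

if __name__ == "__main__":
    print(flag_hosts(SCAN))  # ['192.0.2.20']
```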
Bug information can also be useful for rival cybercriminals. In one case, a bug in the Mirai IoT malware enabled one group to crash another’s C2 servers.
Dodgy malware code throughout history
Mistakes in code go all the way back to some of the earliest mass viruses. One of the best-known is the ILOVEYOU virus. It may have spread quickly, but it was also an exercise in amateur development. It was cobbled together from various other malware strains and handily came with a copy of its own source code, enabling researchers to easily write a fix. Moreover, it included email addresses and other artefacts that helped law enforcement home in on its creator.
ILOVEYOU’s author wasn’t the only malware developer who left a little more in their source than they ought. Back in 2017, Vice reported that GR Sistemi, the author of an Android spyware app sold to organizations hoping to spy on users, left a link in one of its files that redirected to its own web site.
Other bugs cost their creators their ill-gotten profits. Some early ransomware authors made mistakes in their cryptographic algorithms that allowed researchers to develop their own decryption tools. One strain, MarsJoke, had a weakness in its random string generator that allowed researchers to calculate the AES key for an encrypted file and create a decryption tool.
Some ransomware authors failed to deliver any kind of decryption option at all thanks to incompetent coding. The author of a Power Worm variant planned on using a single AES key for all of his victims, but failed to properly pad it when converting it into a Base64 string, leaving the function with a null output. The result? The code created a random AES key for every victim that left the data unrecoverable. Nice job, genius.
Then, there was CryptoLocker. This ransomware, which was circulating widely in 2014, made $34,000 in a single month – but only from victims who didn’t know better. Its authors used Windows’ own APIs to generate the encryption key and send it back to their servers. Unfortunately, the Windows service also left a copy on the victim’s own machine. Whoopsie.
Some ransomware doesn’t need a decryption key at all. Back in 2016, the Hitler ransomware gang displayed a lock screen on infected computers warning users that their files had been encrypted. In fact, all it did was remove their filename extensions, crash the computer, and delete the files in the %UserProfile% folder on reboot. That left the files recoverable, no decryption key needed.
The best malware is getting increasingly sneaky. Some state-backed operations have produced stunning code, such as the team behind Stuxnet, which is some of the most sophisticated attack code ever written. But for every evil genius there are a thousand goons with little more than a few compsci classes or YouTube videos to go on. Long may their mediocrity continue.