
Malware Businesses Blending the Legitimate and the Illegitimate

Whenever someone wants to invoke a hacker for any purpose, we usually get some (stock photography) image of a lone, hooded malware author bent over a dark keyboard. Movies, too, perpetuate the idea of some socially maladjusted loner wreaking havoc single-handedly from his (or her) laptop, with the plot usually culminating in the arrest of the individual—and there the mayhem ends, because the single genius is now in solitary.

This suggests a second popularly promoted hacker conception: that malicious hacking happens in some isolated moment of brilliance, with the hacker circumventing all sorts of systems in a single sitting. Neither of these notions accurately reflects the realities of the “malware industry,” a deserved designation given the size of its economic activity and the increasing degree of economic integration found across different “service providers” in the malware (and phishing) value chain.

Office Hacks

The truth is that quite a lot of malware today, especially from Russia and Eastern Europe, is developed by an organization: an actual office of people who show up and spend their working day writing malware for a paycheck. Twenty years ago, back in the still-slightly-idealistic early days of the web, a malware author was a single author, and even signed their creations in such a manner that the antivirus community would know whom to give due credit. But this has changed, of course, as the stakes have gotten bigger and financial gain has become the single, overriding motivation for hackers.

Most malware authors today work full-time on writing malware. Whether they get health and dental coverage, I can’t say, but the point I wanted to get to is that the increasing degree of organization and even formalization in the malware industry is behind certain trends in actual malware development. So instead of loner geeks relying on momentary inspiration, what we’ve got are businesses grinding things out over the long term, which I think is contributing to a broadening of their use of legitimate software and tools to accomplish their ends.

Illegitimate Legitimate Software

I’ve written previously about “fileless” malware, and how malware developers are leveraging pre-installed system tools which are already on everyone’s computers. Another trend to keep an eye on is the use and abuse of legitimate software in malware attacks, which poses challenges in detection. Legitimate software is often capable of very malicious behavior if used that way, although it obviously wasn't designed for it. The usual example of this is Flash, but also considered in this category are several legitimate remote access tools sometimes hijacked for malware attacks, and the episode earlier this year of malicious modules in the official Python repository, whereby installing a compromised Python package could allow malicious code to execute. GitHub found vulnerabilities in over 500,000 repositories.

Malware Authors Use Our Tools for QA

Another category of this blending of the legitimate and the illegitimate extends to tools used by malware researchers. You may not be familiar with YARA, an open source tool described on its GitHub page as “the pattern-matching Swiss Army knife,” but all malware researchers certainly are. Naturally, it turns out that security researchers aren’t the only ones using YARA – for those who spend enough time analyzing malware to begin to “read between the lines,” as it were, it is very clear that malware authors are using YARA themselves to develop tests and do extensive QA of their own malware. In the same way that a malware analyst might use YARA to de-obfuscate (for example) RTF files, malware developers can use the program to check if their obfuscations are easily findable. There are a lot of different types of obfuscations to be found in many RTF files. Many are simple – splitting malicious strings with spaces, tabs and new lines. But it can get fancy pretty fast, since RTF is not limited to exploiting only RTF parsing vulnerabilities: it also supports embedded objects like OLE objects and images that can be used in exploits.
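An added example, not from the original column: a Python sketch of the analyst-side normalization that the simple whitespace-splitting case calls for. It decodes `\objdata` hex payloads after removing the spaces, tabs and new lines an RTF reader ignores, then looks for the OLE2 compound-file magic; the sample documents and function names are constructed for illustration, and the fancier obfuscations the column mentions are out of scope.

```python
import re

# OLE2 compound-file magic that marks an embedded OLE object.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

# \objdata control word followed by its hex payload. RTF readers skip
# whitespace inside hex data, so the payload class has to allow it too.
OBJDATA_RE = re.compile(rb"\\objdata(?![A-Za-z])([0-9A-Fa-f\s]+)")


def extract_objdata(rtf: bytes) -> list[bytes]:
    """Return each \\objdata payload decoded to bytes, whitespace removed."""
    payloads = []
    for match in OBJDATA_RE.finditer(rtf):
        hex_text = re.sub(rb"\s+", b"", match.group(1))
        if len(hex_text) % 2:  # drop a dangling nibble rather than fail
            hex_text = hex_text[:-1]
        payloads.append(bytes.fromhex(hex_text.decode("ascii")))
    return payloads


def naive_hit(rtf: bytes) -> bool:
    """Literal search for the magic written as contiguous hex text."""
    return OLE_MAGIC.hex().encode("ascii") in rtf.lower()


def normalized_hit(rtf: bytes) -> bool:
    """Search the decoded payloads, so split hex strings still match."""
    return any(OLE_MAGIC in payload for payload in extract_objdata(rtf))


# Constructed samples: the same 12-byte payload, once contiguous and once
# split with spaces, a tab and new lines.
SAMPLE_PLAIN = rb"{\rtf1{\object\objemb{\*\objdata 01050000d0cf11e0a1b11ae1}}}"
SAMPLE_SPLIT = (
    b"{\\rtf1{\\object\\objemb{\\*\\objdata 0105 0000\r\n"
    b"d0 cf\t11e0\n a1b1 1ae1}}}"
)

if __name__ == "__main__":
    for name, doc in (("plain", SAMPLE_PLAIN), ("split", SAMPLE_SPLIT)):
        print(name, "naive:", naive_hit(doc), "normalized:", normalized_hit(doc))
```

The literal search matches only the contiguous sample, while the normalized search matches both, which is why detection content for RTF has to tolerate whitespace inside hex data.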

The point is, a malware development organization can and does acquire and use our same tools to “improve” their product. Or, increasingly, they outsource it to a testing vendor who uses these tools, and more. I’m aware of malware industry services which perform multiple scans to check if a particular piece of malware might get caught easily, essentially a VirusTotal-like service for the badly intended.

It would be nice for us all if stock photography images were accurate and malware developers really were loners, but integrated malware businesses are what we’ve got today.

Sigurdur “Siggi” Stefnisson is vice president of threat detection at Cyren, an Internet Security as a Service provider that protects users against cyberattacks and data breaches through cloud-based web security, email security, DNS security and sandboxing solutions.