
Malware Businesses Blending the Legitimate and the Illegitimate

Whenever someone wants to invoke a hacker for any purpose, we usually get some (stock photography) image of a lone, hooded malware author bent over a dark keyboard. Movies, too, perpetuate the idea of some socially maladjusted loner wreaking havoc single-handedly from his (or her) laptop, with the plot usually culminating in the arrest of the individual—and there the mayhem ends, because the single genius is now in solitary.

This suggests a second popularly promoted conception of the hacker: that malicious hacking happens in some isolated moment of brilliance, with the hacker circumventing all sorts of systems in a single sitting. Neither of these notions accurately reflects the realities of the “malware industry,” a deserved designation given the size of its economic activity and the increasing degree of economic integration found across the different “service providers” in the malware (and phishing) value chain.

Office Hacks

The truth is that quite a lot of malware today, especially from Russia and Eastern Europe, is developed by an organization—an actual office of people who show up and spend their working day writing malware for a paycheck. Twenty years ago, back in the still-slightly-idealistic early days of the web, malware authors really were singular authors, and they even signed their creations so that the antivirus community would know whom to give due credit. This has changed, of course, as the stakes have gotten bigger and financial gain has become the single, overriding motivation for hackers.

Most malware authors today are people who work full-time on writing malware. Whether they get health and dental coverage, I can’t say, but the point I want to get to is that the increasing degree of organization, and even formalization, in the malware industry is behind certain trends in actual malware development. Instead of loner geeks relying on momentary inspiration, what we’ve got are businesses grinding things out over the long term, which I think is contributing to a broadening of their use of legitimate software and tools to accomplish their ends.

Illegitimate Legitimate Software

I’ve written previously about “fileless” malware, and how malware developers are leveraging pre-installed system tools that are already on everyone’s computers. Another trend to keep an eye on is the use and abuse of legitimate software in malware attacks, which poses challenges for detection. Legitimate software is often capable of very malicious behavior if used in a certain way, although it obviously wasn’t designed for it. The usual example of this is Flash, but this category also includes several legitimate remote access tools that are sometimes hijacked for malware attacks, as well as the episode earlier this year of malicious modules in the official Python repository, whereby installing a compromised Python package could allow malicious code to execute; GitHub found vulnerabilities in over 500,000 repositories.

Malware Authors Use Our Tools for QA

Another category of this blending of the legitimate and the illegitimate extends to tools used by malware researchers. You may not be familiar with YARA, an open source tool described on its GitHub page as “the pattern-matching Swiss Army knife,” but all malware researchers certainly are. Naturally, it turns out that security researchers aren’t the only ones using YARA. For those who spend enough time analyzing malware to begin to “read between the lines,” as it were, it is very clear that malware authors are using YARA themselves to develop tests and do extensive QA of their own malware. In the same way that a malware analyst might use YARA to de-obfuscate (for example) RTF files, malware developers can use the program to check whether their obfuscations are easily findable. There are many different types of obfuscation to be found in RTF files. Many are simple, such as splitting malicious strings with spaces, tabs and new lines. But it can get fancy pretty fast: RTF is not limited to exploiting RTF parsing vulnerabilities, because it supports embedded objects, such as OLE objects and images, that can be used in exploits.
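As an added illustration (not code from the article), the following Python snippet shows why the whitespace-splitting obfuscation described above defeats a literal pattern match of the kind a plain YARA string rule performs, and how normalizing the `\objdata` hex run before matching restores detection. Both RTF samples are constructed; the OLE compound-file signature `D0 CF 11 E0 A1 B1 1A E1` is the real magic that an embedded OLE object begins with.

```python
import re

# OLE compound-file signature, as it appears in RTF \objdata hex encoding.
OLE_MAGIC_HEX = "d0cf11e0a1b11ae1"

# Constructed sample: embedded OLE object with a contiguous hex run.
PLAIN_RTF = (
    "{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata "
    + OLE_MAGIC_HEX + "0000000000000000}}}"
)

# Constructed sample: the same object, but the hex bytes are split with
# spaces, tabs and newlines, which RTF readers silently ignore.
OBFUSCATED_RTF = (
    "{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata\n"
    "d0 cf\t11e0\n a1b1 1a e1 0000 0000 00 00 00 00\n"
    "}}}"
)


def naive_ole_check(rtf: str) -> bool:
    """Literal substring match, equivalent to a YARA rule with a plain string."""
    return OLE_MAGIC_HEX in rtf.lower()


def normalize_objdata(rtf: str) -> list[str]:
    """Return each \\objdata hex blob with all whitespace removed.

    Because the RTF reader ignores whitespace inside hex data, the split and
    contiguous forms decode to the same object; matching on the normalized
    form makes the check independent of how the author laid out the bytes.
    """
    blobs = []
    for match in re.finditer(r"\\objdata\s*([0-9a-fA-F\s]+)", rtf):
        blobs.append(re.sub(r"\s+", "", match.group(1)).lower())
    return blobs


def normalized_ole_check(rtf: str) -> bool:
    """Flag the document if any normalized \\objdata blob starts with the OLE magic."""
    return any(blob.startswith(OLE_MAGIC_HEX) for blob in normalize_objdata(rtf))


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_RTF), ("obfuscated", OBFUSCATED_RTF)):
        print(f"{name}: naive={naive_ole_check(sample)} "
              f"normalized={normalized_ole_check(sample)}")
```

The same normalization step is what a malware developer's QA pass is testing against: if a scanner only applies the naive check, the split form passes; if it normalizes first, the obfuscation buys nothing.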

The point is that a malware development organization can, and does, acquire and use the same tools we use to “improve” their product. Or, increasingly, they outsource it to a testing vendor who uses these tools, and more. I’m aware of malware industry services that perform multiple scans to check whether a particular piece of malware might get caught easily, essentially a VirusTotal-like service for the badly intended.

It would be nice for us all if stock photography images were accurate and malware developers really were loners, but integrated malware businesses are what we’ve got today.
