Malware Isn’t All Fireworks

March 15, 2015

As most of my articles commenting on the infosec area, I’m coming from my own experiences, I’ve been looking into infosec daily for about 2 years and is the nearest thing I have to a job. An increasing number of people from different backgrounds, be it network/system administration to a 14 year old school kid seem to be interested in information security. So they should be, it is a growing sector of the IT community, it pays well and has some fairly interesting aspects to it. Malware analysis is steadily becoming a hot topic in infosec due to the amount of threats it gives each year, in 2014 PoS malware boomed and several major companies around the world had been affected (Not naming any names 😉 ). With media coverage gradually growing on such topics such as malware it seems just like me, more people are coming out and commenting on the state of the malware sector. One thing I hear very commonly is simply:

“Advanced malware uses 0-days and sophisticated methods to connect to the command and control server.”

It’s a sweeping statement that I have heard time and time again, don’t get me wrong, there is probably something that has used a ultra leet zero day to infect users so that it can silently connect, the recent showcase of NSA and GCHQ tricks have shown this is perfectly plausible but in most cases a HTTP requests home is all most malware will do. Malware is evolving, a few years back bot owners were stupid enough (some still) to think the IRC protocol was a effective way of transferring information. If you have a large amount of bots you don’t want to be constantly shown pingbacks from bots, you want information filtered down to make it easier to carry out your tasks efficiently.

Malware does/should attempt to replicate software which are known to be “good”. Replicating software which has no malicious intent in my view will always be a great way for evading a Anti Virus or researcher. By injecting into other processes, you will provide me and other researchers a good reason to question why it would want to inject into scvhost or Firefox. Minimal HTTP requests are what I see as the best solution for any malware developer, not trying to give advice, it’s just something I’ve thought about for a while. A lot of AV’s are well known to scan a newly started process and then leave it alone for a while. Delaying HTTP requests as much as possible will help you evade AV’s and sandboxes. The point I’m making here is almost every single modern program sends HTTP requests back home to somewhere for statistics or updates, why not just stick with the crowd?

I know a lot of people in media like to point out the sophistication of malware and they are correct, some actors will make some really creative pieces of malware. But on the other hand, we will always have the commercialised aspect of malware, generically made “malware loaders” which provide features for all. So for the people who are just starting out and aren’t expecting a 1/100000000000000000 chance of realising they have found an APT somewhere first starting out, malware isn’t all fireworks.


March 15, 2015 @ 9:06 pm

Very nice post !
Your opinion and your description are good, IT security is growing day after day, and malware researcher are very important and I think, become more and more important in the futur. But you should be passionate for become a security researcher I think, for spend lots of hour and days to understand the IT sec !

    March 16, 2015 @ 10:29 am

    I am passionate 🙂

    I am currently taking a university course in infosec and work almost everyday on some sort of research.

March 16, 2015 @ 1:14 pm

Also don’t forget that the other defenses but AV: Firewalls & SNORT.
Maybe a company doesn’t allow anything but HTTP, SMTP & DNS requests – so your fancy p2p protocol is of no use.
And if you use a custom p2p protocol it probably is extremly easy to write a SNORt signature and detect it – all packets start with magic value 0x???????? and are X bytes long?

    March 16, 2015 @ 3:53 pm

    Correct I did not think of a corporate based networks with restricted network access. All these talks of ultra cool methods are simply false. Most good malware developers will understand that P2P will need a fall back for targets such as corporations. Without this fallback infections under corporate networks will be trivial.


Leave a Reply

Your email address will not be published. Required fields are marked *