As with most of my articles commenting on the infosec area, I’m writing from my own experience: I’ve been looking into infosec daily for about 2 years and it is the nearest thing I have to a job. An increasing number of people from different backgrounds, from network/system administrators to 14-year-old school kids, seem to be interested in information security. So they should be: it is a growing sector of the IT community, it pays well and has some fairly interesting aspects to it. Malware analysis is steadily becoming a hot topic in infosec due to the number of threats that appear each year; in 2014 PoS malware boomed and several major companies around the world were affected (not naming any names 😉). With media coverage gradually growing on topics such as malware, it seems that, just like me, more people are coming out and commenting on the state of the malware sector. One thing I hear very commonly is simply:
“Advanced malware uses 0-days and sophisticated methods to connect to the command and control server.”
It’s a sweeping statement that I have heard time and time again. Don’t get me wrong, there is probably something out there that has used an ultra leet zero day to infect users so that it can silently connect; the recent showcase of NSA and GCHQ tricks has shown this is perfectly plausible, but in most cases an HTTP request home is all most malware will do. Malware is evolving: a few years back bot owners were stupid enough (some still are) to think the IRC protocol was an effective way of transferring information. If you have a large number of bots you don’t want to be constantly shown pingbacks from bots; you want the information filtered down to make it easier to carry out your tasks efficiently.
Malware does, and should, attempt to replicate software that is known to be “good”. Replicating software that has no malicious intent will, in my view, always be a great way of evading an anti-virus or a researcher. By injecting into other processes, you give me and other researchers a good reason to question why it would want to inject into svchost or Firefox. Minimal HTTP requests are what I see as the best solution for any malware developer; I’m not trying to give advice, it’s just something I’ve thought about for a while. A lot of AVs are well known to scan a newly started process and then leave it alone for a while. Delaying HTTP requests as much as possible will help you evade AVs and sandboxes. The point I’m making here is that almost every single modern program sends HTTP requests back home somewhere for statistics or updates, so why not just stick with the crowd?
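From the defender’s side, the “stick with the crowd” traffic described above still tends to differ from a real update check in one way: it comes back on a near-fixed interval and hits the same URI. The following is an added example (my own code, not the author’s) that flags near-periodic, low-variety request streams in constructed web-proxy log lines; the log format, the hosts and the thresholds are assumptions.

```python
import re
import statistics
from datetime import datetime

# Constructed sample web-proxy log lines (not real traffic): one client browsing
# and running a normal update check, another polling one host every ~5 minutes.
SAMPLE_LOG = """\
2014-11-03T09:00:02 10.0.0.5 GET update.example.com /check?v=31.0 200
2014-11-03T09:00:09 10.0.0.5 GET www.example.org /news/index.html 200
2014-11-03T09:03:41 10.0.0.5 GET www.example.org /news/story-12.html 200
2014-11-03T09:00:00 10.0.0.7 GET cdn-stat.example.net /s.php 200
2014-11-03T09:05:01 10.0.0.7 GET cdn-stat.example.net /s.php 200
2014-11-03T09:10:00 10.0.0.7 GET cdn-stat.example.net /s.php 200
2014-11-03T09:15:02 10.0.0.7 GET cdn-stat.example.net /s.php 200
2014-11-03T09:20:00 10.0.0.7 GET cdn-stat.example.net /s.php 200
2014-11-03T09:01:00 10.0.0.7 GET www.example.org /index.html 200
"""

# Assumed log layout: timestamp client method host uri status
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Yield (timestamp, client, host, uri) tuples from the proxy log."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, host, uri, _status = m.groups()
        yield datetime.fromisoformat(ts), client, host, uri

def find_beacons(text, min_requests=4, max_cv=0.15, max_uris=2):
    """Return {(client, host): mean_gap_seconds} for streams that look like
    beacons: at least min_requests to one host, inter-request gaps with a
    coefficient of variation at or below max_cv, and few distinct URIs."""
    streams = {}
    for ts, client, host, uri in parse_log(text):
        streams.setdefault((client, host), []).append((ts, uri))
    suspects = {}
    for key, events in streams.items():
        if len(events) < min_requests:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        uris = {u for _, u in events}
        if cv <= max_cv and len(uris) <= max_uris:
            suspects[key] = round(mean)
    return suspects
```

On the constructed sample, `find_beacons(SAMPLE_LOG)` reports only the 10.0.0.7 stream to cdn-stat.example.net, with a mean gap of about 300 seconds; the browsing and update-check traffic from 10.0.0.5 is left alone.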
I know a lot of people in the media like to point out the sophistication of malware, and they are correct: some actors will make some really creative pieces of malware. But on the other hand, we will always have the commercialised aspect of malware, generically made “malware loaders” which provide features for all. So for the people who are just starting out and aren’t expecting a 1/100000000000000000 chance of realising they have found an APT when first starting out: malware isn’t all fireworks.