Malware: Why reuse code?

Malware copy-paste: software developers do it, and malicious developers are no exception. While we often view different malware families as separate entities, in fact most new malware programs use large pieces of the source code of existing malware, with some changes and additions.

This approach makes sense. Why reinvent the wheel when another developer has already created a solution that works?

There are many reasons why attackers reuse code when developing malicious software.

First of all, they save time. By copying code where possible, malware authors have more time to focus on other areas, such as evading detection and improving performance. In some cases, there may be only one way to accomplish a task, such as exploiting a particular vulnerability. In these cases, code reuse is essential.

A malicious developer also tends to reuse effective tactics (social engineering, malicious macros and spear phishing) whenever possible, because they have a high success rate.

Examples of malware built from older code

Reaper (or IoT Troop), first discovered in October by Check Point researchers, is a great example of malicious developers reusing and improving existing malware.

It uses the base code of the incredibly effective Mirai botnet. The author of Reaper seems to have used Mirai as a platform on which to build much more efficient methods of exploitation and distribution. Reaper's additions to the Mirai source code include the active exploitation of known IoT vulnerabilities and the use of the Lua programming language, allowing more sophisticated attacks than a simple DDoS.

Another example.

Earlier this year, the Shadow Brokers group publicly released an NSA toolkit as source code. Among the source code, many zero-day flaws targeting the Windows SMB file sharing service were identified. Within a month, attackers had used the source code to turn their ransomware into ransomworms for the WannaCry and NotPetya attack campaigns. These new ransomware variants showed us how quickly attackers can recycle new attack methods and exploit them with disastrous results.

Reuse of general attack methods

Malware code isn't the only place where malicious developers reuse source code. They also reuse generic attack methods where possible. Novice hackers, or "script kiddies", use pre-built tools and attack methods to compensate for their lack of knowledge.

Tools like Rapid7's Metasploit framework are ideal for legitimate security researchers who perform assessments for customers, but also for novice hackers who have little knowledge. Rapid7 is not the only vendor facing this issue. The entire penetration testing industry relies on tools developed for professionals, but criminals use them just as much.

Attack methods are also reused when a method is particularly effective.

Malicious macros in Office documents are still being used, despite the efforts made to make them less effective. Attackers continue to use malicious macros as a method of delivering malware, mainly because it is very easy to convince the victim to run the macros.

Reusing code is a trend that is not going to stop.

Malicious coders cite many reasons for open-sourcing their work. The developer of the EDA2 ransomware claims to have released his code to teach how ransomware works, while the author of the Mirai botnet released his code as a "last resort" as he walked away from the botnet when his attacks became too popular.

Attackers will continue to rely on previously successful malware to create more effective and destructive attacks. What we saw with the NSA's EternalBlue and WannaCry will be repeated…


Written by giorgos
