CHICAGO -- In the past, producing a unique malware sample was a time-consuming process that required knowledge of both programming and security systems. Now, a researcher has shown how automation has revolutionized malware production, turning it into a trivial pursuit for even novice attackers.
Just click, click, and you will have your malware.
principal malware scientist, RSA NetWitness
Tuesday at the 2013 (ISC)2 Security Congress, Christopher Elisan, principal malware scientist for RSA NetWitness, gave a live demonstration of some of the tools being used to produce a record volume of "unique" malware samples. These tools are not only spawning the growing number of malware toolkits that sell for tens of thousands of dollars in the criminal underground, but they're also threatening the very existence of antivirus (AV) vendors.
During the presentation, Elisan used Zeus, the now infamous malware toolkit aimed at financial institutions, to create dozens of malware samples in a matter of minutes. He was then able to take one of the samples from Zeus and run it through another tool, SAW IV, to replicate the production rate of Zeus.
Shockingly, neither tool required any real effort on the part of Elisan. Within a minute of starting each program, both were able to quickly churn out unique malware samples that wouldn't be detected by traditional AV vendors, at least not without a signature being written for each sample.
"Zeus is very easy [to use]," Elisan said. "Just click, click, and you will have your malware."
Such malware toolkits, often called automated exploit kits, are a key reason for the exponential growth in unique malware samples reported over the last decade, with 2013 on track to shatter the mark set in 2012 by millions. According to McAfee Inc., as of April, the antimalware vendor reported that it catalogs more than 100,000 new malware samples daily, or more than one new piece of malware every second. Those figures don't even account for the malware that goes undetected.
Malware kits and 'unique' malware
The malware production process can begin with a single DIY kit, which, according to Elisan, is only limited by the amount of time it is allowed to run and the hardware on which it runs. Though each malware sample is considered unique to AV vendors, they are actually just variants on whatever malware the DIY kit produces.
This does not mean that attackers have created a never-ending arsenal of truly unique malware samples though. Instead, he cautioned that AV vendors and researchers will define a malware sample as being unique if just one small bit at the end of a hash has been changed.
"DIY kits like Zeus and SpyEye can create infinite … malware samples," he said. "To the untrained eye, it might seem like each one is completely different generation to generation, but it is actually just Zeus."
Still, AV vendors have been unable to produce detection signatures quick enough to keep up with the overwhelming volume of malware samples being produced by readily available DIY kits, such as SpyEye and Zeus. Even when a signature is produced, the modular nature of modern malware makes updating a small bit of code to throw off detection a simple task.
Tools can harden, obfuscate malware
With a malware sample in hand, attackers then feed the sample through a quality assurance (QA) process made up of a number of armory tools, including binders and antivirus scanners, that add additional features and make samples harder to detect.
Malware binders, in particular, have become an important part of the malware creation process. Binders are utilized to package malware executables with other programs, making it far more likely that a typical user will run the malicious program. Binders can even package malware with different file formats, according to Elisan.
While binders are used to fool end users, antivirus scanners such as NoVirusThanks are aimed at enabling malware to avoid detection by antivirus security products. An antivirus scanner will test a malware sample against many of the most widely used enterprise-grade antivirus products available to determine whether those products will flag the sample. NoVirusThanks has gained in popularity because it supposedly does not send submitted samples to vendors like other popular antivirus scanners.
Elisan noted that attackers oftentimes don't care whether their samples are submitted to vendors, though, as vendor researchers are already unable to keep up with the tens of thousands of samples pouring in every day from customers. By the time a vendor can deploy a signature for detection, attackers have oftentimes already deployed their malware successfully and don't care whether that particular sample is then blocked.
Malware automation: Starting point for targeted attacks
If an attacker simply wants to deploy his or her malware in the wild and rack up as many opportunistic infections as possible, the QA process ends at this point, but malware automation can also serve as a time-saver for malware authors who want to create a unique piece of malware for the purpose of a targeted attack. For those attackers that want to target a specific organization, Elisan said that malware authors will go to great lengths to ensure the success of a malware sample.
Among the examples he provided of such malware customization for targeted attacks, Elisan pointed to attackers that would actually scrawl job advertisements for the organization they are targeting; also, if an organization has an opening for a system administrator, and the job description includes knowledge-managing a specific antimalware product, attackers can make the reasonable assumption about the antimalware product in use at said organization and customize malware in ways to avoid detection by that specific product. Certain attackers have even been known to call a target enterprise about open positions, he said, and ask about the security products in use there.
With thousands of malware samples created and the QA process completed, attackers are ready to deploy their newly minted malware army. Even if an attacker is only interested in earning money off such malware, Elisan said that relatively sophisticated samples of this nature can go for anywhere between one cent and one dollar on the black market. Though this sounds like a paltry amount, the little effort now needed to create malware, combined with the rapid pace at which samples can be produced, can lead to very lucrative payouts, sometimes reaching tens of thousands of dollars in a single day.
"You can leave this running while you're on vacation, and it will create millions of samples," Elisan joked.