6/18/2013 12:52 PM

Slide Show: 10 Ways Attackers Automate Malware Production

Peeking into an attacker's toolbox to see how malware production is automated and the Internet is flooded with millions of unique malware applications




A full field of malware creation tools has enabled attackers to transition from manually creating single-use and easily defeated malware to developing an automated production line that turns out an "army of armored malware" to carry out attack campaigns, says Christopher Elisan, principal malware scientist for RSA NetWitness. Author of Malware, Rootkits & Botnets: A Beginner's Guide and a longtime malware reverser, Elisan recently offered up an extended explanation of how the process works. By using DIY malware kits like Zeus Builder, attackers with very little programming experience can create nearly infinite numbers of malware variants. From there, they can add both protection against detection and analysis and further variation of samples by running them through armoring tools, such as packers, crypters, and joiners. And once that process is done, they can automate quality assurance by running the variants through tools that lean on various AV engines to ensure that the malware remains undetected. It's a process that "basically killed AV," Elisan says, and one that depends on tools like the ones outlined here.

Tool: Spy Eye

Tool Type: DIY Kit

How They're Using It: "The main idea of DIY kits is you don't need to have assembly language skills or any programming skills for that matter to create your own malware," says Elisan, who explains that these kits have actually been evolving for the better part of two decades, since a 15-year-old created Virus Creation Lab (VCL) in 1992. Spy Eye is one of the first widely used kits of the modern era to include advanced features, such as encryption, and offer them in an easy GUI.

Image Credit: Christopher Elisan/RSA


Tool Type: DIY Kit

How They're Using It: The mother of all DIY crimeware kits, Zeus is pretty self-explanatory, says Elisan, who says it takes only about three minutes to create upward of 60 malware samples through the Zeus builder's GUI. "That's how easy it is to create malware in these next-generation kits," he says.

Image Credit: Christopher Elisan/RSA


Tool Type: DIY Kit

How They're Using It: Last week news broke of Microsoft bringing court action against a number of bot herders and the unnamed creator of Citadel, a very popular DIY tool derived from Zeus that's making the rounds in the underground. While Microsoft took down a number of malicious servers connected with Citadel, experts say it has only made a temporary dent in the Citadel ecosystem.

Image Credit: Sophos




Tool Type: Packer

How They're Using It: "When it comes to conducting an attack, attackers don't rely on DIY kits to protect their mechanism of attack," Elisan says. "They add more armoring to their malware."

Among those armoring tools are packers such as UPX, which comes in a command-line or easy-to-use GUI format and will take a piece of malware and hide it in plain sight through compression.

Image Credit: Christopher Elisan/RSA




Tool Type: Crypter/Packer

How They're Using It: Many armoring tools take packing to the next level by adding a higher level of cryptographic obfuscation to better evade anti-malware detection.

"This one has other options, like compressed resources and crypt executables, or you could actually add anti-debugger or anti-cracking," Elisan says. "This is good to beat reverse-engineering. Because the more time it takes for the researcher to probe the malware, the better it is for attackers."

Image Credit: Christopher Elisan/RSA


Tool Type: Crypter Service

How They're Using It: The software-as-a-service (SaaS) trend has impacted the world of malware industrialization as much as the rest of the legitimate IT world. Some armoring tools are not software run on the attacker's own system but instead are available online. This particular site was once offered free, on the condition that its owners could freely use any malware encrypted by it. Now it is offered through paid licensing.

Image Credit: Christopher Elisan/RSA


Tool Type: Joiner/Binder

How They're Using It: A file joiner or binder combines malware together with a benign file to make it easier to spread.

"What happens is they take a very popular app or program and join their malware with that program," Elisan says. "The main idea here is to make that file enticing to the user."

Image Credit: Christopher Elisan/RSA


Tool Type: Joiner/Binder

How They're Using It: Based on almost the same concept as File Joiner, this one has a few extra bells and whistles and a different GUI. The similarities highlight how often new tools are rolled out in the underground through derivation from, and out-and-out theft of, other existing tools.

Image Credit: Christopher Elisan/RSA
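Packers and joiners both leave static traces that a defender can look for before any signature match is attempted. The script below is an added illustration, not code from the slideshow or from any tool it describes: it walks the section table of a Windows PE file, flags UPX's default section names (UPX0/UPX1/UPX2), flags sections whose Shannon entropy sits near the 8-bit ceiling (compression and encryption both push bytes toward uniform), notes a section that is empty on disk but reserves memory (the layout UPX uses for the unpacked code), and measures any overlay appended after the last section. Treating appended overlay as the joiner signal, the entropy threshold of 7.0 bits, the 256-byte minimum section size, and the `build_pe` helper that fabricates minimal header-only images are all assumptions made for this example; the sample images are constructed and contain no real code.

```python
"""Static triage of a PE file for packer and joiner artefacts (added example)."""
import hashlib
import math
import struct
from collections import Counter

# IMAGE_SECTION_HEADER layout: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}   # UPX's default section names
HIGH_ENTROPY = 7.0   # bits per byte; threshold chosen for this example
MIN_SECTION = 256    # ignore tiny sections when judging entropy (example choice)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum, compressed/encrypted data sits near it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(
            pe, table + i * SECTION_HDR.size)
        body = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "entropy": shannon_entropy(body)})
    return sections


def overlay_size(pe: bytes, sections: list) -> int:
    """Bytes after the last section's raw data; the loader never maps them."""
    end = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    return max(0, len(pe) - end)


def triage(pe: bytes) -> dict:
    """Return section summary, overlay size and a list of human-readable findings."""
    sections = parse_sections(pe)
    findings = []
    for s in sections:
        label = s["name"].decode("ascii", "replace")
        if s["name"] in UPX_SECTION_NAMES:
            findings.append(f"UPX section name {label}")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{label} is empty on disk but reserves {s['virtual_size']:#x} bytes in memory")
        if s["raw_size"] >= MIN_SECTION and s["entropy"] > HIGH_ENTROPY:
            findings.append(f"{label} entropy {s['entropy']:.2f} bits/byte")
    ov = overlay_size(pe, sections)
    if ov:
        findings.append(f"{ov} bytes of overlay appended after the last section")
    return {"sections": sections, "overlay_bytes": ov, "findings": findings}


# --- constructed sample images: just enough headers to parse, no real code ---
def build_pe(sections, overlay=b"") -> bytes:
    """sections: list of (name, virtual_size, raw_bytes). Hypothetical helper for this example."""
    hdr_len = 0x40 + 4 + 20 + len(sections) * SECTION_HDR.size
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF                 # first section on a 512-byte boundary
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)  # no optional header
    headers, bodies, ptr, vaddr = [], [], raw_ptr, 0x1000
    for name, vsize, data in sections:
        headers.append(SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, vaddr, len(data),
                                        ptr if data else 0, 0, 0, 0, 0, 0x60000020))
        bodies.append(data)
        ptr += len(data)
        vaddr += 0x10000
    image = dos + b"PE\0\0" + coff + b"".join(headers)
    return image + b"\0" * (raw_ptr - len(image)) + b"".join(bodies) + overlay


_LOW_ENTROPY_CODE = b"\x55\x89\xe5\x90\x90\xc3" * 100        # repetitive, low entropy
_HIGH_ENTROPY_BLOB = b"".join(hashlib.sha256(i.to_bytes(2, "little")).digest()
                              for i in range(128))           # 4096 pseudo-random bytes

CLEAN = build_pe([(b".text", 0x1000, _LOW_ENTROPY_CODE)])
PACKED = build_pe([(b"UPX0", 0x8000, b""), (b"UPX1", 0x1000, _HIGH_ENTROPY_BLOB)])
JOINED = build_pe([(b".text", 0x1000, _LOW_ENTROPY_CODE)], overlay=b"\x00" * 3000)

if __name__ == "__main__":
    for tag, img in (("clean", CLEAN), ("packed", PACKED), ("joined", JOINED)):
        print(tag, triage(img)["findings"] or ["no packer/joiner artefacts"])
```

None of these checks is a verdict on its own: legitimate installers carry overlays and legitimate software is sometimes UPX-packed. Their value is as cheap, signature-independent features to feed a sandbox or a scoring rule, which is exactly the kind of layer that still works when attackers have pre-tested their samples against the AV engines.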


Tool Type: Malware QA

How They're Using It: This piece of software is based on cracked versions of AV engines to give attackers assurance that their malware will make it through the latest scanners.

"They actually kill some of the features that would conflict with the other AV engines," Elisan says of the cracking process. "The downside is that sometimes the dynamic capabilities of the engines are disabled so having this tool can help them, but it's not a silver bullet for them."

Image Credit: Christopher Elisan/RSA


Tool Type: Malware QA

How They're Using It: Attackers also use SaaS for quality assurance. NoVirusThanks is particularly popular as a cloud service for the bad guys because it contains an optional tick box that gives them the choice to not have the service distribute the sample being tested. That would be bad for the long-term competitiveness of the malware in question.

Image Credit: Christopher Elisan/RSA


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
