Thursday, August 23, 2007

the beneficiaries of malware kits

this is a little on the stale side (sometimes things just take a while to get done) but i was reading an article on dancho danchev's blog about the shark 2 diy malware kit and something struck me...

it's clear that malware kits benefit the less technically sophisticated attackers by making it easy for many people to create many new pieces of malware that no one has ever seen before (assuming no one else chose exactly the same options, which actually seems unlikely)... it's also clear that enabling these profit-driven versions of script kiddies can serve to draw attention away from the activities of the more sophisticated cyber criminals, but would you believe anti-malware companies can benefit too?

if you look at how well malware creation kits have fared in the past it becomes clear that malware produced by a kit doesn't provide much of a challenge... this isn't because the malware doesn't have features that would serve conventional malware well in the wild, it's because it came from a kit and the kit itself became known... as an example, back in the day i spent some time (a couple of weeks maybe?) observing a group of self-proclaimed virus writers whose entire stock of viruses was created using the nrlg virus creation kit - each and every one of them detectable, but not as distinct and individual viruses like you might expect, rather as nrlg-generated viruses... the thing about generated malware is that the options the kit exposes only vary a small part of the output, while the code the kit wraps around those options is the same every time, so once you know the generator you can predict and recognize all of its output... even if some twit goes to the trouble of creating 5,000 vcl/nrlg/whatever variants it poses no real problem for the av vendors...

now the newer kits like this shark 2 diy kit are professionally made and updated frequently, and you may think that would make things harder for the anti-malware vendors, what with there being multiple versions of the kit to deal with... consider how many different pieces of malware could be generated with all those different versions of the kit, however, and you'll soon see that adding detection for the output of each version of the kit (one signature per version) is faster/easier than analyzing each piece of output and adding detection for it individually (one signature per sample)...
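to make the point about generator-level detection (and about multiple kit versions) concrete, here's an added toy example... it is not code from the original post, nor anything from shark 2 or nrlg; the "kit" is a hypothetical generator that splices attacker-chosen options into a fixed per-version stub (an ascii placeholder standing in for the code a real kit wraps around its options), and all the samples are constructed inline... it compares one-hash-per-sample detection against one-pattern-per-kit-version detection over every output the toy kit can produce:

```python
import hashlib
import itertools
import re

# constructed toy "kit": each version has a fixed stub that every output
# shares; the attacker only gets to choose the options spliced in after it.
# nothing here is real malware, the stubs are ascii placeholders.
KIT_STUBS = {
    "v1": b"STUB-V1:load|decode|run|",
    "v2": b"STUB-V2:load|xor-decode|antidbg|run|",
}

# the option menu the toy kit exposes (constructed)
OPTIONS = {
    "persist": [b"reg", b"svc", b"task"],
    "c2": [b"http", b"irc"],
    "pack": [b"none", b"upx"],
}


def build_sample(version, persist, c2, pack):
    """what the toy kit emits for one choice of options."""
    return (KIT_STUBS[version] + b"persist=" + persist + b";c2=" + c2
            + b";pack=" + pack)


def all_samples():
    """every output the toy kit can produce across all of its versions."""
    for version in KIT_STUBS:
        for persist, c2, pack in itertools.product(*OPTIONS.values()):
            yield build_sample(version, persist, c2, pack)


# per-sample detection: you need one entry for each distinct output
def sample_hash(sample):
    return hashlib.sha256(sample).hexdigest()


# generator-level detection: one pattern per kit version, keyed on the
# invariant stub, so the attacker's option choices don't matter
GENERATOR_SIGS = {
    "v1": re.compile(rb"^STUB-V1:load\|decode\|run\|"),
    "v2": re.compile(rb"^STUB-V2:load\|xor-decode\|antidbg\|run\|"),
}


def classify(sample):
    """name the kit version that produced a sample, or None if no kit matched."""
    for version, pattern in GENERATOR_SIGS.items():
        if pattern.search(sample):
            return "kit-" + version
    return None


def compare():
    """how much detection data each approach needs to cover the whole kit."""
    samples = list(all_samples())
    hash_db = {sample_hash(s) for s in samples}
    return {
        "samples": len(samples),
        "hash_entries": len(hash_db),
        "generator_entries": len(GENERATOR_SIGS),
        "generator_detected": sum(1 for s in samples if classify(s)),
    }


def unseen_option_sample():
    """a sample built with option values the hash database never saw."""
    return build_sample("v2", b"wmi", b"dns", b"none")


if __name__ == "__main__":
    print(compare())
    hash_db = {sample_hash(s) for s in all_samples()}
    new = unseen_option_sample()
    print("hash db knows new sample:", sample_hash(new) in hash_db)
    print("generator sig names it:", classify(new))
```

the hash database has to grow by one entry for every option combination (and has nothing for a combination it hasn't seen yet), while the generator signatures stay at one per kit version and still catch a sample built with options that were never in the training set... a real engine would key on invariant instructions or decoder loops rather than an ascii prefix, but the shape of the problem is the same...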

so not only do kits optimize ease of malware creation, they optimize ease of mitigation as well... let this be a lesson to all you less skilled malware profiteers out there - if you can't make malware yourself then go find something else to do, because all the stealth and anti-debugging tricks in the world aren't going to help a piece of malware generated by a known algorithm... in the end you're probably just being used as a smokescreen by people with more technical expertise than you...
