Malware analysts tell crooks to shape up and write decent code

Blackhats beware: reverse engineers are laughing at your buggy advanced persistent threat (APT) malware.

You've done pretty well though: your custom payloads were effective at breaking into enterprises and the damage it did was quite devastating.

But many were being found and added to anti-malware signatures all too quickly.

Take a tip from the enemy, FireEye reverse engineer Richard Wartell, who while dressed in a 'dog scientist' lab coat laughed at your mistakes at a gathering of security professionals in Washington.

"Probably the hardest APT fail I've seen are the guys who built this really impressive malware and couldn't work out why they couldn't access their backdoors," Wartell said.

Your particular piece of malware appended its evil domain at the end of file as an encoded string, and it searched file handles for a file of a specific size. You messed up however, when you changed the encoded domain making it a different length and rendering your multiple enterprise backdoors inaccessible.

The enemy: (l-r) FireEye malware engineers Matthew Graeber, Richard Wartell, and Michael Sikorski.

Another piece of APT wizardry showed your tendency to over-engineer. This "cool" piece of C++ malware contained an entire shell inside the binary which had not just a few commands, but the full suite, plus extras like ipconfig and netcat, just for kicks.

"A ridiculous amount of code to put in a backdoor," Wartell said. "The amount of time that went into this was really impressive, but whether it was necessary? Well, if you just created a reverse-shell in like 100 lines of code all of that work would be pretty much done for you."

There's a perennial maxim in cryptography that you should not roll your own. There were, as Wartell pointed out, more intelligent people than us who have developed what were our best cryptographic schemes over the last century. Yet you continued, to the reversers' glee, to roll your own weaker, buggier flavours.

Point of Sales malware is the new black and it made sense that you would work on a cash-rich target. Your kernel malware which unpacked itself before injecting shellcode into three different userland processes was impressive, especially because it crashed and vanished leaving only evil shellcode running in legitimate processes.

"It was really impressive piece kernel malware ... but it was hidden on the system in some pretty ridiculous ways," Wartell said. "First of all it was an unsigned kernel driver, and that stands out like a sore thumb, and second its service name was a random character string - probably hundreds of hours went into building this thing but now anyone could spot that name, something like 'Microsoft-random number-support'."

Don't despair, vxer, there's hope. Hope in the form of #ifdef statements.

"Do a little better, try a little harder. Wrap your stuff in #ifdef statements -- it takes like five seconds and it will get rid of the things you don't want me to see," Wartell said.

Apply the crypto maxim to packers and stop building your own "hilariously" broken code, and instead use tried and tested off-the-shelf options like Themida and VMProtect.

More fundamentally, stop being lazy programmers. Your malware was in the hands of intelligent reverse engineers more quickly than the time it took you to write it so you need to find better ways to hide. "Make it look benign, don't let it touch the disk."

You could take lesson from crimeware writers too. Those folks created less damaging malware that targeted everybody, everywhere, in a bid to hose as many bank accounts and credentials as possible. They had to hide to survive.

Some truly divergent thinking came from PhishMe senior researcher Ronnie Tokazowski. He discovered the highly complex Dyre corporate crimeware trojan last month after it was reported by a customer sniffing about cloud services, and was patiently awaiting hate mail from the author whose work was now down the toilet.

If he were an APT author, Tokazowski told Vulture South, he would chat to the crimeware authors about their obfuscation tricks. In exchange he'd share some payload tips which could make a reverse engineers' work a lot more interesting.

"APT authors don't care enough to take any of this advice," Wartell said. "All the stuff they build works, so they don't tend to care." ®

Darren Pauli travelled to Washington DC as a guest of FireEye.