BSides LV Life’s tough as a malware developer. If the cops or Feds don't collar you, your fellow scumbags will screw you over – or perhaps both will happen.
In a presentation at the Bsides Las Vegas hacking conference today, Winnona DeSombre, an analyst at threat-intelligence biz Recorded Future, detailed a year-long probe into dark and public web forums and chat rooms where malware writers hang out. What she saw, during the course of the investigation that ended May 2019, was a constant fight between people who write malware and those who crack it and sell it on themselves or just give it away.
Software nasties are pirated by crooks and redistributed just like legit applications, in other words. Malware development is not immune to piracy.
“Piracy is bad, you should never do it,” said DeSombre, somewhat tongue in cheek, as she explained how it‘s causing a headache for malware authors.
By way of example, she laid out the rise and fall of a trojan called AZORult, which harvests passwords, cookies, web browsing histories, and other personal data from infected Windows computers. It is typically used as a second stage – ie: it’s deployed once a computer is already compromised to thoroughly vacuum up information. AZORult could be purchased from its creator, and proved so popular that pirates weighed anchor and sailed off with a cracked version of it.
The first bootleg versions started to appear a few months after the initial release, when parts of the source code leaked. The original creator updated the software, adding new features and faster data exfiltration, but the pirates moved in again and released their own updated version, and finally the original seller quit the market.
Confession: I was a teenage computer virus writerREAD MORE
Cracked malware, as you can imagine, was rather popular on these underground forums, DeSombre said, and cut into the sales and revenue of professional malware writers who treated their malicious code to regular feature updates, bug fixes, and user support.
She also noted that malware writers exploit the media to push their products. She revealed forum postings advertising software nasties that linked to articles by security journalists reporting on that very malware. The developers of the devilish code hoped to use the news coverage to show off their creations' influence and power. It was all part of the buzz-generation machine malware sellers used to flog their software.
Another popular tactic by malware vendors is search engine optimization (SEO). Sellers crafted packages or bundles of malware for SEO purposes, listing off as many components as possible to catch all the keywords and appear high in search results, even adding free code to sweeten the pot. It was, and still is, all about selling code to script kiddies as quickly as possible.
You may be interested to know that a lot of the ransomware, trojans, and similar gremlins discussed by hacker forums are old, in some cases more than three years old, and are defeated by installing the latest security patches from operating system vendors and other software makers. In other words, aging file-scrambling malware that rely on vulnerabilities for which patches have been available for months or years are pwning victims, and not elite zero-day-exploiting tools fresh out of the compiler.
A case in point is the njRAT trojan, which first surfaced in 2012. Despite its age, and the fact that most antivirus software kills it on sight, the malware is still immensely talked about and sold online.
“njRAT, for some reason, is going to be popular until the end of time,” DeSombre noted. ®