How To: Security-Oriented C Tutorial 0xFF - An Introduction to Malware

Welcome to an introduction on writing basic malware, an optional sub-series in which I expose you to malware and its technologies. This is written for those who wish to seek a beginning in malware analysis or enlightenment on the subject. We will be justifying the writing and covering types of malware.

Justification

Malware is a bad thing, right? Why are we discussing the authoring of such terrible content? Why are we even thinking about it in the first place?

Malware are objects, tools if you'd like. Like all tools, they do not harm anybody in its resting state but instead, the ultimate purpose of a tool is what its handler grants it. Given a malicious user using malware, of course it will be something no one would want, especially the victim. If a non-malicious user utilizes it, it might not cause any damage. A non-malicious use of malware, you say? The incredibly popular Metasploit Framework is a tool which generates these payloads which are malware (if you did not already know). Using such malware, penetration testers are able to examine the vulnerability of a system, i.e. a non-malicious use.

But using malware is different from writing malware! Well, those who build the Metasploit Framework are able to provide its users the convenience of a packaged and readily-available set of exploits required to assess a system.

Another reason why writing malware can be justified is to create "proof-of-concepts" which is a theory to demonstrate the possible potential of infecting and/or damaging a system. Such ideas or creations can be used to identify and repair the vulnerability which allowed the intrusion.

To be able to combat malware, we must first understand how malware works, how they survive and how they behave. A good way to do this is by exposing ourselves to them just as penetration testers expose themselves to attacking machines. We must know the technology that exists which allows malware to do what they can do and from that, we will be able to familiarize ourselves with the common behaviors so that we can identify and analyze them with reverse engineering methods.

Defining Malware

Malware comes in many forms and unfortunately, not many people can differentiate them from one another. It is common for technically incompetent users to merge the entire spectrum of malware into the virus category just as they often automatically define a hacker as malicious. Although it's unnecessary for the average to understand the differences, as we will be creating them, it's best that we should so before we begin, we must be able to tell them from one another through their unique behaviors which define them under certain categories.

The following sections which define types of malware contain extracts from Reverend Bill Blunden 's The Rootkit Arsenal, Escape and Evasion in the Dark Corners of the System.

Infections Agents

Worms and Viruses are types of malware which exist to replicate. Like biological viruses, they attack parts of the infected system to allow themselves to reproduce. This is the most basic requirement to be defined under these two categories.

Worms are required to be self-propagating and "do not require explicit user interaction" meaning that they can execute without the victim needing to launch it themselves. This is what separates a virus from a worm.

Adware and Spyware

Adware are programs which display advertisements to the victim once it has been placed within the system and activated either by launching the program or having it be installed. Note that they do not necessarily have to be malicious.

In some cases, adware can cross over to a category known as spyware which are programs which tracks information of the victim "without their informed consent". This may include things such as search phrases for advertisement purposes to keystrokes for sensitive personal information.

Note: For clarification on the Windows 10 operating system tracking information of their users, it is not considered spyware because it is explicitly stated within the Privacy Statement that they may collect data, i.e. giving informed consent.

Botnets

"A botnet is a collection of machines that have been compromised (aka zombies) and are being controlled remotely by one or more individuals (bot herders)". The botnet is controlled through a Command and Control server(s) which can range from a web server to IRC channels where instructions may be deployed to each of the infected machines.

"Bot software is usually delivered as an extra payload with a virus or worm. The bot herder "seeds" the Internet with the virus /worm and waits for the crop to grow. The malware travels from machine to machine, creating an army of zombies. The zombies log on to a C2 server and wait for orders. Users often have no idea that their machine has been turned, though they might notice that their machine has suddenly become much slower as they now share the machine's resources with the bot herder."

Understanding Rootkits

Rootkits are software which conceals other files. Unlike spyware which simply attempt to hide, they are able to provide "sustained covert access", evading detection by the operating system itself or other software such as antiviruses, i.e. activity is "extremely difficult to detect".

Rootkits are unlike malware since they do not actually have any malicious intent although the file which it hides may very well be. The rootkit is solely a "force multiplier" on which malware can benefit. Think of it like a proxy. A proxy "hides" a user on the network however, whether the intent to do is malicious or not, the proxy is not malicious itself.

Conclusion

In the next tutorial, we will be creating our first basic malware. If you have yet to complete the tutorials up to and including Tutorial 0x15 - File I/O, I recommend doing so.

dtm.