Why Hackers Reuse Malware (helpnetsecurity.com) 27
Orome1 shares a report from Help Net Security: Software developers love to reuse code wherever possible, and hackers are no exception. While we often think of different malware strains as separate entities, the reality is that most new malware recycles large chunks of source code from existing malware with some changes and additions (possibly taken from other publicly released vulnerabilities and tools). This approach makes sense. Why reinvent the wheel when another author already created a working solution? While code reuse in malware can make signature-based detection methods more effective in certain cases, more often than not it frees up time for attackers to do additional work on detection avoidance and attack efficacy -- which can create a more dangerous final product.
There are multiple reasons why hackers reuse code when developing their own malware. First, it saves time. By copying code wherever possible, malware authors have more time to focus on other areas, like detection avoidance and attribution masking. In some cases, there may be only one way to successfully accomplish a task, such as exploiting a vulnerability. In these instances, code reuse is a no-brainer. Hackers also tend to reuse effective tactics such as social engineering, malicious macros and spear phishing whenever possible simply because they have a high rate of success.
Slashdot has jumped the shark (Score:1)
With this kind of utterly stupid article, Slashdot is no longer administered by anyone who gives a damn or even knows what that means.
Re: (Score:2)
Paging Ric Romero! Next do an article about how software teams like indoor plumbing.
D'oh (Score:5, Insightful)
Re: (Score:2)
Mmmm.... I don't think so.
It's not that they can't code. It's more that malware is a business. You get paid to crank out code, so you crank out code. And the great thing is that you don't need to service it past 2-3 days because nobody gives a shit about it any later.
It compiles. Ship it. Work on the next incarnation. Working a week longer means that the antivirus software can't detect your malware for 36 hours instead of 18. But in that week you could also crank out 5 more variants that can't be detected f
Re: (Score:3)
An entire summary repeating standard reasons why everyone reuses code. Must be a click-bait article. Thanks.
Probably also an explanation that I use the same sandwich bag for the new cheese when I've finished the old cheese. Because I cant be arsed getting another sandwich bag out of the cupboard when I've got a perfectly good one in front of me.
Why waste time? (Score:2)
Probably because if they were to rewrite whatever blocks of code they needed, they would end up with the same things: file system explorer routine, file scanner, encryptor/decryptor, anti-virus detectors, user-name scanners, event handlers for file system operations. By the time an optimizing compiler is finished, it might just end up the same code anyway. Why waste time?
Not that bacteria do any different:
https://www.newscientist.com/a... [newscientist.com]
Some even post their projects in public (Score:5, Funny)
Some malware authors even post their projects in public: https://github.com/microsoft [github.com]
Apparently anybody can submit issues, pull requests, and so on to ensure the world gets the benefit of high quality malware with all the goodness of open source.
Re: (Score:2)
Please mod parent +1 Informative.
I'd do it, if I had mod points.
(+1 Funny would also be appropriate - but I think the post deserves the "Informative" label. "Comedian" is an achievement without distinction hereabouts ... )
Re: (Score:2)
Rather makes "fingerprinting" difficult (Score:2)
That, or at least, makes it possible to say, "This code came from organization X because we found bits of code that we know at some point came from said X."
This should probably be a no-brainer, but it is not usually part of the general discourse.
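The attribution idea in the post above (shared code fragments pointing back to a known source) is what defenders' code-similarity tooling automates. The following is an added illustration, not code from the thread or from the Help Net Security report: it compares a new sample against known "families" by Jaccard similarity over byte n-grams and reports which family the sample shares the most fragments with. The "binaries" are constructed placeholder strings standing in for compiled routines; the family names, threshold and n-gram width are assumptions chosen for the demo.

```python
"""
Toy code-reuse fingerprinting (added example, not from the original page).

Idea: if malware authors recycle routines, a new sample will share long
byte sequences with an older family. Measuring the overlap of byte n-grams
gives a cheap first-pass attribution signal. Real pipelines work on
disassembled function bodies or basic-block hashes instead of raw bytes,
but the comparison logic is the same.
"""

# Constructed pseudo-"routines" standing in for compiled code (placeholders).
FILE_WALKER = b"walk_dir:opendir;readdir;stat;recurse;closedir;"
CRYPTO_LOOP = b"enc_loop:load_key;xor_block;rotate;store;next;"
AV_CHECK = b"av_check:enum_proc;match_names;sleep_if_found;"
LOGGER = b"keylog:hook_kbd;buffer;flush_to_c2;"

# Constructed reference set: family name -> bytes of a known sample.
KNOWN_FAMILIES = {
    "FamilyA": FILE_WALKER + CRYPTO_LOOP + AV_CHECK,
    "FamilyB": LOGGER + AV_CHECK,
}

# Constructed "new" sample: recycles two FamilyA routines plus a fresh stub.
NEW_SAMPLE = FILE_WALKER + CRYPTO_LOOP + b"new_stub:beacon;jitter;"


def ngrams(data: bytes, n: int = 8) -> set:
    """Set of all overlapping n-byte windows in `data`."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """Jaccard similarity |a & b| / |a | b|; 0.0 for two empty sets."""
    union = a | b
    if not union:
        return 0.0
    return len(a & b) / len(union)


def rank_families(sample: bytes, families: dict, n: int = 8) -> list:
    """Return [(family, similarity), ...] sorted from most to least similar."""
    sample_grams = ngrams(sample, n)
    scores = [
        (name, jaccard(sample_grams, ngrams(code, n)))
        for name, code in families.items()
    ]
    return sorted(scores, key=lambda item: item[1], reverse=True)


def shared_fragment_count(sample: bytes, family_code: bytes, n: int = 8) -> int:
    """How many distinct n-grams the sample and a known family have in common."""
    return len(ngrams(sample, n) & ngrams(family_code, n))


def attribute(sample: bytes, families: dict, threshold: float = 0.3) -> str:
    """Best-matching family if its similarity clears `threshold`, else None.

    The threshold is an assumption for this demo; in practice it is tuned
    against a corpus so that generic library code does not trigger matches.
    """
    best_name, best_score = rank_families(sample, families)[0]
    return best_name if best_score >= threshold else None


if __name__ == "__main__":
    for name, score in rank_families(NEW_SAMPLE, KNOWN_FAMILIES):
        shared = shared_fragment_count(NEW_SAMPLE, KNOWN_FAMILIES[name])
        print(f"{name}: similarity={score:.2f} shared_8grams={shared}")
    print("attributed to:", attribute(NEW_SAMPLE, KNOWN_FAMILIES))
```

Because the reused routines dominate the new sample's bytes, FamilyA scores well above FamilyB even though the sample also carries code neither family has. The same overlap is what makes the commenter's point cut both ways: a high shared-fragment count is evidence of a common origin, but it can equally reflect a copied public tool, so the threshold and the reference corpus matter more than the metric.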
Re: (Score:2)
Nobody outside some TLAs gives half a fuck whether the malware is from Russia, Zimbabwe or Generistan. What we care about is that it doesn't affect us.
DaFuq? (Score:5, Insightful)
This is useful for security folks (Score:2)
I'm glad the bad guys do this. Most rootkits reuse some very old code that has a subtle effect which I can recognize immediately after I log into a system. I'll login for whatever reason, maybe to see why Apache isn't responding or whatever, and within a couple seconds I can announce "you have a root kit", without even doing anything to explicitly look for one. I hope rootkits keep using that old code forever. It makes them so easy to spot, without even looking for them, if you know what the signal is.
This is news? (Score:3)
Back 10 years ago when I was last analyzing malware for a living, we already had this phenomenon where you would find certain "tricks" in various bits of malware. Aside of packers and other attempts to keep you from spotting the malware, there have always been (commercial and free) code snippets that were widely used.
Especially today when malware is no longer an "artform" where some self appointed genius feels that urge to show the world just how clever he is, writing the n-th polymorphing worm but rather commercial software not unlike any other, the makers of said software simply don't have the luxury anymore to puzzle and tinker with it for months to get the "perfect" malware done that will thwart all your attempts to detect it for all eternity because (insert random reason here).
You have to understand how the malware business works (something our politicians fail at routinely whenever they dream up some "state controlled trojan"). Unless you're spear phishing, the malware business does not target anything. It's not a sniper gun. It's more a cluster bomb, not caring what it hits. So it goes for the soft targets, the users without a clue and without sensible antivirus protection. And for them you don't need a highly sophisticated, well crafted trojan making use of multiple 0days you got from your buddy at some TLA. What you need for them is any old trick. Yes, a current AV would detect it and a well patched system wouldn't be susceptible, and 9999 of 10000 systems are not vulnerable.
But since you're targeting 100 million machines...