Why Hackers Reuse Malware

Orome1 shares a report from Help Net Security: Software developers love to reuse code wherever possible, and hackers are no exception. While we often think of different malware strains as separate entities, the reality is that most new malware recycles large chunks of source code from existing malware with some changes and additions (possibly taken from other publicly released vulnerabilities and tools). This approach makes sense. Why reinvent the wheel when another author already created a working solution? While code reuse in malware can make signature-based detection methods more effective in certain cases, more often than not it frees up time for attackers to do additional work on detection avoidance and attack efficacy -- which can create a more dangerous final product.

There are multiple reasons why hackers reuse code when developing their own malware. First, it saves time. By copying code wherever possible, malware authors have more time to focus on other areas, like detection avoidance and attribution masking. In some cases, there may be only one way to successfully accomplish a task, such as exploiting a vulnerability. In these instances, code reuse is a no-brainer. Hackers also tend to reuse effective tactics such as social engineering, malicious macros and spear phishing whenever possible simply because they have a high rate of success.
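The summary's point that reused code fragments can make signature-based detection more effective (and, as a commenter notes below, support attribution) is easy to see in code. The following is an added example, not from the Help Net Security report or any commenter: it mines byte n-grams shared by every sample of a constructed "family", discards n-grams that also occur in a constructed benign corpus (a compiler prologue, for instance), and uses what remains as a signature; all byte strings are constructed stand-ins for unpacked binaries.

```python
from collections import Counter

N = 6  # n-gram width in bytes; 6 is a common compromise between specificity and recall

# Constructed routine that three samples of one "family" reuse verbatim (hypothetical bytes).
REUSED_CHUNK = b"\x55\x8b\xec\x83\xec\x10\xe8\x00\x00\x00\x00\x5b\x81\xeb"
FAMILY = [
    b"\x90\x90" + REUSED_CHUNK + b"\x31\xc0\xc3",
    b"\xcc\xcc\xcc" + REUSED_CHUNK + b"\x40\x48\xc3",
    REUSED_CHUNK + b"\x50\x58\xc3\x90",
]
# Constructed benign corpus: the first entry shares the function prologue with REUSED_CHUNK,
# so that prologue must not end up in the signature.
BENIGN = [b"\x55\x8b\xec\x83\xec\x10\x31\xc0\xc3", b"\x90\x90\x90\xc3"]


def ngrams(data, n=N):
    """Every n-byte window of data (empty set if data is shorter than n)."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def common_ngrams(samples, n=N):
    """n-grams present in every sample: the reused code shows up here."""
    counts = Counter()
    for s in samples:
        counts.update(ngrams(s, n))
    return {g for g, c in counts.items() if c == len(samples)}


def build_signature(family, benign, n=N):
    """Family-wide n-grams minus anything also seen in benign code."""
    noise = set().union(*(ngrams(b, n) for b in benign))
    return common_ngrams(family, n) - noise


def matches(signature, sample, threshold=2):
    """Flag a sample when at least `threshold` signature n-grams occur in it."""
    hits = sum(1 for g in signature if g in sample)
    return hits >= threshold


def reuse_ratio(sample, family, n=N):
    """Fraction of the sample's n-grams seen anywhere in the family (attribution hint)."""
    known = set().union(*(ngrams(s, n) for s in family))
    own = ngrams(sample, n)
    return len(own & known) / len(own) if own else 0.0


if __name__ == "__main__":
    sig = build_signature(FAMILY, BENIGN)
    new_sample = b"\x00\x11" + REUSED_CHUNK + b"\xc3"  # constructed: new variant, old routine
    print(len(sig), matches(sig, new_sample), reuse_ratio(new_sample, FAMILY))
```

The benign filter is what keeps the detection honest: without it the shared compiler prologue would enter the signature and match clean binaries.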

  • by Anonymous Coward

    With this kind of utterly stupid article, Slashdot is no longer administered by anyone who gives a damn or even knows what that means.

  • D'oh (Score:5, Insightful)

    by Obfuscant ( 592200 ) on Monday November 20, 2017 @07:38PM (#55591277)
    An entire summary repeating standard reasons why everyone reuses code. Must be a click-bait article. Thanks.
    • by mjwx ( 966435 )

      An entire summary repeating standard reasons why everyone reuses code. Must be a click-bait article. Thanks.

      Probably also an explanation that I use the same sandwich bag for the new cheese when I've finished the old cheese. Because I can't be arsed getting another sandwich bag out of the cupboard when I've got a perfectly good one in front of me.

  • Probably because if they were to rewrite whatever blocks of code they needed, they would end up with the same things: file system explorer routine, file scanner, encryptor/decryptor, anti-virus detectors, user-name scanners, event handlers for file system operations. By the time an optimizing compiler is finished, it might just end up the same code anyway. Why waste time?

    Not that bacteria do any different: []

  • by El Cubano ( 631386 ) on Monday November 20, 2017 @07:56PM (#55591383)

    Some malware authors even post their projects in public: []

    Apparently anybody can submit issues, pull requests, and so on to ensure the world gets the benefit of high quality malware with all the goodness of open source.

    • by thomst ( 1640045 )

      Please mod parent +1 Informative.

      I'd do it, if I had mod points.

      (+1 Funny would also be appropriate - but I think the post deserves the "Informative" label. "Comedian" is an achievement without distinction hereabouts ... )

    • Why am I not surprised that they've settled at the hub for gits?
  • That, or at least, makes it possible to say, "This code came from organization X because we found bits of code that we know at some point came from said X."

    This should probably be a no-brainer, but it is not usually part of the general discourse.

    • Nobody outside some TLAs gives half a fuck whether the malware is from Russia, Zimbabwe or Generistan. What we care about is that it doesn't affect us.

  • DaFuq? (Score:5, Insightful)

    by Snotnose ( 212196 ) on Monday November 20, 2017 @08:43PM (#55591587)
    Change the 10% that gets you into your target, reuse the 90% that's been proven to work. This is a story because.......?
  • I'm glad the bad guys do this. Most rootkits reuse some very old code that has a subtle effect which I can recognize immediately after I log into a system. I'll login for whatever reason, maybe to see why Apache isn't responding or whatever, and within a couple seconds I can announce "you have a root kit", without even doing anything to explicitly look for one. I hope rootkits keep using that old code forever. It makes them so easy to spot, without even looking for them, if you know what the signal is.

  • by Opportunist ( 166417 ) on Tuesday November 21, 2017 @08:53AM (#55593897)

    Back 10 years ago when I was last analyzing malware for a living, we already had this phenomenon where you would find certain "tricks" in various bits of malware. Aside from packers and other attempts to keep you from spotting the malware, there have always been (commercial and free) code snippets that were widely used.

    Especially today, when malware is no longer an "artform" where some self-appointed genius feels the urge to show the world just how clever he is by writing the n-th polymorphing worm, but rather commercial software not unlike any other, the makers of said software simply don't have the luxury anymore to puzzle and tinker with it for months to get the "perfect" malware done that will thwart all your attempts to detect it for all eternity because (insert random reason here).

    You have to understand how the malware business works (something our politicians routinely fail at whenever they dream up some "state controlled trojan"). Unless you're spearphishing, the malware business does not target anything. It's not a sniper gun. It's more a cluster bomb. Not caring what it hits. So it goes for the soft targets, the users without a clue and without sensible antivirus protection. And for them you don't need a highly sophisticated, well crafted trojan making use of multiple 0days you got from your buddy at some TLA. What you need for them is any old trick. Yes, a current AV would detect it and a well patched system wouldn't be susceptible, and 9999 of 10000 systems are not vulnerable.

    But since you're targeting 100 million machines...
