Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

Go Malware is Now Common, Having Been Adopted by Both APTs and E-crime Groups (zdnet.com) 22

The number of malware strains coded in the Go programming language has seen a sharp increase of around 2,000% over the last few years, since 2017, cybersecurity firm Intezer said in a report published recently. From a report: The company's findings highlight and confirm a general trend in the malware ecosystem, where malware authors have slowly moved away from C and C++ to Go, a programming language developed and launched by Google in 2007. While the first Go-based malware was detected in 2012, it took, however, a few years for Golang to catch on with the malware scene. "Before 2019, spotting malware written in Go was more a rare occurrence and during 2019 it became a daily occurrence," Intezer said in its report. But in the new report, Golang (as it's often also referred to instead of Go) has broken through and has been widely adopted. It is used by nation-state hacking groups (also known as APTs), cybercrime operators, and even security teams alike, who often used it to create penetration-testing toolkits.
This discussion has been archived. No new comments can be posted.

Go Malware is Now Common, Having Been Adopted by Both APTs and E-crime Groups

Comments Filter:
  • Stories that post a percentage change without stating numbers are not worth reading.

    • If you are talking malware or spam, percentage is the only number that makes sense. If you say we've seen 2 million instances of Go malware when last year we only saw 100k instances, you would have to also include the size of your honeypot, etc.. and even then it is basically meaningless. What should have been included though is the percentage of the total not a percentage increase. Going from 1 to 20 is a 2000% increase but might not mean much and going from 0 to 1 is an infinite increase. They did men

      • by malkavian ( 9512 )

        Nope. They're talking about strains of it. This is a distinct number, and meaningless as a percentage.
        If your base metric was that "There is one malware entity coded in Go" several years ago, then there are now 20 of them. This is still insanely rare on the Malware front.
        If your base metric was that "There are 100,000 strains of malware coded in Go" several years ago, then they're now in the millions, which is common. You're missing instances with strains, and strains is what is specifically mentioned i

        • If your base metric was that "There are 100,000 strains of malware coded in Go" several years ago, then they're now in the millions, which is common. You're missing instances with strains, and strains is what is specifically mentioned in the article.
          This type of increase is only of any merit whatsoever when absolute numbers are referred to, as otherwise there's no ability to evaluate impact. So, as the OP said, it's worthless.

          Absolute numbers are still basically worthless to anyone not in the field. 10k sounds like a lot, but is it? I don't know. If there are 1M strains of c++ then not so much. What is needed is what percentage of the total is it. If golang malware increases it's share of the total from 0.01% to 0.2% then it's probably not significant. If on the other hand it goes from 0.1% to 2% then maybe it is significant and if it goes from 1% to 20% of total malware then it is very significant.

      • If you are talking malware or spam, percentage is the only number that makes sense.

        They aren't talking about percentage. They are talking change percentage which is very different.

        Going from 1 to 20 is a 2000% increase but might not mean much

        This is why talking about a change percentage is worthless. If there was 1 in 2017 and 20 now, that is a 2,000% increase. If there 10,000 and there are now 200,000, that is also a 2,000% increase. But, the former is an insignificant change to the percentage of malware written in Go while the later is most-likely a significant change.

  • Programmers: GO is an effective systems language.
    Malware authors: GO is an effective systems language.
    Anyone surprised?
    • That would make an excellent commercial: 9 out of 10 criminals recommend Go!
    • by Entrope ( 68843 )

      I am surprised, although not shocked. Go binaries are statically linked. On the one hand, this means they don't care what distribution they run on, have minimal dependencies on kernel versions, and are immune to protections based on loading or interposing shared libraries, which is good for malware. On the other hand, every executable file needs to include all of Go's own runtime that it uses, so the executable files tend to be rather large, which is bad for malware.

      • by Junta ( 36770 )

        I think the 'don't care what libraries are there' trumps the size benefit for this application.

        Sure, 'hello world' binary grows from 17k to 2.0MB, but even that 2.0MB isn't actually too noticeable a penalty for a single piece of malware to suffer, and it can run even if the target libraries aren't quite what they were expecting.

    • Re:Not Surprised (Score:4, Interesting)

      by kot-begemot-uk ( 6104030 ) on Monday March 01, 2021 @12:46PM (#61111908) Homepage
      No. You missed the biggest reason though which has nothing to do with the one you stated.

      Go is the packager and maintainer's nightmare because of one of its other properties - in its normal mode of operation it builds a gigantic static binary. There are no dependencies, no dynamic linking. You fire up the compiled result and it "just works".

      This is the nightmare of package maintainers across all major linux distributions. They are still grappling with how exactly to fit go into their distro structure and ensure dependencies are met along with sane executable sizes, etc.

      This is the malware writer wet dream. They do not need to drag in c++ runtime, etc while still having a very reasonable size for a static executable.

      • It's not about the size, it's about having to rebuild the world every time one of compiled-in libraries has a bugfix, security or not.

  • by account_deleted ( 4530225 ) on Monday March 01, 2021 @11:49AM (#61111634)
    Comment removed based on user account deletion
  • Exploiters spend the time to try and exploit it to make a buck.
  • Going from nothing to something. Wow!

  • Go is just new and sexy. I'd bet that the a-holes that write malware would use any language that could be used to take advantage of a flaw in the underlying system. There are probably some clever enough to use COBOL to do that.

  • Poor Debian!

  • Why did the writer resort to "2,000% increase ... over the past few years?" 2000% increase says little (could be 1 to 21 strains) and "few years"? It's not just the subtitle, either, the rest of the article doesn't give any indication of the actual number either.

    That's with the source material stating early on, "In total, roughly 10,700 unique malware samples written in Go were obtained" (although the writers states that only 75%, around 8000, were actual malware), and concludes with "Looking at the specifi

You are in a maze of little twisting passages, all different.

Working...