Friday, September 16, 2011

Malware Evolution


The news and discoveries surrounding the Stuxnet attacks have practically opened the gates to a whole new generation of malware. Stuxnet showed a level of complexity, technique, and, most importantly, intent that had never been observed before in the antivirus industry, and it did much to bring the term APT into common use.

Malware History

Back in the days of DOS, computer security was as easy as keeping the computer lab doors locked. Computers played a very minimal part in our lives and businesses and were seen as just tools for crunching numbers or drafting and printing documents. Nevertheless, this simple setting produced the very first types of malware, which we can still see today: trojans and viruses.

Trojans are programs that pose as something useful while doing something malicious on your computer. Back in the day, malicious intent on a computer often just meant showing annoying stuff on screen, giving the malware writer bragging rights for the world to see.

During those times, machines were mostly isolated and access was limited to the people in their vicinity. The virus was the first type of malware on these machines to exhibit propagation capabilities. It is a program that is able to attach itself to another program without destroying the host, thus the name virus. With this capability it is able to spread to different computers without the user's knowledge, carried along whenever the host is copied. Every time the host program is executed, the virus code is executed as well, enabling it to infect other files and deliver its payload.
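The mechanism in the paragraph above, an infector prepending itself to a host that still runs normally and spreading each time the host runs, together with the check that catches it, a hash baseline taken while the system is clean. This is an added example written for this page, not code from the original post; the toy "programs" are byte strings standing in for DOS executables, and the filenames and contents are constructed:

```python
import hashlib

# Constructed toy file system: each "program" is a byte string standing in for a
# DOS executable. Names and contents are made up for this example.
MARKER = b"<stub>"   # the viral stub that gets prepended to every host it infects


def make_clean_fs() -> dict:
    return {
        "calc.com": b"CALC program code",
        "edit.com": b"EDIT program code",
        "game.com": b"GAME program code",
    }


def is_infected(data: bytes) -> bool:
    return data.startswith(MARKER)


def infect(data: bytes) -> bytes:
    """Prepend the stub to a host. The host's own code is kept intact after the
    marker, which is what lets the host keep working and the infection go unnoticed."""
    return data if is_infected(data) else MARKER + data


def run(fs: dict, name: str) -> str:
    """Simulate executing a program. If it carries the stub, the stub runs first,
    infects every other clean program it can reach, then hands control to the host."""
    data = fs[name]
    if is_infected(data):
        for other, other_data in fs.items():
            if other != name and not is_infected(other_data):
                fs[other] = infect(other_data)
        data = data[len(MARKER):]           # host code runs as if nothing happened
    return data.decode()


def baseline(fs: dict) -> dict:
    """Integrity baseline: hash of every file taken while the system is known clean."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in fs.items()}


def integrity_check(fs: dict, base: dict) -> list:
    """Files whose current hash no longer matches the baseline, i.e. modified files."""
    return sorted(name for name, data in fs.items()
                  if hashlib.sha256(data).hexdigest() != base.get(name))


def demo() -> list:
    fs = make_clean_fs()
    base = baseline(fs)
    fs["calc.com"] = infect(fs["calc.com"])   # one infected copy arrives from outside
    run(fs, "calc.com")                        # the user runs it; it works, and spreads
    return integrity_check(fs, base)           # ['calc.com', 'edit.com', 'game.com']
```

The point of the baseline is that the infector leaves the host runnable, so nothing visible breaks; only a comparison against hashes taken when the system was clean shows that three files changed when the user only ran one.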

The DOS era saw very few malware samples compared to their numbers today. Viruses, specifically, were limited simply because they are very hard to code. Creating just a single virus took skill and dedication, not to mention advanced knowledge of binary file structures and operating system intricacies.

Windows, The Internet, and Electronic Mail

With the dawn of Windows came the rise in popularity of high-level languages. Computer science became a popular subject and the software industry became big business. Suddenly, computers started playing bigger roles in our everyday lives, and one of their major contributions was improving communications.

The internet made sharing information faster. It also brought electronic mail to the masses, and with email came spam and worms. This new method of propagation by means of email gave malware writers the ability to spread their malicious programs faster and farther, reaching thousands of computers in different parts of the world within hours. The amount of malicious software multiplied because of the boom in computer science: high-level programming languages are easier to learn than assembly language, and more people started coding.

More and more computers were connected to the internet, and thus more endpoints became accessible to attackers. One other type of malware created to take advantage of this interconnectivity is the backdoor. Backdoors have basically one mission: to install themselves on computers and give control to the malware writer. Once in control, the attacker can do anything on the system, from stealing information to accessing the local network. Given worms and backdoors, attackers now had the basic tools for hacking.

Web 2.0

As the internet grew it became available to practically everyone, and with Web 2.0 (internet content created by the users) more and more people started going online on a regular basis. Websites became the next big thing, and scripting languages came into the spotlight as the dominant languages used on the web.

With their popularity, websites became a major delivery vector for modern malware. Drive-by infections, which exploit vulnerabilities in the browser and its plugins, were effective enough that users just surfing the internet got infected simply by viewing a website, and cross-site scripting let attackers push malicious script through otherwise trusted sites. Malware delivered through these techniques came to be known as web threats.

A grey area in the malware landscape also started to pop up at some point, giving rise to adware and spyware. These two types were initially seen as not as harmful as the others: adware being a script or program that displays ads on your computer, and spyware being a monitoring application that sits in the background sending information about your computer use habits to servers. Eventually users came to regard them as unwanted programs, and they were categorized as greyware.

Organized Cyber Crime

With all of these different types of malware coming out, people would think that the antivirus industry already had its hands full. But things were just starting to get organized in the malware-writing community: blended threats. The bad guys decided to work together and combine these different malware techniques. We no longer see individual malware files, but multi-component malware infections. We suddenly encounter infections that arrive through a drive-by, propagate through the local network like a virus, install a backdoor on each infected computer, and then send worm emails to every person in the local address book, with all of these actions hidden from the user by a rootkit component.

People started seeing profit in the malware business. It was no longer about bragging rights but about getting rich. They started to invest money, people, and skills. These efforts produced the packers and malware kits that gave the malware community the ability to speed up malware creation and multiply the number of malicious files exponentially: the same payload, re-packed or re-encrypted with a different key on every build, yields a file that matches none of the signatures written for its predecessors. They started to mass produce, much like a factory, giving the antivirus community one big headache.
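To make the packer point concrete, here is an added example (written for this page, not code from the original post) of what a kit does to the same payload on every build and why a hash signature written for one sample never matches the next. The payload is a constructed stand-in string, the packer is a toy XOR scheme with a made-up "PK" header, and the entropy function is the usual heuristic analysts use to flag packed files:

```python
import hashlib
import math
import os

# Constructed stand-in for a malicious payload (plain text here; a real one is
# machine code). This is example data, not anything from the original post.
PAYLOAD = b"payload: connect to C2 and await commands " * 4


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: roughly 4-5 for text or code, close to 8
    for encrypted or compressed data. A common heuristic for spotting packed files."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pack(payload: bytes, key: bytes) -> bytes:
    """Toy packer: XOR the payload with a per-build key and store the key in a small
    header so an unpacking stub can recover it. A fresh key per build gives a
    byte-for-byte different file each time, so a hash signature never matches twice."""
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return b"PK" + bytes([len(key)]) + key + body


def unpack(packed: bytes) -> bytes:
    """What the unpacking stub does at run time: read the key, restore the payload."""
    if packed[:2] != b"PK":
        raise ValueError("not a packed sample")
    klen = packed[2]
    key = packed[3:3 + klen]
    body = packed[3 + klen:]
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


def build_variants(payload: bytes, count: int, key_len: int = 16) -> list:
    """Mass-produce variants the way a kit would: same payload, new key every time."""
    return [pack(payload, os.urandom(key_len)) for _ in range(count)]


def hash_signature_hits(samples: list, known_hashes: set) -> int:
    """How many samples a purely hash-based signature database would catch."""
    return sum(1 for s in samples if sha256(s) in known_hashes)


def demo(count: int = 50) -> dict:
    variants = build_variants(PAYLOAD, count)
    known = {sha256(variants[0])}          # AV has a signature for the first sample seen
    return {
        "unique_hashes": len({sha256(v) for v in variants}),
        "signature_hits": hash_signature_hits(variants, known),
        "same_payload": all(unpack(v) == PAYLOAD for v in variants),
        "payload_entropy": round(entropy(PAYLOAD), 2),
        "packed_entropy": round(entropy(variants[0]), 2),
    }
```

Fifty builds give fifty distinct hashes, a signature for the first catches exactly one of them, and every one unpacks to the identical payload; the jump in entropy from text-like to near-random is what an analyst looks at instead of the hash.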

Advanced Persistent Threats

Now we are at the dawn of a new malware breed, the next stage in its evolution. After organized cyber crime, the underground malware organizations are now starting to get hired.

Before, they earned money by spreading their malware to as many computers as possible and installing backdoors; the networks of machines under their control came to be known as botnets. They were then free to steal information from the infected machines, like usernames, passwords, telephone numbers, etc., and sell it on the black market to the highest bidder.

But nowadays they are starting to take a role more like that of an assassin. Why take their chances on malware propagation, when the money is sure if you get hired to do a single job? One task to do, one target, and they get paid. This is the concept of a targeted attack.

Now, underground organizations are homing in on this cash cow and continually improving their craft, making the new generation of malware more dangerous. They have one task to accomplish. They are focused and most probably will stop at nothing until they finish the job. The name gives a clear definition of what type of malware we are dealing with today: Advanced Persistent Threats.


These are not your ordinary programs coded by a lone engineer. These bad boys are assembled from components, much like how big software companies build their products. Every component is crafted by a team specializing in that component's task, be it a rootkit module, the propagation module, or the payload.

The term "advanced" doesn't just pertain to the malware creation process. It also describes the amount of research and planning involved in executing the attack: identifying entry points, the kind of security the target has, what parts are vulnerable, and so on. Everything is done for the purpose of achieving the goal. The difficulty this brings is that almost nobody knows what the end goal is until the attack is already under way.

Everything they do is for one goal, and they will not stop until it is accomplished. If they are an underground malware organization, that is probably because they will not get paid otherwise; if they are not in it for money, they have the same motivation, if not more. Their plan A will always have plans B and C, and they will make multiple attempts at an attack as long as they believe they have not been found out. This is where "persistent" comes from.

The "threat" part, of course, is the actual payload. This type of attack always has harmful intent toward its target and thus will always be considered a threat.


With the evolution of malware threats over the years, no one could have predicted that it would go this far. The changes seen across their generations are proof that they evolve along with advances in computer technology. Though they differ in technique, they have one thing in common: they always need a target. And one observation that holds throughout this history is that malware goes wherever its target's entry point is: from file infection, to email, to websites, and now even mobile devices.

As we continue to use technology in our daily lives there will always be a risk of infection, and malware will continue to exist. It will always be there to remind us that security should not be taken lightly. It will continue to evolve and adapt as long as it can find vulnerabilities in our technology to compromise.
