Monday, November 18, 2024
How Malware Analysis Helps You Detect Reused Malware code

The fight against malware has taken another angle. Cybersecurity experts have found a way to detect reused malware code, improving malware analysis. In this post, we explore how new malware analysis techniques help you detect reused malware.

Why Do Hackers Reuse Code? 

Cybercriminals aim to cause the most impact with the least possible effort. Like any other developer, they like to reuse code. When conducting malware analysis, security analysts think of malware in terms of families and strains. But in reality, hackers are not unlike other developers. As such, most current malware recycles pieces of software from other malware. The hackers add to it and change it a little (the modifications are probably also taken from public repositories).

Malware creators aim to work efficiently. Instead of writing a new piece of software with thousands of lines of code, they look for working segments and apply them to their own software. This may seem counterintuitive for attackers, since reused code creates a way to track the malware, but it doesn't stop them. More often than not, the time saved lets them concentrate on social engineering and phishing and on building a more damaging product.

Examples of hackers’ code reuse

Shadow Brokers

This hacktivist group released exploit source code stolen from the National Security Association. The code included several zero-day vulnerabilities in the MS file sharing service. Attackers repurposed this code into the famous WannaCry and NotPetya ransomware attacks.

EDA2 and Hidden Tear

In another case, a security researcher from Turkey published two ransomware variants, Eda2 and Hidden Tear, for educational purposes. Attackers quickly grabbed this opportunity and used the source code to create their own ransomware variants.

They reuse attack methods too.

Hackers not only reuse code. They reuse attack techniques, methods, and practices. After all, if a specific attack line has worked in the past, why shouldn't they use it again? This is most common among "script kiddies" (beginner hackers), who reuse attack methods to fill the gaps in their skills. Beginner hackers use the same tools used by pen testers.

Seasoned hackers also reuse methods when they are effective, for example malicious Office macros. Criminals will also reuse social engineering tactics and spear phishing. Attackers build on the success of others to inflict more damage or to exploit reused code.

How Genetic Malware Analysis detects reused code

Malware analysis is a critical method for responding to security incidents effectively. There is an innovative approach to automated malware analysis called Genetic Malware Analysis. This technology aims to provide detailed insights into any file suspected of being malware. Let's dive into it.

What is genetic malware analysis?

Software is in constant evolution. Developers reuse code written by others. Searching for reused pieces of code that they can recognize is one of the tactics security researchers use. Looking for similarities is a tactic that has proven successful for threat analysis. For example, the WannaCry ransomware mentioned above contains code pieces related to the Lazarus threat actor group.

The problem with this approach is that doing it manually is time-consuming and requires a high level of expertise. As a result, it can only be applied to a limited number of files.

Genetic malware analysis solves these issues by automating and scaling the process. It compares the files against a database of trusted and malicious software. Since the process is automated, it only takes seconds.

How it works

First, the system parses and disassembles files, then transforms the code into searchable tokens, the "genes". Like the tokenization used in search engines, the algorithm breaks the code into smaller fragments, ignoring variable names and other non-essential elements.

After the genes are extracted, the tool compares them against a code database to detect reused code. The code genome database is constantly updated with cataloged malware. Once a new malware enters the code database, it is flagged to prevent attackers from reusing the code. Security teams can also use genetic malware analysis to explore other similarities between suspicious files, such as metadata, strings, and resources.

The capabilities of genetic malware analysis are not limited to detection. Once the system detects the malware, it creates YARA signatures based on the code. These signatures improve protection by identifying future variants of the malware. This feature makes genetic malware analysis signatures more effective than hash-based signatures.
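As an added illustration (not code from the article or from any vendor's tool), the following simplified Python sketch walks through the pipeline described above: normalising disassembled instructions into gene tokens, scoring a suspect's gene set against a small constructed genome database, and emitting a YARA rule from the shared genes. All listings, family names and the `normalize`/`extract_genes`/`compare`/`yara_rule` helpers are constructed for the example.

```python
import re

# Normalise one disassembled instruction into a "gene" token: keep the mnemonic and
# registers, abstract immediates and memory operands so that changed constants,
# relocated addresses and renamed variables do not defeat the match.
def normalize(instr: str) -> str:
    mnem, _, ops = instr.strip().partition(" ")
    ops = re.sub(r"\[[^\]]*\]", "MEM", ops)                  # [ebp+0x8] -> MEM
    ops = re.sub(r"\b0x[0-9a-fA-F]+\b|\b\d+\b", "IMM", ops)  # 0x40, 7 -> IMM
    return f"{mnem} {ops.replace(' ', '')}".strip()

def extract_genes(listing, n=3):
    """Genes = n-grams of normalised instructions (search-engine style tokenisation)."""
    toks = [normalize(i) for i in listing]
    return {" ; ".join(toks[i:i + n]) for i in range(len(toks) - n + 1)}

# Constructed disassembly listings for the example; none of this is real malware code.
FAMILY_A = ["push ebp", "mov ebp, esp", "sub esp, 0x40", "mov eax, [ebp+0x8]",
            "xor eax, 0x5a5a5a5a", "rol eax, 7", "mov [ebp-0x4], eax",
            "call 0x401000", "leave", "ret"]
BENIGN_CRT = ["push ebp", "mov ebp, esp", "mov eax, [ebp+0x8]", "add eax, 1",
              "pop ebp", "ret"]
# FAMILY_A's decoding routine with new constants, a bigger frame and one extra
# instruction: the kind of light modification the article describes.
SUSPECT = ["push ebp", "mov ebp, esp", "sub esp, 0x80", "mov eax, [ebp+0xc]",
           "xor eax, 0xdeadbeef", "rol eax, 13", "mov [ebp-0x8], eax",
           "call 0x402200", "xor ecx, ecx", "leave", "ret"]

# The "code genome" database: gene sets of previously catalogued trusted and malicious files.
GENOME_DB = {"ransom_family_a": extract_genes(FAMILY_A), "benign_crt": extract_genes(BENIGN_CRT)}

def compare(suspect_genes, db):
    """Return (name, Jaccard score, shared genes) per catalogued file, best match first."""
    out = []
    for name, genes in db.items():
        shared, union = suspect_genes & genes, suspect_genes | genes
        out.append((name, round(len(shared) / len(union), 3) if union else 0.0, shared))
    return sorted(out, key=lambda r: r[1], reverse=True)

def yara_rule(name, genes, threshold=3):
    """Build a YARA rule from the shared genes. This toy emits the gene text; a real
    tool would emit the matching opcode bytes with wildcards for the abstracted
    operands, so the rule also catches the next lightly modified variant."""
    strings = "\n".join(f'        $g{i} = "{g}"' for i, g in enumerate(sorted(genes)))
    return (f"rule reused_{name} {{\n    strings:\n{strings}\n"
            f"    condition:\n        {threshold} of them\n}}")

if __name__ == "__main__":
    ranked = compare(extract_genes(SUSPECT), GENOME_DB)
    for name, score, shared in ranked:
        print(f"{name}: similarity {score}, {len(shared)} shared genes")
    print(yara_rule(ranked[0][0], ranked[0][2]))
```

The suspect shares six of its nine genes with the catalogued family and none with the benign runtime code, even though every constant and address in it was changed.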

Summary

Detecting malware has become a more difficult task because of the increasing complexity of malware tactics. The approach of detecting reused code to identify malware, although clever, was very time-consuming and ultimately lacked effectiveness. By automating and enhancing this process, new technologies like genetic malware analysis offer an improved approach to malware analysis.