Do Malware Authors Dream of Original Code?

Posted on by FireEye Inc.

In the cybersecurity world, we often see the same malware being used by different attackers. Maybe the malware has been made publicly available and is easy enough to obtain. Or maybe it is being offered as a service in underground markets. Regardless of how it is acquired, a sufficiently sophisticated actor knows they will need to tweak the malware if they want to increase the chances of a particular operation succeeding. Once that code is edited, the result is no longer identical to the original malware and instead becomes part of what we refer to as a malware family.

A malware family is a program or set of associated programs with sufficient “code overlap” among the members that FireEye considers them to be the same thing: a “family.” The term family broadens the scope of a single piece of malware as it can be altered over time, which in turn creates a new but fundamentally overlapping piece of malware. The most common differences FireEye sees among members of a malware family relate to configuration, command and control (C2) addresses and features.

Under the Radar

Using existing malware code has advantages: it helps reduce costs, free up resources and speed up operations. But it also has disadvantages. For one, the chances of it being identified by anti-virus or other detection technology are greater, since it shares code with known malware and that overlap is exactly what signatures and similarity-based detections key on.
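To make the "code overlap" idea above concrete, here is an added example (not FireEye code, and not any real malware) that scores samples by the fraction of byte 4-grams they share, single-links them into families above a threshold, and pulls out the embedded C2 string that typically differs between members. The sample bodies are constructed pseudo-random bytes standing in for compiled code, the `C2=` trailer is an assumed toy configuration format, and the addresses are documentation-range IPs; the threshold of 0.5 is an assumption for the toy data.

```python
"""Toy "code overlap" scoring and family clustering (illustrative only)."""
import random
from itertools import combinations
from typing import Dict, List, Optional, Set


def _fake_code(seed: int, length: int = 600) -> bytes:
    # Deterministic pseudo-random bytes standing in for a compiled code body.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


# Constructed samples: three builds of "family A" that share a core and differ
# only in C2 address (and, for a-v3, an added code block), plus one unrelated
# "family B" sample. The C2 string is appended in a toy "C2=host:port\0" format.
FAMILY_A_CORE = _fake_code(1)
FAMILY_B_CORE = _fake_code(2)
SAMPLES: Dict[str, bytes] = {
    "a-v1": FAMILY_A_CORE + b"C2=10.0.0.1:443\x00",
    "a-v2": FAMILY_A_CORE + b"C2=203.0.113.9:8080\x00",          # rebuilt with a new C2
    "a-v3": FAMILY_A_CORE[:300] + _fake_code(3, 80)              # new feature spliced in
            + FAMILY_A_CORE[300:] + b"C2=198.51.100.7:443\x00",
    "b-v1": FAMILY_B_CORE + b"C2=192.0.2.5:80\x00",
}


def ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    """Set of overlapping byte n-grams; the unit of 'overlap' we measure."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of the two samples' n-gram sets (0.0 .. 1.0)."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


def cluster_families(samples: Dict[str, bytes],
                     threshold: float = 0.5) -> List[List[str]]:
    """Single-linkage grouping: any pair at/above the threshold joins a family."""
    parent = {name: name for name in samples}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for x, y in combinations(samples, 2):
        if similarity(samples[x], samples[y]) >= threshold:
            parent[find(x)] = find(y)

    groups: Dict[str, List[str]] = {}
    for name in samples:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())


def extract_c2(sample: bytes) -> Optional[str]:
    """Pull the NUL-terminated C2 string from the toy config trailer, if present."""
    start = sample.rfind(b"C2=")
    if start < 0:
        return None
    end = sample.find(b"\x00", start)
    raw = sample[start + 3:end if end >= 0 else None]
    return raw.decode("ascii", errors="replace")


if __name__ == "__main__":
    for x, y in combinations(SAMPLES, 2):
        print(f"{x} vs {y}: {similarity(SAMPLES[x], SAMPLES[y]):.3f}")
    for family in cluster_families(SAMPLES):
        c2s = {name: extract_c2(SAMPLES[name]) for name in family}
        print("family:", family, "C2s:", c2s)
```

Running it shows the three family A builds scoring well above 0.8 against each other despite their different C2 addresses, while the family B sample scores near zero; the clusterer therefore emits two families, and the extracted C2 strings are the only thing that distinguishes the A members. Raw byte n-grams are a deliberately crude stand-in: real pipelines use fuzzy hashes such as ssdeep or TLSH, or function-level features from disassembly, and any of these is defeated by packing or encryption of the code body, which is why the "cheap tweak" an attacker makes is often a new packer rather than new code.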

The desire to remain undetected for as long as possible is likely one of the primary reasons we continue to see so many unique malware families today. Between October 2018 and September 2019, FireEye Mandiant researchers encountered 186 unique malware families (comprising tens of thousands of malware samples). Among those, 41 percent were malware families that we had never seen before.

If It Ain’t Broke…

Despite nearly half of the malware families encountered in that one-year period being new, we’re still seeing plenty of the old. Of the tens of thousands of malware samples our experts observed, 70 percent belong to one of the five most frequently seen families: BEACON, EMPIRE, TRICKBOT, SHORTBENCH and QAKBOT (it’s worth noting that these families are built on publicly available tooling that is under active development, so "old" does not mean static).

Additionally, attackers continue to use common and popular categories of malware. Of all the malware samples observed in that one-year period, 46 percent fell into the category of “backdoor,” meaning the primary function is to allow an attacker to establish control over a victim host and achieve interactive functionality such as sleep, file transfer, credential stealing, keylogging, reverse shells and process manipulation.

Other popular categories of malware include “dropper” for extracting, installing, launching or executing other malware (15 percent); “credential stealer” for accessing and stealing authentication credentials (9 percent); “point-of-sale” for theft of payment card information (7 percent); and “ransomware” for denying access until a payment is made (7 percent).

Beyond Infections

We talk a whole lot more about the malware we observed over the previous year—and provide additional stats on the latest breaches and cyberattacks—in M-Trends 2020, the 11th edition of our popular annual FireEye Mandiant report. We highlight the different malware and TTPs being used at various stages of the attack lifecycle, discuss current trends such as ransomware and malicious insiders, share a case study involving the targeting of gift cards, and take a look at cloud breaches and best practices for securing cloud infrastructure.

One key statistic from the report: the global median dwell time is now 56 days, a big improvement over the 78-day global median dwell time we reported in last year’s M-Trends 2019 report.

This suggests that despite malware authors continuing to create new malware families to evade detection, defenders are keeping up and finding intrusions faster than before.


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.