Slashdot Mirror


Why Hackers Reuse Malware (helpnetsecurity.com)

Orome1 shares a report from Help Net Security: Software developers love to reuse code wherever possible, and hackers are no exception. While we often think of different malware strains as separate entities, the reality is that most new malware recycles large chunks of source code from existing malware with some changes and additions (possibly taken from other publicly released vulnerabilities and tools). This approach makes sense. Why reinvent the wheel when another author already created a working solution? While code reuse in malware can make signature-based detection methods more effective in certain cases, more often than not it frees up time for attackers to do additional work on detection avoidance and attack efficacy -- which can create a more dangerous final product.

There are multiple reasons why hackers reuse code when developing their own malware. First, it saves time. By copying code wherever possible, malware authors have more time to focus on other areas, like detection avoidance and attribution masking. In some cases, there may be only one way to successfully accomplish a task, such as exploiting a vulnerability. In these instances, code reuse is a no-brainer. Hackers also tend to reuse effective tactics such as social engineering, malicious macros and spear phishing whenever possible simply because they have a high rate of success.

27 comments

  1. Slashdot has jumped the shark by Anonymous Coward · · Score: 1

    With this kind of utterly stupid article, Slashdot is no longer administered by anyone who gives a damn or even knows what that means.

    1. Re:Slashdot has jumped the shark by Bite+The+Pillow · · Score: 1

      Paging Ric Romero! Next do an article about how software teams like indoor plumbing.

  2. D'oh by Obfuscant · · Score: 4, Insightful

    An entire summary repeating standard reasons why everyone reuses code. Must be a click-bait article. Thanks.

    1. Re:D'oh by Anonymous Coward · · Score: 0

      Pointless article.. this is obvious. What about the reason being that most hackers CAN'T write code? Malware and other implants have become professional grade weapons, most hackers can't even code.. so they just reuse others' code.

    2. Re:D'oh by Opportunist · · Score: 1

      Mmmm.... I don't think so.

      It's not that they can't code. It's more that malware is a business. You get paid to crank out code, so you crank out code. And the great thing is that you don't need to service it past 2-3 days because nobody gives a shit about it any later.

      It compiles. Ship it. Work on the next incarnation. Working a week longer means that the antivirus software can't detect your malware for 36 hours instead of 18. But in that week you could also crank out 5 more variants that can't be detected for 18 hours each.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:D'oh by mjwx · · Score: 2

      An entire summary repeating standard reasons why everyone reuses code. Must be a click-bait article. Thanks.

      Probably also an explanation that I use the same sandwich bag for the new cheese when I've finished the old cheese. Because I can't be arsed getting another sandwich bag out of the cupboard when I've got a perfectly good one in front of me.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    4. Re:D'oh by Anonymous Coward · · Score: 0

      IRT - It takes time to write code... Time is money. End of Story.

  3. Why waste time? by mikael · · Score: 1

    Probably because if they were to rewrite whatever blocks of code they needed, they would end up with the same things: file system explorer routine, file scanner, encryptor/decryptor, anti-virus detectors, user-name scanners, event handlers for file system operations. By the time an optimizing compiler is finished, it might just end up the same code anyway. Why waste time?

    Not that bacteria do any different:

    https://www.newscientist.com/a...

    --
    Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  4. "hackers" by Anonymous Coward · · Score: 0

    I liked the original definition better than the AOLuser definition.

    "Somebody, who hacks away at his keyboard, to tinker with a system."
    No breaking in or malicious intent implied.

    Burglar seems to be a much better choice for this activity.
    We also don't need to invent a new term for the "cyber-" version of everything.

    But please stay on my lawn. And enjoy the fresh ... coat of manure and poison.

  5. Nicholas Cage says: by Anonymous Coward · · Score: 0

    "You don't say"

  6. Some even post their projects in public by El+Cubano · · Score: 5, Funny

    Some malware authors even post their projects in public: https://github.com/microsoft

    Apparently anybody can submit issues, pull requests, and so on to ensure the world gets the benefit of high quality malware with all the goodness of open source.

    1. Re:Some even post their projects in public by thomst · · Score: 1

      Please mod parent +1 Informative.

      I'd do it, if I had mod points.

      (+1 Funny would also be appropriate - but I think the post deserves the "Informative" label. "Comedian" is an achievement without distinction hereabouts ... )

      --
      Check out my novel.
    2. Re:Some even post their projects in public by K.+S.+Kyosuke · · Score: 1

      Why am I not surprised that they've settled at the hub for gits?

      --
      Ezekiel 23:20
  7. Rather makes "fingerprinting" difficult by forkfail · · Score: 1

    That, or at least, makes it possible to say, "This code came from organization X because we found bits of code that we know at some point came from said X."

    This should probably be a no-brainer, but it is not usually part of the general discourse.

    --
    Check your premises.
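The summary's remark that reuse can make signature-based detection more effective, and forkfail's point above that shared chunks let an analyst say "this code came from X", both rest on the same mechanic: a reused routine shows up as identical byte runs across otherwise different samples. The script below is an added illustration, not code from the Help Net Security report or from any commenter. It fingerprints code sections with fixed-width byte n-grams (shingles), scores overlap with Jaccard similarity, and recovers the longest shared run so an analyst can see what was copied. All samples are constructed byte strings standing in for extracted code sections; the family names, the 8-byte window and the 0.2 threshold are assumptions for the demo.

```python
"""
Spotting reused code chunks across samples with byte n-gram shingling.

Added example. The "samples" are constructed byte strings that stand in for
code sections lifted from binaries; nothing here is real malware.
"""
from typing import Dict, Optional, Set, Tuple

NGRAM = 8  # shingle width in bytes (assumption); wider means fewer accidental hits


def shingles(data: bytes, n: int = NGRAM) -> Set[bytes]:
    """Every n-byte sliding window of `data`, as a set (order-insensitive fingerprint)."""
    if not data:
        return set()
    if len(data) < n:
        return {data}
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    """|A ∩ B| / |A ∪ B|; 0.0 when both sets are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def longest_common_chunk(x: bytes, y: bytes) -> bytes:
    """Longest contiguous byte run present in both inputs (O(len(x)*len(y)) DP).

    This is what an analyst would carve out as the 'reused routine'.
    """
    best_len, best_end = 0, 0
    prev = [0] * (len(y) + 1)
    for i in range(1, len(x) + 1):
        cur = [0] * (len(y) + 1)
        for j in range(1, len(y) + 1):
            if x[i - 1] == y[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return x[best_end - best_len:best_end]


def attribute(sample: bytes, families: Dict[str, bytes],
              threshold: float = 0.2) -> Optional[Tuple[str, float]]:
    """Best-matching known family by shingle overlap, or None if nothing clears threshold."""
    fp = shingles(sample)
    best: Optional[Tuple[str, float]] = None
    for name, reference in families.items():
        score = jaccard(fp, shingles(reference))
        if score >= threshold and (best is None or score > best[1]):
            best = (name, score)
    return best


# --- constructed test data -------------------------------------------------
# SHARED_ROUTINE plays the part of a widely copied helper (file walker, crypto
# loop, ...). family_alpha contains it; family_beta is unrelated code.
SHARED_ROUTINE = bytes(range(0x10, 0x30))                       # 32 distinct bytes
KNOWN_FAMILIES: Dict[str, bytes] = {
    "family_alpha": b"\xa1\xa2\xa3" + SHARED_ROUTINE + b"\xb1\xb2\xb3\xb4",
    "family_beta":  bytes(range(0x40, 0x60)) + b"\xc1\xc2",
}
# A "new" sample: fresh prologue/epilogue around the same copied routine.
NEW_SAMPLE = b"\xd1\xd2" + SHARED_ROUTINE + b"\xe1\xe2\xe3"


def analyse(sample: bytes = NEW_SAMPLE,
            families: Dict[str, bytes] = KNOWN_FAMILIES) -> Dict[str, object]:
    """Run attribution and carve the shared chunk for the best match."""
    match = attribute(sample, families)
    if match is None:
        return {"family": None, "score": 0.0, "chunk": b"", "offset": -1}
    name, score = match
    chunk = longest_common_chunk(sample, families[name])
    return {"family": name, "score": score, "chunk": chunk,
            "offset": sample.find(chunk)}


if __name__ == "__main__":
    result = analyse()
    print(f"best match: {result['family']} (jaccard={result['score']:.3f})")
    print(f"shared chunk of {len(result['chunk'])} bytes at offset {result['offset']}")
```

With these inputs the new sample shares 25 of its 30 shingles with family_alpha (25/37 ≈ 0.68 Jaccard) and none with family_beta, and the carved chunk is exactly the 32-byte copied routine. Real tooling uses the same idea over disassembled functions or with fuzzy hashes so that small edits and recompilation do not break the match; the plain-bytes version here is deliberately the simplest form of the technique.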
    1. Re:Rather makes "fingerprinting" difficult by Opportunist · · Score: 1

      Nobody outside some TLAs gives half a fuck whether the malware is from Russia, Zimbabwe or Generistan. What we care about is that it doesn't affect us.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. DaFuq? by Snotnose · · Score: 4, Insightful

    Change the 10% that gets you into your target, reuse the 90% that's been proven to work. This is a story because.......?

  9. This is useful for security folks by raymorris · · Score: 1

    I'm glad the bad guys do this. Most rootkits reuse some very old code that has a subtle effect which I can recognize immediately after I log into a system. I'll login for whatever reason, maybe to see why Apache isn't responding or whatever, and within a couple seconds I can announce "you have a root kit", without even doing anything to explicitly look for one. I hope rootkits keep using that old code forever. It makes them so easy to spot, without even looking for them, if you know what the signal is.

    1. Re:This is useful for security folks by Anonymous Coward · · Score: 0

      It's only the bad old rootkits that you notice. A good rootkit, you'd never notice.

  10. Not me by Anonymous Coward · · Score: 0

    I write new code every time. Sometimes I like to sit back after I'm done and then just delete everything and write it again just for fun.

  11. same reason by sucko · · Score: 0

    slashdot does the same story over and over.

  12. This is news? by Opportunist · · Score: 2

    Back 10 years ago when I was last analyzing malware for a living, we already had this phenomenon where you would find certain "tricks" in various bits of malware. Aside from packers and other attempts to keep you from spotting the malware, there have always been (commercial and free) code snippets that were widely used.

    Especially today, when malware is no longer an "artform" where some self-appointed genius feels the urge to show the world just how clever he is by writing the n-th polymorphing worm, but rather commercial software not unlike any other, the makers of said software simply don't have the luxury anymore to puzzle and tinker with it for months to get the "perfect" malware done that will thwart all your attempts to detect it for all eternity because (insert random reason here).

    You have to understand how the malware business works (something our politicians fail at routinely whenever they dream up some "state controlled trojan"). Unless you're spear-phishing, the malware business does not target anything. It's not a sniper gun. It's more a cluster bomb. Not caring what it hits. So it goes for the soft targets, the users without a clue and without sensible antivirus protection. And for them you don't need a highly sophisticated, well crafted trojan making use of multiple 0days you got from your buddy at some TLA. What you need for them is any old trick. Yes, a current AV would detect it and a well patched system wouldn't be susceptible, and 9999 of 10000 systems are not vulnerable.

    But since you're targeting 100 million machines...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  13. Why start from scratch? by Anonymous Coward · · Score: 0

    Hackers reuse code all the time, this is not news. Variants of old malware go back a long time. It's not that different than what developers of Linux do for projects.
    Hackers share ideals and concepts as any other developer would do. Except it's done more in the dark web and not so much out in public.

  14. Um...correction. by Anonymous Coward · · Score: 0

    >Software developers love to reuse code wherever possible

    You're not a real software developer, are you?

  15. ExePackers != "bad" (far from it)... apk by Anonymous Coward · · Score: 0

    See subject: They make exes hard to mess with (on disk vs. hexedit) + smaller/faster to load up from disk on init!

    * AntiVirus companies have a STUPID RULE on it - one I was falsely flagged on - was rescinded (they HAD to once I pointed out it was UTTER BS making it a 'bad thing to do' as non-malware-making coders can use it for those benefits).

    Mr. Steven Burn of Malwarebytes hpHosts helped me overturn them on it by auditing my code for safety - these are the 9 that had to CLEAR ME as safe in APK Hosts File Engine 5.0++ older builds:

    ArcaVir
    Comodo
    ClamAV
    EmsiSoft
    McAfee
    NOD32
    Norton
    Qihoo360
    Sophos

    Yet I still had to remove exe compression (they're inflexible & WRONG doing it, no questions asked)!

    APK

    P.S.=> If ANYONE's WORK is subject to exploit by "the bad guys"? It's WIDELY KNOWN antiviruses are (as well as slowing the hell out of you & false positives galore) - want examples? I've got them by the BOATLOAD... apk