Slashdot Mirror


Why Hackers Reuse Malware (helpnetsecurity.com)

Orome1 shares a report from Help Net Security: Software developers love to reuse code wherever possible, and hackers are no exception. While we often think of different malware strains as separate entities, the reality is that most new malware recycles large chunks of source code from existing malware with some changes and additions (possibly taken from other publicly released vulnerabilities and tools). This approach makes sense. Why reinvent the wheel when another author already created a working solution? While code reuse in malware can make signature-based detection methods more effective in certain cases, more often than not it frees up time for attackers to do additional work on detection avoidance and attack efficacy -- which can create a more dangerous final product.

There are multiple reasons why hackers reuse code when developing their own malware. First, it saves time. By copying code wherever possible, malware authors have more time to focus on other areas, like detection avoidance and attribution masking. In some cases, there may be only one way to successfully accomplish a task, such as exploiting a vulnerability. In these instances, code reuse is a no-brainer. Hackers also tend to reuse effective tactics such as social engineering, malicious macros and spear phishing whenever possible simply because they have a high rate of success.
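The summary notes that code reuse can make signature-based detection more effective. The following is an added defender-side illustration of that point, not code from the article or from any Slashdot poster: content-defined chunk hashing shows that a variant which keeps most of an older sample still shares most chunk hashes with it, so a signature built on the reused core keeps matching. The function names, the chunking parameters and the pseudo-random sample bytes are all constructed for this example.

```python
import hashlib
import random

WINDOW, MIN_CHUNK, MASK = 4, 16, 0x1F   # ~48-byte content-defined chunks on average

def chunk_hashes(data: bytes) -> set:
    """Content-defined chunking: boundaries come from a rolling hash of the last
    WINDOW bytes, so an edit shifts only the chunks it touches and the code copied
    unchanged from an older sample still yields identical chunk hashes."""
    hashes, start = set(), 0
    for i in range(WINDOW, len(data) + 1):
        h = 0
        for b in data[i - WINDOW:i]:               # tiny polynomial rolling hash
            h = (h * 31 + b) & 0xFFFFFFFF
        if i - start >= MIN_CHUNK and h & MASK == 0:
            hashes.add(hashlib.sha256(data[start:i]).hexdigest()[:16])
            start = i
    if start < len(data):                          # trailing partial chunk
        hashes.add(hashlib.sha256(data[start:]).hexdigest()[:16])
    return hashes

def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of two samples' chunk sets (0.0 = nothing in common)."""
    ha, hb = chunk_hashes(a), chunk_hashes(b)
    return len(ha & hb) / len(ha | hb) if ha | hb else 0.0

def family_signature(samples) -> set:
    """Chunk hashes present in every known sample: the reused core of a family."""
    sets = [chunk_hashes(s) for s in samples]
    return set.intersection(*sets) if sets else set()

def signature_coverage(signature: set, data: bytes) -> float:
    """Fraction of the family signature that a new sample still carries."""
    return len(signature & chunk_hashes(data)) / len(signature) if signature else 0.0

def _pseudo_binary(seed: int, size: int) -> bytes:
    """Constructed stand-in for a binary: deterministic pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(size))

# Constructed samples (not real malware): an original, a variant that keeps ~90%
# of it and rewrites the middle 10%, and an unrelated program.
ORIGINAL = _pseudo_binary(1, 2000)
VARIANT = ORIGINAL[:900] + _pseudo_binary(2, 200) + ORIGINAL[1100:]
UNRELATED = _pseudo_binary(3, 2000)

if __name__ == "__main__":
    print(f"original vs variant:   {similarity(ORIGINAL, VARIANT):.2f}")
    print(f"original vs unrelated: {similarity(ORIGINAL, UNRELATED):.2f}")
```

The same idea underlies fuzzy-hashing tools used in triage; a fixed-size block scheme would break on the first inserted byte, which is why boundaries are derived from content here.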

5 of 27 comments

  1. D'oh by Obfuscant · Score: 4, Insightful

    An entire summary repeating standard reasons why everyone reuses code. Must be a click-bait article. Thanks.

    1. Re:D'oh by mjwx · Score: 2

      An entire summary repeating standard reasons why everyone reuses code. Must be a click-bait article. Thanks.

      Probably also an explanation that I use the same sandwich bag for the new cheese when I've finished the old cheese. Because I can't be arsed getting another sandwich bag out of the cupboard when I've got a perfectly good one in front of me.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  2. Some even post their projects in public by El+Cubano · Score: 5, Funny

    Some malware authors even post their projects in public: https://github.com/microsoft

    Apparently anybody can submit issues, pull requests, and so on to ensure the world gets the benefit of high quality malware with all the goodness of open source.

  3. DaFuq? by Snotnose · Score: 4, Insightful

    Change the 10% that gets you into your target, reuse the 90% that's been proven to work. This is a story because.......?

  4. This is news? by Opportunist · Score: 2

    Back 10 years ago when I was last analyzing malware for a living, we already had this phenomenon where you would find certain "tricks" in various bits of malware. Aside from packers and other attempts to keep you from spotting the malware, there have always been (commercial and free) code snippets that were widely used.

    Especially today, when malware is no longer an "artform" where some self-appointed genius feels the urge to show the world just how clever he is, writing the n-th polymorphing worm, but rather commercial software not unlike any other, the makers of said software simply don't have the luxury anymore to puzzle and tinker with it for months to get the "perfect" malware done that will thwart all your attempts to detect it for all eternity because (insert random reason here).

    You have to understand how the malware business works (something our politicians routinely fail to do whenever they dream up some "state controlled trojan"). Unless you're spear phishing, the malware business does not target anything. It's not a sniper gun. It's more a cluster bomb. Not caring what it hits. So it goes for the soft targets, the users without a clue and without sensible antivirus protection. And for them you don't need a highly sophisticated, well crafted trojan making use of multiple 0days you got from your buddy at some TLA. What you need for them is any old trick. Yes, a current AV would detect it and a well patched system wouldn't be susceptible, and 9999 of 10000 systems are not vulnerable.

    But since you're targeting 100 million machines...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.