Software developers love to reuse code wherever possible, and malware authors are no exception. While we often think of different malware strains as separate entities, the reality is that most new malware recycles large chunks of code from existing malware, with changes and additions that are themselves often lifted from publicly released exploits and tools.
This approach makes sense. Why reinvent the wheel when another author has already created a working solution? Code reuse cuts both ways for defenders: because the copied routines carry the same byte sequences, strings and behaviour as the original, signatures and similarity hashes written for the parent family frequently catch the offspring as well. More often than not, though, the time saved is reinvested in evasion and attack efficacy, which can produce a more dangerous final product.
There are multiple reasons why attackers reuse code when developing their own malware. First, it saves time. By copying code wherever possible, malware authors have more time to focus on other areas, like detection avoidance and attribution masking. In some cases there may be only one practical way to accomplish a task, such as triggering a particular vulnerability. In those instances, code reuse is a no-brainer.
Attackers also tend to reuse effective tactics such as social engineering, malicious macros and spear phishing whenever possible, simply because they have a high rate of success.
Examples of hackers reusing and improving existing malware
The Reaper (or IoTroop) botnet, first reported in October 2017 by researchers at Check Point, is an excellent example of attackers reusing and improving existing malware. It borrows basic code from the incredibly effective Mirai botnet, whose source had been posted publicly a year earlier. The author of Reaper appears to have used Mirai as a platform, on which they built more effective methods for both spreading and launching attacks. Where Mirai relied almost entirely on default-credential brute forcing, Reaper's additions include active exploitation of known, already-disclosed vulnerabilities in IoT devices and an embedded Lua execution environment, which allows it to run more sophisticated attack logic than Mirai's simple DDoS floods.
Here's another example. In April 2017, a group calling itself the Shadow Brokers publicly released exploit tooling attributed to the NSA. Among the tools were working exploits for vulnerabilities in the SMB file-sharing service of Microsoft Windows. These were not zero-days at the time of release: Microsoft had patched them a month earlier in MS17-010, but a huge number of systems remained unpatched. Within weeks, attackers repurposed the leaked EternalBlue exploit to turn ransomware into a ransomworm in the WannaCry campaign, and NotPetya followed shortly after. These campaigns showed how quickly attackers can recycle newly public exploits, and with what devastating results, when the window between disclosure and patching stays open.
In 2015, a Turkish security researcher published two open-source ransomware projects, Hidden Tear and EDA2, for educational purposes. As one might expect, attackers used the source code to create their own ransomware variants within weeks of its release, including RANSOM_CRYPTEAR, Magic Ransomware and KaoTear. These variants mostly kept the same base encryption routine, changing only the ransom note, the command-and-control connection and, in some cases, the propagation routines. This illustrates how quickly attackers can repurpose public code for their own benefit, and it is exactly the pattern that makes family-level signatures effective: the part that changes (note text, C2 address) is cosmetic, while the part that is copied verbatim is the part a detection can key on.
Reusing general attack methods
Malware code isn't the only place where attackers reuse what already exists. They also reuse general attack methods wherever possible. Beginner attackers, or "script kiddies" as they are usually called, rely on pre-built tools and attack methods to make up for their own lack of knowledge. Tools like Rapid7's Metasploit Framework are invaluable for legitimate security researchers performing penetration tests for clients, but they are equally loved by novices who are up to no good. Rapid7 isn't the only vendor to face this conundrum; the entire penetration testing industry is built on tools developed for professionals but used just as readily by criminals. Ultimately, there is a legitimate need for these tools, which means they are here to stay.
Attack methods are also reused when they are highly effective. Malicious Office document macros have been around since seemingly the beginning of time and are still in use today, despite Microsoft's efforts to blunt them: macros have been disabled by default for years, so a document cannot run its macro until the recipient clicks through the "Enable Content" warning. Attackers continue to use malicious macros for malware delivery primarily because it remains easy to convince a victim to click that button, usually with a lure such as a fake invoice or a document that claims to be "protected".
Code reuse is a trend that isn't going to stop any time soon, if ever. Malware and attack-code authors cite many reasons for open-sourcing their work. The developer of EDA2 and Hidden Tear claims he released his code to teach how ransomware works, while the author of the Mirai botnet released the source as a "last hurrah" on exiting the botnet business after their attacks earned them too much notoriety.
Attackers will continue to build on the past successes of others to create more effective and devastating attacks. Exploit reuse, like what we saw with WannaCry and the leaked EternalBlue exploit, will remain popular for attackers as long as effective exploit code keeps being made public and as long as the gap between a patch shipping and a patch being applied stays wide enough to drive through.