Researchers have been studying coding errors in malware to determine if there are ways to leverage these vulnerabilities to prevent malware from loading in the first place.
From late 2019 to March 2021, Zscaler researchers said they performed a large-scale analysis of a data set of malicious samples that crashed in the Zscaler Cloud Sandbox.
“The purpose of this research was to find out what type of vulnerabilities exist in some of the prevalent malware families and how these can be used to stop malware infection,” explained Nirmal Singh Bhary, director of malware labs at Zscaler. “A large-scale analysis of in-the-wild malicious samples, ranging from stealers and downloaders to ransomware, was performed. We found multiple examples of malware with different types of vulnerabilities that can be used as a kill-switch.”
Bhary said one example, a vulnerability in Oski malware, shows that a malware infection can be prevented by creating a dummy entry with an empty password in Google Chrome’s “Login Data” file. Oski, a dangerous piece of malware that emerged late last year in North America and China, can steal personal and sensitive credential information from infected users.
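The mitigation Bhary describes, written out as an added example that is not Zscaler's code and not part of the original article: a small Python script that writes the dummy, empty-password entry into a Login Data-style SQLite database and then checks that it is present. The `logins` schema below is a simplified assumption (Chrome's real table has more columns and changes between versions), the database is a constructed copy built in a temporary directory, the `killswitch.invalid` origin is a placeholder, and nothing here reproduces the Oski bug itself; the script only places and verifies the entry the research says prevents the infection.

```python
import os
import sqlite3
import tempfile

# Simplified stand-in for the schema of Chrome's "Login Data" SQLite file.
# ASSUMPTION: the column names match Chrome's "logins" table, but a real
# profile carries more columns and the exact schema varies by version.
LOGINS_SCHEMA = """
CREATE TABLE IF NOT EXISTS logins (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    origin_url VARCHAR NOT NULL,
    action_url VARCHAR,
    username_value VARCHAR,
    password_value BLOB,
    signon_realm VARCHAR NOT NULL,
    date_created INTEGER NOT NULL DEFAULT 0
);
"""

INSERT_SQL = (
    "INSERT INTO logins (origin_url, action_url, username_value, "
    "password_value, signon_realm, date_created) VALUES (?, ?, ?, ?, ?, ?)"
)

# Constructed sample row standing in for a user's real (encrypted) credential.
SAMPLE_ROWS = [
    ("https://example.test/login", "https://example.test/login", "alice",
     b"v10\x00ciphertext-placeholder", "https://example.test/", 0),
]

# Placeholder origin for the kill-switch entry (.invalid is a reserved TLD).
DUMMY_ORIGIN = "https://killswitch.invalid/"


def build_sample_login_data(db_path):
    """Create a constructed Login Data-style database with one ordinary entry."""
    conn = sqlite3.connect(db_path)
    try:
        conn.executescript(LOGINS_SCHEMA)
        conn.executemany(INSERT_SQL, SAMPLE_ROWS)
        conn.commit()
    finally:
        conn.close()


def add_dummy_login(db_path, origin=DUMMY_ORIGIN):
    """Insert the kill-switch entry: a dummy login whose stored password is empty.

    Returns True if a row was inserted and False if the entry already exists,
    so a hardening script can run repeatedly without piling up duplicates.
    """
    conn = sqlite3.connect(db_path)
    try:
        existing = conn.execute(
            "SELECT COUNT(*) FROM logins WHERE origin_url = ? AND password_value = ?",
            (origin, b""),
        ).fetchone()[0]
        if existing:
            return False
        conn.execute(INSERT_SQL, (origin, origin, "dummy", b"", origin, 0))
        conn.commit()
        return True
    finally:
        conn.close()


def empty_password_entries(db_path):
    """Return the origin_url of every row whose stored password is empty.

    This doubles as a sanity check: exactly the dummy origin should appear,
    and no genuine credential should have been blanked by mistake.
    """
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute(
            "SELECT origin_url FROM logins "
            "WHERE password_value = ? OR password_value IS NULL",
            (b"",),
        ).fetchall()
        return [row[0] for row in rows]
    finally:
        conn.close()


def run_demo():
    """Build a constructed copy, apply the kill switch twice, and report the state."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "Login Data")
        build_sample_login_data(path)
        first = add_dummy_login(path)    # inserts the dummy row
        second = add_dummy_login(path)   # idempotent: nothing to do
        return first, second, empty_password_entries(path)


if __name__ == "__main__":
    # Only ever run this against a copy; never edit a live profile while the browser is open.
    print(run_demo())
```

The script deliberately works on a throwaway copy: applying this to a real profile would mean matching the installed browser's full schema and doing so while the browser is closed, and the `empty_password_entries` check exists so that the only empty-password row is the dummy one.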
Zscaler studies samples of malware as a matter of course as part of its anti-malware service offering, said Michael Isbitski, technical evangelist at Salt Security. With sandboxing techniques, potentially malicious software is run within an isolated, virtualized environment using a hypervisor. Virtualization with hypervisors is useful as a sandbox, he said, because it allows multiple operating environments to run simultaneously on the same equipment and isolates applications from each other. The researchers can then spin up virtual machines from a pre-defined image, terminate them, and restore them to their original state.
“The malware research shows that even malware developers make programming mistakes,” said Isbitski, noting that Zscaler points out that malware often exhibits common application flaws such as failing to validate input or output, not handling memory buffers appropriately, or failing to handle exceptions. "These types of common programming mistakes often lead to app failures or faults, and they may also result in exploitable conditions if someone wanted to attack an application."
Theoretically, it’s possible an attacker could exploit a piece of malware present on a system just as they would target a legitimate application or API to breach an organization. "In this case, the programming mistakes made by the malware authors helped Zscaler researchers better understand malware behavior and identify families of malware," Isbitski said. "Zscaler, in turn, builds signatures and detections for their antivirus and anti-malware capabilities.”
The new research from Zscaler demonstrates threat actors suffer from many of the same challenges with secure coding, said Jake Williams, co-founder and CTO at BreachQuest. Williams said the research aligns well with what incident responders dealing with ransomware over the years have observed.
“While most of the bugs highlighted in the Zscaler research will have negligible real-world impact, bugs in ransomware encryptors and decryptors absolutely do,” Williams said, pointing to bugs in encryptors that render the encrypted content completely unrecoverable even if the ransom is paid. "This is one of the many reasons that incident responders recommend only running decryptors on copies of the encrypted data. Some bugs we’ve observed are transient, meaning that the same decryptor may fail to decrypt data on the first execution, but succeed on subsequent executions.”
Bugs in code plague every developer, so it helps to demystify adversaries to know that they run into the very same problems experienced by white-hat developers, said Sean Nikkel, senior cyber threat intel analyst at Digital Shadows. Nikkel said these bugs may come about as a result of adversaries rushing to "get to market" before competing exploits gain widespread use, inexperience in using development best practices, or other resource constraints.
“In any case, it's an interesting premise to have more active defenses that not only recognize malware signatures, but also prevent them from spreading by taking advantage of weaknesses in their own coding,” Nikkel said. “The real problem is how to develop these capabilities in such a way that doesn't tip off adversaries to potential countermeasures. This would enable blue teams to remain one step ahead of attacks.”
Chuck Everette, director of cybersecurity advocacy at Deep Instinct, said ransomware tactics are evolving at ever-increasing speed and sophistication, which means they are poised to jump on any newly reported vulnerability or new attack surface as fast as possible. However, Everette said this does not mean that their malware payloads are immune to errors in their code.
“Within these criminal organizations, there’s a lot of competition,” Everette said. “The ‘first to the prize’ methodology is very much in play here. This means criminal actors skip testing and proper quality assurance checks to take advantage of newly discovered vulnerabilities before they are patched."
While coding errors in malware are significant, this does not change the requirement for advanced detection and prevention of malicious payloads from cybersecurity vendors, he added. But be warned: looking for these types of errors could lead to a high number of false positives, because they are relatively common in other software written and deployed today.
"Therefore, the best offense is to look for malicious activity itself, not for errors," Everette said.