Black hat trickery switched around to boost security defenses
The multiple bugs and coding errors in malware offer defenders a means to create better defenses.
This is according to a team presenting at the Virus Bulletin conference last week whose research suggests the tables can be turned on malicious actors to further web security.
Malware authors often take advantage of vulnerabilities in software packages and flaws in security products to plant malware on vulnerable systems.
New research from cloud security firm Zscaler, presented at the recent VB2021 conference, turns that approach on its head by exploiting bugs and coding errors in malware code to thwart infections by assorted botnet agents, ransomware, and trojans.
Zscaler found that bugs in malware code typically cause the malicious software to crash, and that these bugs have several distinct causes.
Sometimes malware doesn’t validate the output of a queried API, or is unable to handle different types of C&C (command and control) response.
Authors often develop malware in their own local environment and fail to account for mitigations such as ASLR (Address Space Layout Randomisation) and DEP (Data Execution Prevention), which affect how the malware’s modules are loaded and cause it to crash on systems where they are enabled.
Zscaler’s research is based on a large-scale analysis of a data set of malicious samples that crashed in the Zscaler Cloud Sandbox between late 2019 and March 2021, so it builds on previous work by systematically looking for flaws in a large sample of real malware over an extended period.
Dr Nirmal Singh Bhary, director of the malware labs at Zscaler, told The Daily Swig: “The malicious samples that we analyzed were from in-the-wild infections. The focus of our research was to find vulnerabilities that can be used to prevent infection on the client side or can be used as a kill switch.”
The research team discovered that vulnerabilities in malware not only tend to persist in malware families for a long time, but also offer security researchers a means to find the Achilles’ heel of malware strains.
“An example of a case study that we mentioned in the research paper is Vidar malware,” Dr Bhary explained. “This malware steals different types of information from the infected system, but a specific registry key can be created to prevent the infection.”
More examples of the research can be found on the conference website.