Introduction To Malware Development
What is Malware?
Malware is a type of software specifically designed to perform malicious actions such as gaining unauthorized access to a machine or stealing sensitive data from it. The term “malware” is often associated with illegal or criminal conduct, but malware can also be used by ethical hackers such as penetration testers and red teamers for an authorized security assessment of an organization.
Why Learn Malware Development?
There are several reasons why someone would want to learn malware development. From an offensive security perspective, testers will often need to perform certain malicious tasks against a client’s environment. Testers generally have three main options when it comes to the types of tools used in an engagement:
- Open-Source Tools (OSTs) - These tools are generally signatured by security vendors and detected in any decently protected or mature organization. They are not reliable when engaging in an offensive security assessment.
- Purchasing Tools - Teams with larger budgets will often opt to purchase tools in order to save time during engagements. Similar to custom tools, these are generally closed-source and have a better chance of evading security solutions.
- Developing Custom Tools - Because these tools are custom-built, they have not been analyzed or signatured by security vendors, which gives the attacking team an advantage when it comes to detection. This is where malware development knowledge becomes paramount for a more successful offensive security assessment.
What Programming Language Should Be Used?
Technically speaking any programming language can be used to build malware such as Python, PowerShell, C#, C, C++ and Go. With that being said, there are a few reasons that some programming languages prevail over others when it comes to malware development and it usually boils down to the following points:
- Certain programming languages are more difficult to reverse engineer. It should always be part of the attacker’s goal to ensure defenders have limited understanding of how the malware behaves.
- Some programming languages require prerequisites on the target system. For example, executing a Python script requires an interpreter present on the target machine. Without the Python interpreter present on the machine, it is impossible to execute Python-based malware.
- Depending on the programming language, the generated file size will differ.
High-Level vs Low-Level Programming Languages
Programming languages can be classified into two different groups, high-level and low-level.
- High-level - Generally more abstracted from the operating system, less efficient with memory, and provides the developer with less overall control due to the abstraction of several complex functions. An example of a high-level programming language is Python.
- Low-level - Provides a way to interact with the operating system at an intimate level and gives the developer more freedom when interacting with the system. An example of a low-level programming language is C.
Given the previous explanations, it should become clear why low-level programming languages have been the preferred choice in malware development, especially when targeting Windows machines.
Windows Malware Development
The Windows malware development scene has shifted within the past few years and is now focused on evading host-based security solutions such as Antivirus (AV) and Endpoint Detection and Response (EDR). With the advancement in technology, it is no longer sufficient to build malware that executes suspicious commands or performs “malware-like” actions.
Malware Development Life Cycle
Fundamentally, malware is a piece of software designed to perform certain actions. Successful software implementations require a process known as the Software Development Life Cycle (SDLC). Similarly, well-built and complex malware will require a tailored version of the SDLC, referred to as the Malware Development Life Cycle (MDLC).
Although the MDLC is not necessarily a formalized process, it is used in MalDev Academy to give readers an easy way to understand the development process. The MDLC consists of 5 main stages:
- Development - Begin the development or refinement of functionality within the malware.
- Testing - Perform tests to uncover hidden bugs within the code developed so far.
- Offline AV/EDR Testing - Run the developed malware against as many security products as possible. It’s important that the testing is conducted offline to ensure no samples are sent to the security vendors. With Microsoft Defender, this is achieved by disabling the automated sample submission and cloud-delivered protection options.
- Online AV/EDR Testing - Run the developed malware against the security products with internet connectivity. Cloud engines are often key components of AVs/EDRs, and therefore testing your malware against these components is crucial to gain more accurate results. Be cautious, as this step may result in samples being sent to the security solutions’ cloud engines.
- IoC (Indicators of Compromise) Analysis - In this stage, you take on the role of the threat hunter or malware analyst. Analyze the malware and pull out IoCs that could potentially be used to detect or signature it.
- Return to step 1.