Threat Research & Response Blog
I believe the Internet is pretty awesome. Full of win some might say. Controversial viewpoint I know, but I’m cool like that.
Of the many varied side-effects of the Internet, I would argue one of the most interesting (if only from a social-science point of view) is the ability for the Internet to influence people on such a large scale; that trends take hold and spread at a much faster rate than they ever could have before. At one stage in our technological evolution television was the dominating force swaying the masses, before that it was radio; as more and more people jack in to the net for extended periods, an increasing portion of that influence will be derived from their time online. But I digress…
Malware is not immune to this phenomenon. It doesn’t take very long for malware to emerge and begin targeting or taking advantage of a new trend. Innovation is everywhere it seems. An obvious example may be online banking. An entire sector of Internet crime emerged once the ability to make real money scamming people was made available. Online games are another, more obscure, example. However it’s not just the modus operandi of malware that changes over time, the method by which it goes about its business changes too. Floppy Disk, IRC, Email, Networking & Shares, Peer-to-Peer, Remotely Exploitable Vulnerability, Instant Messaging and now Social Networking have (in approximate evolutionary order) been, at one time or another, the dominant methods by which to infect users.
In a similar way (…that might seem like quiiiiite a logical leap but go with me on this) the preferred programming language and/or platform that is popular at one time or another changes too. This is in a general sense, since certain locales tend to have a definite ‘favorite’ programming language. For example, in my experience South America has been predominantly Delphi, China is Delphi and C-based whilst Indonesia seems to be mostly Visual Basic. Regardless of the programming palette of the local malware authors, their technical tastes on a global scale trend together towards similar points (no doubt this is due to the malware forums and IRC channels that influence many who frequent there). At this stage, I’d say that point is firmly pinned to the behind of the Interpreted Language donkey.
Interpreted languages are all the rage with the kids nowadays… I mean, what with their “walk-mans” and “hip-hop”. I blame the parents. The kids, they like the social networking too you see. With all their spaces and facial books and such. And so, joy of joys, I was lucky enough to stumble across the culmination of these two facets of evolving trends this week; a fully functioning, multi-component, social-networking exploiting family of malware, written entirely in AutoIt: Win32/Cypaux.
Now, Win32/Cypaux isn’t particularly innovative in its approach. I mean, make some fake email accounts here, spam some people on a social-networking site there, throw in some downloading, web-server and ad-clicking components for good measure and whammo - you’re just another malware author. Golf claps all round. What strikes me more is how cliché it is. If someone were to ask me what the cheesiest malware I could conceptualize would be, it would definitely be composed of social-networking functionality and an interpreted language of some sort.
I suppose there aren’t points for originality with these things.
Matt McCormack, MMPC Melbourne