The dramatic increase of malware over the last five years might lead people to believe the Internet is being flooded by new malware. But, the reality couldn’t be further from the truth. Yes, there’s a ton of malware out there, but most of it is actually a Frankenstein-version that consists of chunks of code that have been pieced together from existing malware or publicly released vulnerabilities and tools. Marc Laliberte, one of WatchGuard’s threat analysts, recently wrote a column for Help Net Security explaining why hackers are so keen to recycle malware.
In short, he explains that hackers reuse malware code because it saves time and lets them focus on other ways to improve their malware, such as code obfuscation and detection avoidance. Hackers also reuse many attack methods like spear-phishing and malicious macros because they’re effective. And, there are many examples of prominent pieces of malware that are recycled or based on earlier strains. For example, here’s an excerpt from Marc’s article where he discusses the Reaper botnet.
(Reaper) borrows basic code from the incredibly effective Mirai botnet. The author of Reaper appears to have used Mirai as a platform, on which they built much more effective methods for both exploitation and launching attacks. Reaper’s additions to the Mirai source code include active exploitation of known IoT vulnerabilities and the use of the LUA programming language, allowing more sophisticated attacks than simple DDoS.
Hackers will also incorporate exploit code into their malware when it’s made public. Some of the exploits from the NSA dumps, carried out by the self-styled hacking group Shadow Brokers, were used in the NotPetya and WannaCry ransomworms less than a month later. Hackers also regularly use publicly released code intended for the security research community (such as the EDA2 and Hidden-Tear ransomware) and security pen testing tools like Mimikatz and Metasploit.
Want to learn more about malware reuse? Read Marc’s complete article on Help Net Security or learn more from this other recent Secplicity post.