Saturday, September 12, 2009

Exposing Malware - Part 1: Efficiency

Code bloat has reached epic proportions lately. The latest Windows version (Windows 7) comes on a DVD because the installation is 2.6Gb (or so) in size. Does anyone remember the days when an operating system was <100Mb? I know, I know... we've got cool graphics now, and sounds and multi-threading and preemption and other neato features... but really? 2.6Gb for an OS?!

I bring this up because this is the first part in a series of articles about malware. Malware, no matter what you call it - scare-ware, malware, adware, viruses... whatever - is malicious software that's built for the purpose of extracting money from you somehow. Here's the crazy thing about malware... once you get over the fact that it's evil, you can't help but be quite impressed with the features.

First off... the programs some of these coders crank out rival anything Redmond, or just about any other shop, puts out. I've recently run across a piece of software, called a packer, which at a mere 52kb (with GUI) could fundamentally make any nasty piece of code absolutely undetectable. This isn't some command-line tool either; it is a fully-featured, GUI-driven encryption/obfuscation utility that has an absolute cornucopia of features. I am impressed.

It seems that although your average developer has lost the ability to make code efficient and small... the guys and girls writing the nasties out there are getting better and better at it. Why, you ask? Let's look at the reasons we'll cover in much greater detail in the upcoming series of posts...
  1. Stealth - If you're distributing malware, you don't want to get caught. The object of infection is to hold the machine once it's infected... and keep making money for the infector. A big part of this plan is being stealthy enough that the code you've dropped onto the host machine is not detected... this involves encryption, obfuscation and other interesting methods to be discussed later.
  2. Speed - Bloated code runs slow. Slow-running code takes longer to execute on the host, whether we're talking CPU cycles or memory footprint... and this increases the chance that the [hopefully] resident anti-malware engine catches it. This is bad, obviously, so speed optimization is important.
  3. Efficiency - Efficient code seeks to minimize externalities, such as DLLs, libraries, config files, etc... again, decreasing the likelihood of being detected. Malware detection engines often rely on heuristics which watch processes and their behaviors... if you start tripping too many externalities... you're more likely to get caught.
So the important lesson here, from people who write evil code, is to be small, efficient, fast, and stealthy. Set the stealth component aside... why can't all code, like that which runs my operating system, be small, efficient, and fast? Perhaps there is plenty to learn here as we dig deep into the rabbit-hole of malware?
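One of the heuristics a detection engine can turn against the packers described above, written here as an added example (not code from the original post): a compressed or encrypted section is nearly random, so its byte entropy sits close to 8 bits per byte, while plain code does not. The minimal PE section-table parser, the two sample images and the 7.0 threshold are all constructed for this illustration and are not taken from any vendor's engine.

```python
import math
import random
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain x86 code sits around 5-6.5, compressed or encrypted data near 8."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes):
    """Minimal PE walk: yield (name, raw bytes) for each entry in the section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    _machine, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    off = e_lfanew + 24 + opt_size           # section table follows the optional header
    for _ in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        yield name.rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size]
        off += 40                            # IMAGE_SECTION_HEADER is 40 bytes

def section_entropies(image: bytes):
    return [(name, round(shannon_entropy(raw), 2)) for name, raw in pe_sections(image)]
def looks_packed(image: bytes, threshold: float = 7.0) -> bool:
    """Heuristic verdict (threshold is an assumption): a near-random section is likely a packed payload."""
    return any(ent >= threshold for _, ent in section_entropies(image))

def build_sample_pe(sections):
    """Constructed test fixture only: MZ stub, PE signature, COFF header (no optional header), sections."""
    e_lfanew = 0x40
    data_off = e_lfanew + 24 + 40 * len(sections)
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    body = b""
    for name, raw in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000, len(raw), data_off + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw
    return bytes(hdr) + body

PLAIN_CODE = b"\x55\x8b\xec\x90" * 64                        # constructed low-entropy "code" bytes
_rng = random.Random(7)                                       # fixed seed so the sample is reproducible
PACKED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))  # constructed stand-in for an encrypted payload
CLEAN_IMAGE = build_sample_pe([(b".text", PLAIN_CODE), (b".data", PLAIN_CODE)])
PACKED_IMAGE = build_sample_pe([(b".stub", PLAIN_CODE), (b".pack", PACKED_BLOB)])
```

On real binaries the same check raises false positives on legitimately compressed resources, so it is a triage signal to combine with the behavioral heuristics mentioned above, not a verdict on its own.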


ekse said...

You are contradicting yourself Rafal, those malware pieces are small because they use services made available by the platform. Were the OS smaller, the malware would have to implement some of these services and would then be bigger.

But granted, OSes are getting huge: my Windows 7 C:\Windows folder takes 6Gb; that's a sh*tload of code.

Raf said...

@ekse: I disagree. These pieces of malware (at least the ones I've been researching) are entirely self-contained. They do not branch and pull in system DLLs, or any other resources from the OS...