Malware’s success relies on the ability to remain stealthy, and the authors of malicious programs go to great lengths to make that happen, while also ensuring that their identity remains hidden.
As a general rule, malware developers tend to avoid contact with security researchers to avoid stepping into the spotlight, but this rule can be broken occasionally. Having worked before with software developers, I know how keen some are about correctly presenting the capabilities of their creations. At the time, that made perfect sense, because an application’s popularity (and sometimes price) is influenced not only by the included capabilities and looks, but also by accurate reviews.
It was surprising to see there are malware developers who would come out of the shadows to voice discontent regarding a report on their “product.” However, such developers exist, and the creator of a piece of mobile malware called Bilal Bot is one example. Seeing that IBM’s report on the malware is outdated, the author decided to contact the security firm to address this.
Bilal Bot was detailed back in April, alongside other mobile malware targeting Android, when researchers suggested that it was less sophisticated than its competitors GM Bot and KNL Bot, and that it was also cheaper. Now the malware developer says that, because the product moved from the beta state it was in April, its feature list and price changed, and IBM’s report should be updated. Moreover, the developer said he was open to an interview about the malware, IBM reveals.
Usually, when a developer requests an update to a report on their software specifically to bring new features into the spotlight, it means they want to increase the buzz around the program, and this is exactly what Bilal Bot’s developer seems to have attempted here as well.
As it turns out, however, this case represents an exception to the rule, as most malware developers would rather stay in the shadows than talk to security researchers. Most don’t like the kind of publicity security reports provide, because these reports don’t allow malware developers to stay under the radar, a malware hunter said, responding to SecurityWeek inquiry.
The security researcher also told us that malware creators would leave messages in their code if they want to, but that they would normally try to avoid attention from the anti-virus/security community, because it could hurt their business. What’s more, he says, threats that make it constantly to the headlines evolve to better avoid detection, so reporting on malware could turn into a double-edged sword.
Cybercriminals would certainly use anything to increase their legitimacy, including abusing security reports as “social proof,” Heimdal Security’s Andra Zaharia tells SecurityWeek. Although it’s still surprising that Bilal Bot’s creator adopted this behavior, it’s clear that a malware developer exhibiting the characteristics of a legitimate business owner would want their product to be correctly portrayed, otherwise pricing would be impacted.
Instead of abusing news reports for fame, cybercriminals usually go quiet after security researchers report on their creations, Maya Horowitz, Group Manager, Threat Intelligence at Check Point, told SecurityWeek.
“We have seen malware disappear after our reports, as in the case of the Nuclear Exploit Kit this last spring. Most recently, we saw the Cerber ransomware developers adapt to counter our research and decryption tool. The developers even left a message to anyone using our decryption tool, saying that they had modified the malware. Usually malware developers try to lower their profile after the malware is revealed and attempt to upgrade it to avoid discovery,” Horowitz says.
However, she does agree that security reports can be abused as well, because “breaches demonstrate the malware’s efficiency.” Stuxnet, she says, is a great example of how hackers can learn from reports about other malware and implement the same tactics in their own products.
Kaspersky Lab’s Anton Ivanov, senior malware analyst, also believes that threat actors always keep an eye on security blogs to find new techniques for their malware. Thus, as soon as detailed information about a vulnerability is published, an increase in the usage of that vulnerability can be observed, he says.
Security reports, Ivanov says, tend to be bad advertising for the malware, because that malicious program becomes known to security researchers. However, he also reveals that malware developers would sometime contact Kaspersky via embedded data, “which is usually encrypted and located in some part of malware module.” These messages, he says, usually contain greetings to researchers, and one came from Angler’s developers, located in FLV exploit.
However, not all such messages are greetings, as Emsisoft Malware Lab’s researches have often discovered. Most recently, angry with the researcher’s ability to break the encryption of their ransomware called Apocalypse, the creator of this threat decided not only to include abusive comments in the malware’s code, but also to rename the malicious program to “Fabiansomware.” The coder’s hate was focused at Fabian Wosar, Emsisoft CTO and head of the company’s Malware Research Lab.
For security researchers, the fact that malware authors include abusive messages in their code comes as an acknowledgement of their work. Thus, researchers will continue to report on new and updated malware, regardless of whether developers are dissatisfied with how their malware is portrayed or are unhappy that they made it to the headline.
“We believe it’s crucial to inform Internet users, whether home users or people involved in companies, of emerging cyber threats. It’s not only about building awareness, but it’s also an essential tool to help people learn how to get protected,” Andra Zaharia said. “We believe that spreading correct and relevant information about new and improved malware is an important part of helping people become more aware of the issue and its potential impact.”
The general consensus is that while security researchers will continue to publish relevant information about discovered threats, already established malware families will continuously evolve in their attempt to avoid detection. Their developers will certainly try to stay as hidden as possible. Hungry enough for attention, newcomers might contact security researchers to point out incorrect reports, but the battle with malware remains mostly a silent one.
By Ionut Arghire