Next Generation Malware - Just a Thought
30 November 2013
In 1983 Matthew Smith wrote the computer game Manic Miner for the ZX Spectrum. It was Britain’s first software blockbuster game, and he was 17 years old when he wrote it alone. He said in an interview in 1983, “I think it's going to get to a stage where one person can't write a whole game”. He was partly correct in his prediction. Some games are still developed by one person, but in 2011 it was revealed that over 500 developers had worked on the game Call of Duty. Activision publishing executive vice president Dave Stohl said, "It takes a village in this case", when referring to the number of developers involved.

Around the same time, in 1981, a program called Elk Cloner became possibly the first personal computer virus to appear outside a contained development environment. Elk Cloner was written by Richard Skrenta. Since Elk Cloner we have seen a steady increase in the sophistication of malware. In June 2010 Stuxnet was discovered. It was the product of nation-state-sponsored development, and was one of the most sophisticated pieces of malware seen at that date. Symantec estimated that the group developing Stuxnet would have consisted of anywhere from five to thirty people, and would have taken six months to prepare. The malware community in general has also seen collaborative work. However, I don't believe we have seen anything near what large-scale managed code contribution will produce in the 'malware kit' space.

Malware kits essentially allow the user to easily create targeted malware and deploy an end-to-end malware or exploit campaign. This is typically done via a GUI. Features such as the target, the payload and the type of information to be stolen are normally selected from option menus. Once the options are selected, the malware kit produces and deploys the malware campaign. Reporting features allow the user to monitor the progress and success of the campaign. Other tools allow variants of existing malware to be produced, making it difficult for anti-virus vendors to maintain timely signature updates. Such tools are responsible for the growth of malware and the increasing ineffectiveness of anti-virus products. Anti-virus remains an absolutely essential part of a layered security defence model, yet a leading anti-virus vendor reported that since April 2013 it has detected 100,000 new malware samples daily.

I don't believe that the sophistication of Stuxnet and its development is the reserve of nation states. Nor do I believe that such sophisticated attacks will be limited to those with the skill to code or manage the development of such sophisticated malware. The future advancement of malware kits could put the sophistication of Stuxnet in the hands of anyone and everyone. Professionally developed malware kits have been available for some years now. MPack, for example, an early commercial-grade malware kit, came with 12 months' technical support. The developers of MPack didn’t use the tool themselves but instead sold the product to generate a revenue stream. The business model around MPack and more recent malware kits is similar to that of commercial software products: you buy or rent what you use, as well as the modules and functionality you require. For example, you may pay extra for anti-virus evasion modules or encryption modules should you require them. Just like commercial software, in some instances advanced malware kits stop functioning once the rental period has expired.

What we have also seen in the evolution of malware is the separation of activities and disciplines. In the early days of malware a single person would write the code, deploy it, capture the information from the target and then, in many cases, personally use that information to perpetrate fraud. The industry then observed people writing malware and selling it for others to use. Those buying the malware then used it to steal information from individuals and businesses. That information would then be sold to an end user who would use it for its final purpose, generally fraud.

Having an interest in futurology, I often relate the advancement of mature areas of technology to new and developing areas of technology. I always try to visualise how new and recent technologies will develop in the future. When I thought about the development of video games, it struck me that malware is actually in its infancy compared to video games. Where will malware be in future, I asked myself? More specifically, will we see malware kits with the quality and detailed engineering of full production games like Call of Duty?

Malware coders have been available for hire for some time now, as have adverts to recruit them. Cyber crime and malware sophistication are rapidly increasing. There is no reason to believe that underground crowd-sourcing of specialist malware component development won't be a conduit to the 'next generation' of malware kits. Whether or not we see the participation of 500 developers remains to be seen, but with large-scale distributed development, collaboration tools, capable coders emerging in less affluent parts of the globe and tough global economic conditions, I believe the next generation of malware is on its way.

This notion of 'next generation malware kits' would deliver malware with the sophistication of Stuxnet into everyday use against individuals and businesses. The worrying point is that such sophisticated malware will be produced rapidly, within minutes, by very well engineered enterprise-grade malware kits. More worryingly, anyone with the inclination but not necessarily the technical skill will be able to deploy it, either for profit or simply for malicious thrill.

varlogsecurity blog
The place where I share my personal opinion and observations on the world of IT security.

© 2013

Modified heading photo. Original photo by Rick Audet. Creative Commons Attribution