Malware has plagued computing for the last three decades. Over that time two industries have formed: the anti-malware companies, which try to prevent and detect malicious code, and the malware authors, who market their services to spammers, rogue nations and organized crime. Both industries are very lucrative and both are well funded. This post focuses on the malware authors, their motives and the designs used in their trade.
In today's malware environment there are two distinct architectures that malware authors use to create revenue. At the most basic level, there is a series of stages that a malware author might write code for:
- Exploitation – utilizing a vulnerability in the software on the target systems to gain the capability to execute a payload.
- Infection – executing the malware payload.
- Control – gaining privileges or control of the target system.
- Persistence – installing code or functions that allow the payload to continue to function and prevent removal.
- Obfuscation – hiding the presence of the malware to prevent detection and subsequent removal.
- Propagation – continuation of the infection life-cycle by exploiting other targets.
All malware works on one or more (or even all) of these stages. The recent trend in the malware community has been to modularize the stages, giving the users of the code the ability to swap malware components in and out to increase the effectiveness of their campaigns.
Many of the in-the-wild malware packages are made of four components – an exploit module, a dropper, a rootkit and a virus, trojan or botnet client. This type of packaging covers all the stages of the lifecycle and can be dynamically updated after the initial infection by way of a phone-home or command and control function. The exploit only needs to be viable for the initial infections, after which it can be updated or replaced with newer exploits as they are discovered. The malware droppers which carry and conceal the payload are either executed immediately upon exploitation or are installed after a rootkit infection. These droppers can contain many different pieces of malware and are very effective at hiding their contents from anti-virus software. The rootkit component will determine how persistent the infection will be – the latest and greatest rootkits can be extremely difficult to detect and remove, sometimes requiring a complete re-imaging of the computer to wipe all remnants of it out.
The virus/trojan/botnet component of the package is the true payload; it is what gets the evildoer paid for all this work. Viruses help spread the package to build up the number of infected hosts, trojans help exfiltrate data from the infected systems, and botnets grant complete control of the system to a bot-herder or a hacker group to use as they wish. All three of these payloads can exist in a single package; sometimes more than one of each can be found in a single dropper.
These packages are usually created with kits that can be bought by hackers for very little (hundreds of dollars), and they can generate anywhere from $50 to over $1000 per infected host depending on the payloads involved. This money is paid by the profiteers behind the malware who gain the benefits of the infections – either the information on the infected systems, such as financial data, or the use of the systems for sending spam and/or hawking counterfeit goods and stocks to everyone on earth. Quite often the people responsible for the infections are working on an “Affiliate ID” commission-based compensation system. They are driven by numbers, not by who or what they infect.
There are also more specialized and targeted packages made for spear-phishing, used to infiltrate corporations and governments to further the attacker's agenda. The packages used in these attacks are normally constructed with a small payload and a more advanced rootkit. The exploits used in these packages are usually bleeding-edge: unpatched, or unknown to the software vendor whose product serves as the infection vector. These packages are quite expensive and can easily cost hundreds of thousands of dollars to construct for sophisticated attacks.