Writing malware is not hard, a conclusion supported by the tens of thousands of samples SophosLabs (and, I’m sure, other vendors) receive on a daily basis. Analysts, and increasingly automated systems, are getting quite good at spotting such creations precisely because they try to hide their functionality, but what if the malicious behaviour is carried out through a legitimate program’s designed functionality?
This is much more of a problem: hiding in plain sight, with the malicious behaviour driven by data rather than by code, can fool analysts into thinking the application is clean, so such trickery may go unnoticed at first glance.
One example is the NullSoft downloader: a legitimate installer that can nonetheless be scripted to fetch malware components from the web.
Another, more recent example is a WinRAR SFXer of the destructo-ware class – Trojans whose sole purpose is to destroy the infected system. By using the scripting capability of the SFXer, the Trojan can use the legitimate WinRAR engine to delete system files, yet appear totally benign to security software – but not to the keen observer or analyst!
In the above sample, the archive contains nothing but a single zero-sized file, yet the scripting facility tells the WinRAR engine to delete all files in the System folder, turning a seemingly good application into a nasty one.
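The two observations above, that the SFX script rather than the archive contents carries the behaviour and that a destructive SFX can hold only a zero-sized file, suggest a triage check an analyst can run without executing the file: find the RAR payload inside the SFX executable, read the archive comment (where WinRAR stores the SFX script), and list the directives together with the file table. The script below is an added example for this post, not SophosLabs code or any WinRAR tooling. It assumes the RAR 3.x/4.x block layout (marker block, main header, `CMT` sub-block holding the comment, file headers, end block) and only reads the comment when it is stored uncompressed; a compressed comment or a RAR5 archive is flagged for a tool such as `unrar cw` instead. The `build_sample_sfx` function constructs a fake SFX (placeholder stub, zero CRCs) solely so the check can be run offline; the directive names are WinRAR's documented SFX commands, and the sample script mirrors the behaviour described above.

```python
import re
import struct

# Marker that opens a RAR archive; in a WinRAR SFX it follows the PE stub.
# RAR 3.x/4.x end it with \x00; RAR 5 uses \x01\x00 and a layout this walker does not parse.
RAR_SIGNATURE = b"Rar!\x1a\x07"

# RAR 3.x block types and header flags used below.
MAIN_HEAD, FILE_HEAD, NEWSUB_HEAD, ENDARC_HEAD = 0x73, 0x74, 0x7A, 0x7B
LONG_BLOCK = 0x8000     # header is followed by ADD_SIZE bytes of data
LARGE_FILE = 0x0100     # 64-bit sizes present, shifting the file name by 8 bytes
METHOD_STORE = 0x30     # data stored uncompressed

# WinRAR SFX script directives with the meaning an analyst needs for triage.
SFX_DIRECTIVES = {
    "Path": "sets the extraction directory",
    "Silent": "hides the extraction dialog",
    "Overwrite": "overwrites existing files without asking",
    "Delete": "deletes matching files before extraction",
    "Setup": "runs a program after extraction",
    "Presetup": "runs a program before extraction",
    "TempMode": "extracts to a temporary folder and runs Setup",
}
FLAGGED = {"Delete", "Setup", "Presetup", "TempMode", "Silent"}  # act on the host
DIRECTIVE_RE = re.compile(
    r"^(?P<key>" + "|".join(SFX_DIRECTIVES) + r")(?:=(?P<val>[^\r\n]*))?\r?$", re.M)
SYSTEM_DIR_RE = re.compile(r"SystemRoot|windir|\\Windows|System32", re.I)


def walk_rar3_blocks(data, start):
    """Yield (pos, type, flags, head_size, add_size) for each RAR 3.x block."""
    pos = start
    while pos + 7 <= len(data):
        head_type, flags, head_size = struct.unpack_from("<BHH", data, pos + 2)
        if head_size < 7:
            break  # corrupt header: stop rather than loop forever
        add_size = 0
        if flags & LONG_BLOCK and pos + 11 <= len(data):
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        yield pos, head_type, flags, head_size, add_size
        if head_type == ENDARC_HEAD:
            break
        pos += head_size + add_size


def analyse_sfx(data):
    """Locate the RAR payload inside an SFX executable and report what its script does."""
    report = {"is_pe": data.startswith(b"MZ"), "rar_offset": None, "files": [],
              "script": None, "directives": [], "findings": []}
    off = data.find(RAR_SIGNATURE)
    if off < 0:
        report["findings"].append("no RAR signature found")
        return report
    report["rar_offset"] = off
    for pos, head_type, flags, head_size, add_size in walk_rar3_blocks(data, off + 7):
        if head_type not in (FILE_HEAD, NEWSUB_HEAD) or pos + 32 > len(data):
            continue
        unp_size = struct.unpack_from("<I", data, pos + 11)[0]
        method, name_size = data[pos + 25], struct.unpack_from("<H", data, pos + 26)[0]
        name_off = pos + 32 + (8 if flags & LARGE_FILE else 0)
        name = data[name_off:name_off + name_size].decode("latin-1")
        if head_type == NEWSUB_HEAD and name == "CMT":  # archive comment = SFX script
            if method == METHOD_STORE:
                body = data[pos + head_size:pos + head_size + add_size]
                report["script"] = body.decode("latin-1")
            else:
                report["findings"].append("comment is compressed; dump it with 'unrar cw'")
        elif head_type == FILE_HEAD:
            report["files"].append((name, unp_size))
    for m in DIRECTIVE_RE.finditer(report["script"] or ""):
        key, val = m.group("key"), m.group("val") or ""
        report["directives"].append((key, val))
        if key in FLAGGED:
            report["findings"].append(f"{key}={val}: {SFX_DIRECTIVES[key]}")
        if key == "Path" and SYSTEM_DIR_RE.search(val):
            report["findings"].append(f"Path={val}: extraction targets a system directory")
    if report["files"] and all(size == 0 for _, size in report["files"]):
        report["findings"].append("only zero-sized files in the archive; the script is the payload")
    return report


# --- constructed sample (not a real malware sample; CRCs left at zero) -------

def _block(head_type, flags, body):
    return struct.pack("<HBHH", 0, head_type, flags, 7 + len(body)) + body

def _file_block(head_type, name, unp_size, pack_size, method=METHOD_STORE):
    # PACK_SIZE, UNP_SIZE, HOST_OS, FILE_CRC, FTIME, UNP_VER, METHOD, NAME_SIZE, ATTR
    body = struct.pack("<IIBIIBBHI", pack_size, unp_size, 2, 0, 0, 29, method, len(name), 0x20)
    return _block(head_type, LONG_BLOCK, body + name)

SAMPLE_SCRIPT = b"Path=%SystemRoot%\r\nSilent=1\r\nOverwrite=1\r\nDelete=*.*\r\n"

def build_sample_sfx():
    """Placeholder stub, RAR marker, main header, stored comment, one empty file, end block."""
    stub = b"MZ" + b"\x00" * 62 + b"[placeholder PE stub]"
    comment = _file_block(NEWSUB_HEAD, b"CMT", len(SAMPLE_SCRIPT), len(SAMPLE_SCRIPT)) + SAMPLE_SCRIPT
    one_file = _file_block(FILE_HEAD, b"readme.txt", 0, 0)
    return (stub + RAR_SIGNATURE + b"\x00" + _block(MAIN_HEAD, 0, b"\x00" * 6)
            + comment + one_file + _block(ENDARC_HEAD, 0, b""))

if __name__ == "__main__":
    for line in analyse_sfx(build_sample_sfx())["findings"]:
        print(line)
```

Running the module prints the findings for the constructed sample: the extraction path points at the system directory, `Silent` and `Delete` are present, and the only file in the archive is zero-sized, which is exactly the pattern the post describes. The same `analyse_sfx` can be pointed at the bytes of a suspect SFX executable; the design choice worth noting is that nothing is extracted or run, so the check is safe to apply at scale before any dynamic analysis.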
So while not the fault of the vendors, such bending of legitimate software to perform malicious actions does show the ingenuity (and perhaps desperation) of the malware authors.