Good software made to do bad things by malicious authors

Writing malware is not hard, a conclusion supported by the tens of thousands of samples SophosLabs (and I’m sure other vendors) receive on a daily basis. Analysts and even machines are starting to get quite good at spotting such creations by fact of them attempting to hide their functionality [2], but what if the malicious behaviour is perpetrated by a legitimate program’s designed functionality?

This is much more of a problem since hiding in plain sight and data-driven malware functionality can often fool analysts into thinking the application is clean, meaning such trickery might go unnoticed at first glance.

One example is the NullSoft downloader, which is a legitimate installer yet can be scripted to perform a download to obtain malware components via the web.

Another more recent example is a WinRAR SFXer of the destructo-ware class – Trojans whose sole purpose is to destroy the infected system. By using the scripting capability of the SFXer [3] the Trojan can use the legitimate WinRAR engine to delete system files, yet appear totally benign to security software – but not to the keen observer or analyst!

In the above sample, a single zero-sized file is the content of the archive, yet the scripting facility tells the WinRAR engine to delete all files in the System folder, thus turning a seemingly good application into a nasty one.

So while not the fault of the vendors, such bending of legitimate software to perform malicious actions does show the ingenuity (and perhaps desperation) of the malware authors.