I love malware, I really do. And let’s face it, malware gets a really bad rap! After all, it’s evil, it’s vicious, and no one wants it, right? Hmmm…that’s funny, cuz I download as much of it as I can! It fascinates me, almost to the point of getting me in trouble with one of my Supervisors. Yup. As it was so delicately explained to me, “Mary Ellen, malware to you is like a needle to an addict. I can remove the drug but the needle is still stuck in your vein.” There’s a back-story to that which I won’t bore you with, but it was all in good fun mind you, he was absolutely right-on with his assessment and here's why. I was way too focused on commodity malware, meanwhile behavioral hunt-work such as lateral movement and looking for good-tools (#Goodware) being used for bad was taking too much of a backseat. But, I digress.
So why do I enjoy looking at malware so much anyway? Well, it’s smart enough to sneak through a ton of sensors (like a good pen-tester), and occasionally it’s very well written. OK, so where am I going with all of this?
I was recently discussing a custom piece of “malware” that a co-worker had written, and as he was describing it to me, my mind was racing to a million different places. What a cool piece of code! Most of the a/v engines were calling it malware, but it was really just a cleverly crafted program that wasn’t evil at all. Yes, it stopped a process to inject something then started it back up again, but it didn't do anything malicious per se.
OK, OK, so the hardcore malware entomologists amongst the group could argue that in fact that’s actually not malware to begin with, it’s #goodware…but the end-point solutions are all whacking it due to its “malcode”, so doesn’t that make it malware? If malware was strictly defined by heuristics, maybe, but that could lead to too many false positives.
What’s my point? Whatever you want it to be. If your take-away is simply to think about “good code” vs. “malcode” then maybe that’s beneficial to you. If you’re now wondering about or reevaluating your current security controls and why those solutions are allowing grayware or adware into your enterprise, then maybe that’s helpful also. And BTW, what files does your organization currently allow or block? Do you allow zips? If so, do you block zips if they're encrypted? Or, maybe you filter zips by file-type content, like .exe, .js or .scr inside of a zip (of course one could manually change the file extensions to bypass)? Additionally, are there files that you block as attachments straight-up such as .doc, .docm, .rtf or .xls?
I wrote the above blurb earlier in the week but didn't have a chance to post it, and just today a friend sent me a link to a FAR BETTER post, so check that one out too!