Bugs in Malware Serve as Backdoor to Undo Damage
System Infection Can Be Prevented Using Flaws in Malware
Researchers at Zscaler say that malware is often prone to bugs and coding errors that can cause it to crash or serve as a backdoor for defenders to undo the damage it might have caused.
Zscaler researchers Nirmal Singh Bhary, director of Malware Labs, and Uday Pratap Singh, staff security researcher, presented the findings of a paper titled, "Bugs in malware - uncovering vulnerabilities found in malware payloads" at the VB2021 conference.
"Security researchers find ways to patch such bugs in products to make effective detection statically and dynamically. There has been a lot of research on anti-VM and anti-sandbox techniques and techniques for bypassing AV products, but we haven’t seen much on the opposite side: finding bugs in pieces of malware that stop them from spreading and infecting the system," the researchers note.
A spokesperson for Zscaler was not immediately available to provide additional details.
The researchers observed that malware may fail to validate the output of a queried API, or may be unable to handle different types of command-and-control response.
"Authors often develop malware according to their local environment and don’t take into consideration techniques that may be present in target environments, such as address space layout randomisation and data execution prevention, causing the malware to crash," the researchers at Zscaler note.
To explain multiple bugs and coding errors in malware, the researchers performed analysis on a data set of malicious samples collected from the Zscaler Cloud Sandbox based on a few behavior signatures, which included samples from late 2019 to March 2021.
Over this six-month period, the researchers found that over 8,800 of 500,000 samples marked as malware showed execution errors, a rate of 1.76%. The researchers also found several malware families sharing a common set of bugs in their code, and found that a single malware family can have multiple bugs, which security researchers can use to help victims.
"We found that not all, but a few bugs can be helpful in preventing or cleaning infection, stopping encryption and the spreading of malware if they are used as a kill-switch in a local system," the researchers note. "Malware authors are constantly upgrading their code and making it hard to analyse and detect using sandboxes and other security products. Sometimes such changes and enhancements lead to coding errors."
Bugs in Code
The researchers examined Vidar, also known as Vidar Stealer, a malware that steals information and cryptocurrency from infected users. Vidar derives its name from the ancient Scandinavian god of vengeance.
Besides credit card numbers and passwords, Vidar scrapes a selection of digital wallets. Researchers found 94 samples showing execution errors and uncovered three bugs that caused the malware to crash.
The first bug the researchers observed was an incorrect check of a function return value. The bug involves calling an API and performing an operation on its output without validating whether the call succeeded.
"The registry key is related to WinSCP software; Vidar steals stored credentials in a registry key. The stealer Vidar uses the RegGetValueA API to extract a password from the registry path, but it doesn’t verify whether the call was successful," the researchers note.
The stealer also tries to decrypt the password and makes a call to a runtime function with invalid parameters that results in the process crashing. "This can be used as a kill-switch by keeping the above registry entry empty and stopping infection for Vidar samples. This bug is part of CWE-253 and it has consequences such as unexpected state, DoS, crash, exit, or restart of the system," the researchers say.
The second bug the researchers identified is a shared buffer used by an API to perform multiple tasks, leading to an out-of-bounds write. The researchers found that in Vidar, an API uses the same buffer of restricted size both to download and to read the payload.
In a sample spotted in February 2021, the stealer downloaded config files from the C2 using the InternetReadFile Windows API. Each subsequent read lands in the same buffer, so if the downloaded data exceeds the defined 2,047 bytes, the later data corrupts what was downloaded earlier.
"In this case the malware will not be able to download the correct config file. This bug is a classic case of CWE-787 where malware writes data past the end of the buffer, which results in the corruption of data, a crash, or code execution," the researchers say.
The third and final bug was the detection of an absent string in the configuration without taking any action. The malware crashes if it is unable to download data from the C2, or if it cannot find a specific string ('about') in the downloaded data.
"Here, we refer to CWE-390, where the malware detects an error but doesn’t perform any action to prevent the consequences of the error, which may result in the sample crashing," the researchers say.
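To make the second and third bugs concrete for an analyst, here is an added example (not the researchers' code and not anything from the Vidar sample) that models the fixed-buffer read pattern with a mock stand-in for InternetReadFile, beside a correct appending reader and an explicit check for the "about" marker; mock_read, make_sample and the stream globals are assumptions for the demonstration.

```c
#include <stdlib.h>
#include <string.h>
#define BUF_SIZE 2047  /* fixed buffer limit quoted on the page */

/* Constructed in-memory stream standing in for the C2 download. */
static const char *g_src; static size_t g_len, g_pos;
static void reset(const char *src, size_t len) { g_src = src; g_len = len; g_pos = 0; }

/* Assumed stand-in for InternetReadFile: copies up to want bytes into dst,
 * reports the count in *got, and returns 0 once the stream is exhausted. */
static int mock_read(char *dst, size_t want, size_t *got) {
    size_t left = g_len - g_pos;
    *got = left < want ? left : want;
    memcpy(dst, g_src + g_pos, *got);
    g_pos += *got;
    return *got > 0;
}
/* Bug pattern from the page: every chunk lands at offset 0 of one fixed buffer,
 * so each read overwrites the previous one and only the final chunk survives. */
static const char *read_reusing_buffer(void) {
    static char buf[BUF_SIZE + 1];
    size_t got;
    while (mock_read(buf, BUF_SIZE, &got)) buf[got] = '\0';
    return buf;
}

/* Correct handling: append each chunk at its running offset in a growing buffer. */
static char *read_appending(void) {
    char *out = NULL, chunk[BUF_SIZE];
    size_t total = 0, got;
    while (mock_read(chunk, BUF_SIZE, &got)) {
        char *tmp = realloc(out, total + got + 1);
        if (!tmp) { free(out); return NULL; }
        out = tmp; memcpy(out + total, chunk, got);
        total += got; out[total] = '\0';
    }
    return out;
}

/* Third bug, handled: a failed download (NULL) or a config lacking the "about"
 * marker yields a false check instead of being passed on as if it were valid. */
static int config_has_marker(const char *cfg) { return cfg && strstr(cfg, "about"); }
/* Constructed sample config: the marker first, then pad bytes past BUF_SIZE. */
static char *make_sample(size_t pad) {
    size_t n = strlen("about=1;"); char *s = malloc(n + pad + 1);
    if (!s) return NULL;
    memcpy(s, "about=1;", n); memset(s + n, 'x', pad); s[n + pad] = '\0';
    return s;
}
```

With a sample shorter than 2,047 bytes both readers agree; the failure the page describes appears only once the download crosses that limit and the marker in the first chunk is overwritten.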