The topic of malware development isn’t just for threat actors. It’s critical that the good guys know how to develop malware at least as well as the bad guys do.
Before we get into the technical details of malware development, let’s first discuss what malware is, why malware development is such an important topic, and some other important details to help us get started.
First off: what is malware?
Disclaimer: I am not an expert malware developer. I’m an ethical hacker who, in the course of my learning, has discovered that there is a dearth of free resources on the subject of malware development. In my mind, this means that the bad guys have a leg up on defenders and the white hat community. I started taking detailed notes on malware development as I learned this topic, and decided to post them in the hope that they may be helpful to other folks interested in this sort of thing. Hopefully these notes will help to bring balance to the force in some small way.
What is Malware?
Malware is short for ‘malicious software’.
To be fair, on this website we are focused on developing malware for ethical purposes – so it’s debatable whether what we will be building is actually ‘mal’ware.
Wikipedia defines malware as:
“any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user’s computer security and privacy.”
Wikipedia, 2023
The digital world is rife with all kinds of malware – viruses, worms, trojans, etc. In the world of defensive cybersecurity, these different types of applications are classified and analyzed along with the threat actors associated with them. This helps defenders harden their security postures against the various kinds of malware, in order to avoid and mitigate potential damage.
Within the context of these notes, we won’t be creating any viruses that could land us in jail, and I would urge readers to be cautious about even accidentally distributing anything potentially malicious. Instead, we are primarily concerned with malware development for the purpose of penetration testing, red teaming, and advanced persistent threat (APT) simulation.
In order to assess how an organization would hold up against these types of advanced attacks, it’s necessary to test its defenses against them and thereby harden them.
Learning Malware Development
There are many reasons that people on the red team and blue team would want to learn malware development. The biggest is that it’s important to be able to understand and/or simulate the actions of skilled attackers.
Advanced persistent threats (APTs), in particular, are very skilled at what they do. They have few or no limitations regarding the types of attacks they launch or the amount of time or resources spent on a target. They may build their own tools, develop them in collaboration with other threat actors, or simply purchase them. They may also purchase and stockpile zero-day vulnerabilities. APTs often have great resources at their disposal, far greater than the budget most companies would be willing to spend on penetration testing.
The inevitable conclusion is that those of us who hack ethically need to acquire a skillset as close as possible to that of APTs. Even with a contract to perform a multi-week assessment, we will still be at a disadvantage compared with a threat actor who has months or years to target the same organization: a threat actor who can wait for a weakness to momentarily appear, create a backdoor, and then lie in wait for months or years.
We will always be at a disadvantage compared with APTs because we always operate with finite time, finite resources, and finite energy. The best we can do is upskill to the greatest extent possible in the hopes of reducing the damages caused by these inevitable attacks.
Think of malware development as real-life cyber ‘defense against the dark arts’.
What Malware Development Allows Us to Do
From a more down-to-earth perspective, malware development allows penetration testers to develop their own tools. Custom tooling can be difficult to detect because it is, by nature, unknown to security vendors. As a result, custom tools are unsignatured and unanalyzed, and can be crafted to evade many of the common detection mechanisms used by security solutions.
Perhaps even more importantly, when we develop our own malware, we learn exactly how it works. When it doesn’t work, we can see why and learn how to modify it to be stealthier or more capable. This isn’t unique to malware; writing code is always the best way to deeply understand what a program is actually doing. But when it comes to malware, we will be testing in lab environments that we modify as we learn to develop new features and techniques. This interaction between what is happening in our labs and in our code is key to developing a strong understanding of malware development.
AV and EDR Evasion
Modern malware development is largely focused on antivirus (AV) and endpoint detection and response (EDR) evasion.
This is because modern Windows systems ship with effective AV software, and EDR has become standard on Windows networks. The slightest hint of malware-like activity is likely to be discovered.
As a result, we as hackers need to up our game. Much of our focus will be on understanding and learning how to evade a variety of defensive measures. As we become more skilled, we will be able to adjust our tooling as needed and perform evasion using stealthier techniques.