Hackers reusing and improving existing malware
Software developers usually reuse code wherever possible, and hackers are no exception. While we often think of different malware strains as separate entities, the reality is that most new malware recycles large chunks of source code from existing malware, with some changes and additions (possibly taken from other publicly released vulnerabilities and tools).
Examples of hackers reusing and improving existing malware
The Reaper (or IoT Troop) botnet, first discovered in October by researchers at Check Point, is an excellent example of hackers reusing and improving existing malware. It borrows basic code from the incredibly effective Mirai botnet. The author of Reaper appears to have used Mirai as a platform on which they built much more effective methods for both exploitation and launching attacks. Reaper’s additions to the Mirai source code include active exploitation of known IoT vulnerabilities and the use of the Lua programming language, allowing more sophisticated attacks than simple DDoS.
Here’s another example. Earlier this year, a hacktivist group known as the Shadow Brokers publicly released exploit source code stolen from the NSA. Among the source code were several zero-day vulnerabilities targeting Microsoft Windows’ SMB file sharing service. Within a month, attackers repurposed the leaked source code to turn ransomware into ransomworms in the WannaCry and NotPetya attack campaigns. These new ransomware variants showed us how attackers can quickly recycle new attack methods and exploits with devastating results.
Last year, a Turkish security researcher published two open source ransomware variants, EDA2 and Hidden-Tear, for educational purposes. As one might expect, attackers quickly used the source code to create their own ransomware variants within weeks of its initial release, including RANSOM_CRYPTEAR, Magic Ransomware, and KaoTear. These variants mostly used the same base encryption process, changing only the ransom note, the command and control connection, and in some cases the propagation routines. This illustrates how quickly hackers can repurpose public code for their own benefit.
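The flip side of this reuse, for defenders, is that variants which only swap the ransom note, the C2 address and a few names keep most of the original code structure, which makes shared lineage measurable. The following is an added example (not code from the article, and not real malware): it normalizes away string and numeric literals, shingles the remaining tokens, and scores Jaccard overlap between constructed, harmless pseudo-listings; the sample listings, the `shared_lineage` threshold and all names in it are assumptions for illustration.

```python
import re

# Constructed pseudo-listings standing in for a "base" sample and two others.
BASE = '''
def encrypt_files(root, key):
    for path in walk(root):
        data = read(path)
        write(path + ".locked", aes_encrypt(data, key))
    beacon("c2-base.example.invalid", 443, key)
    drop_note("Your files are encrypted. Pay 1 BTC.")
'''
# Variant: only the extension, C2 host/port, note text and one name changed.
VARIANT = '''
def encrypt_files(root, key):
    for path in walk(root):
        data = read(path)
        write(path + ".kaot", aes_encrypt(data, key))
    beacon("c2-variant.example.invalid", 8080, key)
    show_ransom("All your data is locked. Pay 2 BTC.")
'''
# Unrelated code with a superficially similar loop structure.
UNRELATED = '''
def sync_folder(src, dst):
    for name in listdir(src):
        if changed(src, name, dst):
            copy(join(src, name), join(dst, name))
    log("sync done", len(listdir(src)))
'''

_STRING = re.compile(r'"[^"]*"|\'[^\']*\'')
_NUMBER = re.compile(r'\b\d+\b')
_TOKEN = re.compile(r'[A-Za-z_]\w*|[^\s\w]')

def normalize(listing):
    # Collapse string and numeric literals so ransom notes, hostnames and
    # ports do not influence the score; keep identifiers and punctuation.
    text = _NUMBER.sub('NUM', _STRING.sub('STR', listing))
    return _TOKEN.findall(text)

def shingles(tokens, n=4):
    # Overlapping n-grams of tokens capture local code structure.
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}

def similarity(a, b, n=4):
    # Jaccard index over token shingles: 1.0 means identical structure.
    sa, sb = shingles(normalize(a), n), shingles(normalize(b), n)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)

def shared_lineage(a, b, threshold=0.5):
    # Assumed threshold; tune against known families before relying on it.
    return similarity(a, b) >= threshold
```

Real-world triage would apply the same idea to disassembled functions or opcode sequences rather than source text, but the literal-insensitive comparison is what lets a renamed note or new C2 host leave the score largely untouched.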
Reusing general attack methods
Malware code isn’t the only place where hackers reuse code. They also reuse general attack methods wherever possible. Beginner hackers, or ‘script kiddies’ as they are usually called, rely on pre-built tools and attack methods to make up for their own lack of knowledge. Tools like Rapid7’s Metasploit framework are great for legitimate security researchers performing penetration tests for clients, but are also loved by novice hackers who are up to no good. Rapid7 isn’t the only vendor to face this conundrum; the entire penetration testing industry is built on tools that are developed for professionals but used equally by criminals. Ultimately, security professionals have a legitimate need for penetration testing tools, which means those tools are here to stay.