Given the terrible last 12 months for data breaches, one can be forgiven for thinking malware authors are the most cunning code writers on the planet.
Not all of them, concludes Gabor Szappanos, principal researcher at Sophos Inc.’s lab in Hungary.
After analyzing a Microsoft Office exploit (CVE-2014-1761) announced last April, Szappanos and his team concluded in a report released this week that “malware groups have limited understanding of, or ability to modify with success, the initial exploit. Surprisingly, known APT (advanced persistent threat) groups showed less sophistication than more mainstream criminal groups.”
That doesn’t mean they weren’t skilled enough to deliver a payload, the report adds, which may be cold comfort to victims. But CSOs and vendors of IT security solutions may find the analysis informative.
“The fact that they are not the masters of exploitation doesn’t mean that they are any less dangerous,” says the report.
Anti-malware researchers have given these APT groups names like ‘Pitty Tiger’ (discovered last year but believed to have been working since 2011), ‘Plugx’ and ‘Inception’ after the exploits they use.
The idea of the Sophos exercise was to compare the skill of different malware author groups by looking at the attackers’ understanding of how to leverage an exploit.
CVE-2014-1761 had become the third most popular exploit for cybercriminals by the end of last year, the report says, able to infect nine versions of Office service packs from 2003, three versions of SharePoint 2010 and two versions of Office Web Apps.
In practice, however, only one (Office 2010 SP2 32-bit) was actually attacked.
The malware takes advantage of a Rich Text Format vulnerability: when a specially crafted RTF file contains more listoverride structures than Word expects, it overwrites a memory pointer, allowing an attacker to take control.
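A defender-side illustration of the structure described above, added here and not taken from the Sophos report: a small RTF control-word tokenizer that counts `\listoverride` groups and compares them with the file’s declared `\listoverridecount` value. The mismatch heuristic, the tokenizer and the sample RTF fragments are this example’s own assumptions, not the report’s detection logic.

```python
import re

# An RTF control word is a backslash, letters, an optional signed number and an
# optional single space delimiter. \listoverridecount5 is one control word, not
# \listoverride followed by "count5", so counting must work on whole words.
CONTROL_WORD = re.compile(rb"\\([a-zA-Z]+)(-?\d+)? ?")

def rtf_listoverride_stats(data: bytes) -> dict:
    """Return the declared \\listoverridecount and the number of \\listoverride groups."""
    declared = None
    groups = 0
    pos = 0
    while pos < len(data):
        if data[pos:pos + 1] == b"\\":
            m = CONTROL_WORD.match(data, pos)
            if m:
                word, num = m.group(1), m.group(2)
                if word == b"listoverridecount" and num is not None:
                    declared = int(num)
                elif word == b"listoverride":
                    groups += 1
                pos = m.end()
                continue
            pos += 2  # control symbol such as \{, \} or \' : skip it whole
            continue
        pos += 1
    return {"declared": declared, "groups": groups}

def looks_suspicious(data: bytes) -> bool:
    """Heuristic (assumption): more listoverride groups than the file declares."""
    stats = rtf_listoverride_stats(data)
    if stats["declared"] is None:
        return False
    return stats["groups"] > stats["declared"]

# Constructed sample fragments, not real malware: one consistent, one over-declared.
SAMPLE_OK = (b"{\\rtf1{\\*\\listoverridetable\\listoverridecount1"
             b"{\\listoverride\\listid1\\ls1}}}")
SAMPLE_BAD = (b"{\\rtf1{\\*\\listoverridetable\\listoverridecount1"
              + b"{\\listoverride\\listid1\\ls1}" * 3 + b"}}")

if __name__ == "__main__":
    for name, blob in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, rtf_listoverride_stats(blob), looks_suspicious(blob))
```

Real documents can legitimately disagree with their declared count, so treat a hit as a triage signal to be confirmed in a sandbox rather than a verdict.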
The first known sample that exploited the vulnerability was dubbed Cycoomer and was, if you will, the father of 15 variants.
The exploit is known to have been buried in official-looking documents, ads for used cars, travel advisories and project templates.
The researchers looked at how the original core was modified (changing the shellcode, for example) and whether the resulting variant worked or hung the application. In fact, 57 per cent of the modified CVE-2014-1761 samples Sophos tested didn’t work.
The bad news is many of the exploits included other malware as well, and they did work.
Briefly, they concluded that some authors knew what they were doing by modifying the original code. The fact that they missed opportunities “indicates they never completely understood the nature of this exploit,” the report concludes.
Szappanos admits in the report that the attempt to rate malware authors isn’t without flaws. Its methodology “clearly underestimates their skills” because malware writers reveal only as much as is needed to achieve an infection. But the company believes the exercise paints a good picture of how comfortable these particular authors are in the exploitation stage of malware creation.
When the created samples turned out to be non-working, it adds, that clearly indicates a point at which the authors reached their upper limit in understanding this exploit.