Not all malware authors are great coders, says report

Given the terrible last 12 months for data breaches, one can be forgiven for thinking malware authors are the most cunning code writers on the planet.

Not all of them, concludes Gabor Szappanos, principal researcher at Sophos Inc.’s lab in Hungary.

After analyzing a Microsoft Office exploit (CVE-2014-1761) announced last April, Szappanos and his team concluded in a report released this week that “malware groups have limited understanding of, or ability to modify with success, the initial exploit. Surprisingly, known APT (advanced persistent threat) groups showed less sophistication than more mainstream criminal groups.”

That doesn’t mean they weren’t skilled enough to deliver a payload the report adds — which may be cold comfort to victims. But CSOs and vendors of IT security solutions may find the analysis informative.

“The fact that they are not the masters of exploitation doesn’t mean that they are any less dangerous,” says the report.

Anti-malware researchers have given these APT groups names like ‘Pitty Tiger’ (discovered last year but believed to have been working since 2011), ‘Plugx‘ and ‘Inception’ after the exploits they use.

The idea of the Sophos exercise was to compare the skill of different malware author groups by looking at the attackers’ understanding of how to leverage an exploit.

CVE-2014-1761 had become the third most popular exploit for cybercriminals by the end of last year, the report says, able to infect nine versions of Office service packs from 2003, three versions of SharePoint 2010 and two versions of Office Web Apps.

In practice, however, only one (Office 2010 SP2 32-bit) was actually attacked.

The malware takes advantage of a Rich Tech Format vulnerability when a specially crafted RTF file contains more listoverride structures than Word expects to see and overwrites a memory pointer, allowing an attacker to take control.

The first known sample that exploited the vulnerability was dubbed Cycoomer and was, if you will, the father of 15 variants.

The exploit is known to have been buried official-looking documents, ads for used cards,

travel advisories and project templates.

It was how the original core was modified — changing the shellcode, for example — and whether the resulting variant was workable or hung the application is what the researchers looked at. In face 57 per cent of the samples of modified CVE-2014-1761  Sophos tested didn’t work.

The bad news is many of the exploits included other malware as well, and they did work.

Briefly, they concluded that some authors knew what they were doing by modifying the original code. The fact that they missed opportunities “indicates they never completely understood the nature of this exploit,” the report concludes.

Szappanos admits in the report the attempt to rate malware authors isn’t without flaws. Its methodology “clearly underestimates their skills” because malware writers want to only reveal as much as needed to do an infection. But the company believes the exercise paints a good picture of how comfortable these particular authors are in the exploitation stage of malware creation.

When the created samples turned out to be non-working, it adds, that clearly indicates a point at which the authors reached their upper limit in understanding this exploit.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now