Modular Malware in a Nutshell
We are in an age of computing where programs keep growing: feature-rich at best, bloatware at worst. Malware is software too, and the developers who write it have access to the same development environments as the developers of legitimate software. They also realized that their malware was starting to become bloatware, as they kept bolting on more features whose only purpose was to bypass antimalware products. And we should not even start the discussion about how the antimalware industry kept on producing bloated antivirus and endpoint products for the last ten years.
The larger the malware, the easier it is to detect, both by antivirus products and by the keen observation of a highly experienced system administrator. So what did the authors do? They divided their big malware into smaller chunks: a main module contains "calls" that let it download a particular sub-module, and that sub-module performs the other tasks the malware needs. Here at Hackercombat.com, we have covered VPNFilter since last year, a malware that resides both on Windows machines and in the firmware of the user's home router.
VPNFilter survives the checks of antivirus software because it has the capability to export a part of itself, a sub-module, to the home router. Ten years ago, such a capability in malware was science fiction; it had to be developed so the malware could survive. Years ago there were cases of malware trying to hide itself in the BIOS firmware of the computer and of video cards. Malware authors cannot do that again so easily, as the BIOS gave way to today's UEFI (Unified Extensible Firmware Interface), which implements stricter checks on writes to its firmware area.
Typical recommendations such as rebooting the router will reduce VPNFilter's foothold, but its staged modular approach makes it difficult for any router to remain uninfected. Until the source PC is removed from the network, a router with flawed firmware will continue to be re-infected by the same malware. Even resetting the router will not do any good as long as the source of infection remains online. What VPNFilter started has continued: the start of 2019 marked the detection and identification of 150,000 modular malware samples in the wild.
Security researchers expect more modular malware in the coming months and years. The good news is that, because the sub-modules have to be downloaded from command and control (C&C) servers, authorities can shut down the physical servers for good. That would make modular malware a short-lived creation, or at least that is what we are hoping for. However, the world is more surprising than what meets the eye, and malware development does not happen in isolation. New malware, in fact thousands of new variants, is developed every single day. It is impractical to replicate the FBI's success in shutting down the C&C of every modular malware that will be discovered.
What are the practical ways to lessen the chance of contracting a modular malware? The practical answer is to practice safe computing habits:
- Be suspicious of pop-ups, pop-unders and website redirectors. These misbehaviours are what Google itself is trying to stop by building a new feature into Chromium-based browsers to auto-block such actions by any website. A well-behaved site will not use pop-ups, pop-unders or website redirectors.
- Never neglect firmware updates for your home router, operating system and any Internet-facing apps. These updates include the necessary and critical patches that prevent security vulnerabilities from being exploited.
- Never neglect establishing a credible backup habit. The backup target can be a network shared drive, a NAS box or even the cloud. It is also strongly recommended to encrypt the files locally before uploading them, to minimize the damage if the cloud provider gets hacked at any point.
- Establish a reliable SNMP-based monitoring system that can watch the ports and external IP addresses with which the network communicates over the public Internet. It is very costly for an organization to establish reliable SNMP monitoring, but it needs to be done; it is an investment worth making. It is much better to spend on security than to spend on damage control after a cyber attack.
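The last recommendation is where a modular malware is most visible to a defender: the main module must beacon to its C&C and then pull a much larger sub-module from a destination that the rest of the network never talks to. The following is an added example, not code from Hackercombat.com or from any VPNFilter analysis, of that detection logic run over a constructed set of outbound flow records; the log format, the IP addresses and the thresholds are all assumptions chosen for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample of outbound flow records (not from any real network).
# Fields: timestamp, internal host, external destination:port, bytes received.
SAMPLE_FLOWS = """\
2019-03-01T08:00:01 10.0.0.12 -> 93.184.216.34:443 in=5120
2019-03-01T08:00:03 10.0.0.15 -> 93.184.216.34:443 in=7300
2019-03-01T08:00:09 10.0.0.21 -> 93.184.216.34:443 in=6400
2019-03-01T08:01:10 10.0.0.21 -> 198.51.100.77:8080 in=240
2019-03-01T08:01:12 10.0.0.21 -> 198.51.100.77:8080 in=412000
2019-03-01T08:05:12 10.0.0.21 -> 198.51.100.77:8080 in=180
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+:\d+) in=(?P<inbytes>\d+)$"
)

def parse_flows(text):
    """Parse flow lines into dicts; lines that do not match the format are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append({"ts": m["ts"], "src": m["src"],
                          "dst": m["dst"], "inbytes": int(m["inbytes"])})
    return flows

def find_module_pulls(flows, max_hosts=1, beacon_max=1024, payload_min=100_000):
    """Return (host, destination, bytes) for every rarely-contacted external
    destination that delivers a large payload right after a small beacon.

    A destination reached by more than max_hosts internal hosts is treated as a
    shared service (a popular website) and ignored. Flows are assumed to be in
    chronological order, as a flow exporter would emit them."""
    per_dst = defaultdict(list)
    for f in flows:
        per_dst[f["dst"]].append(f)
    hits = []
    for dst, dst_flows in per_dst.items():
        if len({f["src"] for f in dst_flows}) > max_hosts:
            continue  # many hosts talk to it: looks like normal traffic
        for prev, cur in zip(dst_flows, dst_flows[1:]):
            if (prev["src"] == cur["src"] and prev["inbytes"] <= beacon_max
                    and cur["inbytes"] >= payload_min):
                hits.append((cur["src"], dst, cur["inbytes"]))
    return hits
```

On the constructed sample, the three hosts fetching from the shared 443 destination are ignored, while the single host that beacons to an unshared 8080 destination and then receives 412000 bytes is flagged as a probable sub-module download.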