One of the things sorely lacking in the industry is a reliable, standardized index for rating the weaponization of malware. Security vendors are typically too overwhelmed and/or too lazy to do this in the capitalistic bubble they call their business plan. Malware analysts such as myself have seen this obvious need for a while now. This rating system applies (pardon the hype buzzwords) to APT, targeted attacks, advanced obfuscation and protection tools, and cybercrime banking malware alike. In the end they all ‘mostly’ build into their design some type of hopefully advanced mechanism to circumvent host hardening, exploit prevention mechanisms, network detection and host detection. They also implement highly advanced anti-analysis and obfuscation (armoring) techniques. The list goes on and on. However, there is no standard for this and not much debate, so I am proposing the following.

WEAPONIZATION INDEX Scoring System for Malware

A Malware Weaponization Index is calculated to indicate the level of sophistication and the advanced techniques leveraged to avoid detection, achieve persistence, maintain survivability, and prevent remediation, along with an assessment of the preciseness of organizational and informational targeting and the sophistication of its propagation and exploitation vectors, such as code exploiting 0-day vulnerabilities. This will help support triage operations for analysis, such as dealing with APT, highly customized code, or advanced botnets.

Each of these categories is given a weighted rating, culminating in an overall score. As techniques become more mainstream and commonplace, or out of date, they drop off the scale and new techniques are added.

  • Percentage of custom developed code versus code reuse
  • Number of exploitable vulnerabilities in the malcode
  • Number of software development flaws
  • Percentage of optimized versus inefficient code
  • Use of advanced rootkit techniques, Direct Kernel Object Modification (DKOM), malicious hypervisors
  • Encryption robustness evaluation (XOR versus AES, RC5, Public/Private key)
  • Usage of code integrity checking
  • Awareness of operation in virtualized or sandbox environments
  • Implementation of attacks against custom or little-used software
  • Implementation of highly advanced anti-debugging techniques
  • Custom targeting of narrowly focused data sets (automatic searching for critical keyword-based content)
  • Implementation of custom code packing techniques
  • Implementation of virtualized packers
  • Awareness of hypervisor monitoring
  • Malware that runs completely from memory
  • Malware that is designed to foil memory forensics
  • Malware that protects its critical data such as encryption keys in memory
  • Malware implements destructive or highly disruptive capabilities
  • Malware that armors itself against inspection and hooking techniques
  • Malware that utilizes secure deletion techniques to foil disk-based forensics
  • Malware that runs in the kernel using little-known native functions
  • Malware that uses unique and innovative persistence techniques
  • Malware developed in languages not commonly used
  • Level of sophistication in metamorphic and polymorphic techniques
  • Level of detection based on AV scanning
  • Any hardware-based embedded attacks such as Cisco routers, wireless infrastructure
  • Any exploits against real-time operating systems or weapons platforms
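
A minimal sketch of how such a weighted index could be computed, including criteria that drop off the scale once they become commonplace. This is an added example, not part of the original proposal: the criterion names are a constructed subset of the list above, and the weights, the 0-5 rating scale and the 0-100 normalization are all assumptions.

```python
from dataclasses import dataclass

MAX_RATING = 5  # assumed analyst scale: 0 (absent) .. 5 (state of the art)

@dataclass(frozen=True)
class Criterion:
    name: str
    weight: float          # assumed; the post publishes no weights
    retired: bool = False  # technique became commonplace and dropped off the scale

# Constructed subset of the criteria listed above, with assumed weights.
CRITERIA = [
    Criterion("custom_code_ratio", 2.0),
    Criterion("rootkit_dkom_hypervisor", 3.0),
    Criterion("encryption_robustness", 2.0),
    Criterion("sandbox_vm_awareness", 1.5),
    Criterion("memory_only_execution", 2.5),
    Criterion("zero_day_exploitation", 3.0),
    Criterion("single_byte_xor_packing", 1.0, retired=True),
]

def weaponization_index(ratings, criteria=CRITERIA):
    """Return (index on a 0-100 scale, names of active criteria left unrated)."""
    unknown = set(ratings) - {c.name for c in criteria}
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    active = [c for c in criteria if not c.retired]
    score, unrated = 0.0, []
    for c in active:
        if c.name not in ratings:
            unrated.append(c.name)  # counts as 0, so the index is a lower bound
            continue
        r = ratings[c.name]
        if not 0 <= r <= MAX_RATING:
            raise ValueError(f"{c.name}: rating {r} outside 0..{MAX_RATING}")
        score += c.weight * r
    # Normalize against active criteria only, so retiring one rescales the index.
    ceiling = MAX_RATING * sum(c.weight for c in active)
    return round(100 * score / ceiling, 1), unrated

# Constructed analyst ratings for one sample; zero_day_exploitation not yet assessed.
SAMPLE_RATINGS = {
    "custom_code_ratio": 4, "rootkit_dkom_hypervisor": 5,
    "encryption_robustness": 3, "sandbox_vm_awareness": 2,
    "memory_only_execution": 0, "single_byte_xor_packing": 5,
}

if __name__ == "__main__":
    print(weaponization_index(SAMPLE_RATINGS))
```

Reporting the unrated criteria alongside the score lets a triage queue distinguish a genuinely low index from an incomplete analysis.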

An attack vector currently in vogue is exploiting legitimate websites, for example via SQL injection attacks, to plant hostile IFrames into the website's pages, sometimes all of them. The IFrames are invisible because their dimensions are set to 0x0. The content of these IFrames is JavaScript that bounces to other IFrames over and over and finally winds up at a site hosting a malicious webpage constructed to identify user agent settings (i.e., what browser you are using) and then run a version/product/platform/geographic-region-specific series of exploits against the user's system, which has unpatched vulnerabilities either in the OS or browser or, as is now the trend, in ancillary applications such as browser helper ActiveX objects and file parsers such as Flash, JPEG, QuickTime.
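
For site owners checking their own pages for this kind of injection, the 0x0 IFrame described above can be flagged statically. The following is an added example, not code from the original post: the sample HTML and the `injected.example` host are constructed, and the check covers only width/height set through HTML attributes or inline style.

```python
import re
from html.parser import HTMLParser

# A dimension counts as zero if it is 0, 0px, 0.0, 0%, and so on.
ZERO = re.compile(r"^0+(\.0+)?(px|pt|em|%)?$", re.I)
# width/height declarations inside an inline style attribute (not max-width etc.).
STYLE_DIM = re.compile(r"(?:^|;)\s*(width|height)\s*:\s*([^;]+)", re.I)

class _IframeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (line number, src) for each 0x0 iframe

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attr = {k: (v or "").strip() for k, v in attrs}
        dims = {k: attr[k] for k in ("width", "height") if k in attr}
        # Inline CSS overrides the HTML attributes when both are present.
        for prop, val in STYLE_DIM.findall(attr.get("style", "")):
            dims[prop.lower()] = val.strip()
        # Flag only when BOTH dimensions are zero, as in the attack described.
        if all(ZERO.match(dims.get(k, "")) for k in ("width", "height")):
            self.hits.append((self.getpos()[0], attr.get("src", "")))

def find_zero_size_iframes(html):
    """Return [(line, src)] for every iframe rendered at 0x0."""
    scanner = _IframeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits

# Constructed sample page: one legitimate frame, two injected 0x0 frames,
# and one frame with only a single zero dimension (not flagged).
SAMPLE = """<html><body>
<h1>Store</h1>
<iframe src="/widgets/map.html" width="600" height="400"></iframe>
<iframe src="http://injected.example/in.php" width="0" height="0" frameborder="0"></iframe>
<IFRAME SRC="http://injected.example/b.html" style="border:0; width:0px; height:0px"></IFRAME>
<iframe src="/ads/banner.html" width="0" height="90"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, src in find_zero_size_iframes(SAMPLE):
        print(f"line {line}: zero-size iframe -> {src}")
```

This inspects served markup only; frames written into the page by script at render time need a check against the rendered DOM instead.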

Sometimes it takes a whole organization to set this up, but there are entire packages that enable this crimeware to work and even report back to the operator (enterprise-reporting style, via digital dashboards). Fortunately there is a lot of competition now and access to these kits is getting easier. They typically rely on PHP and other scripting languages with a typical database backend.

When this whole enchilada works, however, you basically have organizations PWNing their own customers and facilitating the theft of their information. Each victim that visits the site gets a nasty little downloaded piece of malware, most likely packed to get around their antivirus, injected into their explorer.exe process to evade firewalls, and opcode-instructed via shellcode to do a reverse shell out of their organization or dump additional modular capabilities. All in all, it's an ugly day.

Some of these are even under the guise of intellectual property protection.
