
Hello. I was going to ask if everyone can hear me, but I think yes. Okay, so let's get started. Hi everyone, I am Lena. Today I'm going to do a talk on (Un)natural Selection: The Evolution of Malware. So, just a little self-intro here. I am Lena, my handle is LambdaMamba, and I'm the founder of World Cyber Health and the founder of M Village. I'm also the creator of Malmons, also known as Malware Monsters. Actually, before I ventured into the field of malware analysis, I was a RISC-V and trusted execution environment researcher, which meant that I dealt a lot with the lower levels of computing.

This is something that, as a malware analyst, lets me look at things from a different perspective. For example, when I did compiler research and optimization, this gave me a unique perspective when I researched malware. As mentioned here, I make Malmons, which also means I draw these by hand, like cartoons. Something I like to say often, especially given that I come from a compiler research background, is: what makes a good compiler? It's the ability to translate high-level language into low-level language within the least amount of instructions possible while still maintaining its meaning. Similar to cartoons, you're trying to express some really complex concepts in cartoon form while still maintaining their charm. This kind of skill is something that is applicable not just to cyber security but to anything in general. I am going to go much deeper into this concept in a later section of this talk, so just stay tuned.

So here in my talk I want to explore what it really means to be natural. The popular definition of natural is: existing in or derived from nature; not made or caused by humankind. The fact that there's something natural also means that there's a field related to things that are natural, which we like to combine into this umbrella term of natural science. The popular definition of natural science is: natural scientists seek to understand how the world and universe around us work. But again, we just explored the "not made by humankind" part, right? So this is where I wanted to explore the term (un)natural. Here it's not just unnatural, it's (un)natural, "un" with the bracket. It's simultaneously both natural and unnatural, which means things that are man-made. So technically it does not fit into the natural category as we previously explored. However, if we look closer, it still behaves pretty naturally even though it's within an unnatural ecosystem, which we will get into in a little more detail.

Since we already talked about what exactly natural science is, at least in the popular definition, I want to explore what (un)natural science is in my definition. By my definition, the (un)natural sciences seek to understand how the world and universe work, including how the human-made, unnatural world still operates within natural laws on a broader scale. So what does that really mean? If you take a look at a piece of malware, it's man-made. It is still technically artificial, and there are aspects to it which cannot be natural; malware is not going to spontaneously spawn in nature. These are things that we as humans made. So technically it doesn't fit the traditional term of natural. But if you look at the bigger picture, we've got this whole digital ecosystem and we've got malware operating within it. It still has to survive, adapt and evolve just like every other species in nature.

So in this (un)natural science section I want to compare and contrast things within our natural world as well as the unnatural world. In the natural world we have things called pathogens. By definition, a pathogen is any biological agent that has evolved or adapted to invade host organisms and cause harm to their biological systems. The "evolved or adapted" part is important, as I will compare it to the definition of what malware is, because my definition here is: any software that is intentionally developed to cause harm to the victim device. It's the "intentional" part that is really, really important here, because when you develop software there are times where the developer unintentionally programs it not so nicely, in a way that it ends up acting in ways that the developer, and whoever the PC is intended for, would probably not really like. In some people's definition that would be considered malware, but at least in the scope of this discussion it's the intentional part that is important.

Comparing and contrasting pathogens and malware a bit more: they're quite similar. Pathogens are basically biological malware, because the host organism probably doesn't want pathogens in its body, since we talked about how they cause harm to the host. In the case of pathogens, the host will be the organism, while in the case of malware, it will be the device. And again, it's dependent on the host. Who here has played Plague Inc., the mobile game? If you play the game and actually want to succeed, one of the main pieces of advice people give is that you shouldn't start off by giving your thing the trait of total organ failure, because it's going to kill the host. Yes, to ramp up the deadliness it does kill the host, and all these organ failures and things happen, but if your host dies then there's no one to carry that virus, bacteria or fungus on your behalf; you can't spread it around. For example, we have Ebola and COVID. Ebola is super deadly; you get internal bleeding and it's a really high death rate. With COVID, when it first started, the death rate wasn't so high, and a lot of people who were infected didn't notice that they were infected, so they still went around infecting everyone. As opposed to something really deadly like Ebola, which pretty much renders the host immobile; they're pretty much stuck at home and can't go around to spread the virus. So yes, it was still a deadly pandemic, but COVID caused a lot more global crashes, as we all know. We pretty much all lived through the COVID era, and you felt how much damage COVID had done to our society and to our personal lives as well. Similar to that, malware must develop traits, which are sometimes detrimental to its survival; sometimes it still doesn't think about survival. So again, malware and pathogens both cause harm to the host. For pathogens it could mean things like cell death and various other nasty symptoms. For malware, it's things like loss of data, your computer just dying, and things like that.

And here I get into the definition of computer viruses too. Most of you have probably heard the term computer virus. A lot of times people use it quite interchangeably, but I want to clarify here that malware and computer viruses are not exactly the same thing. The definition of a virus would be a type of malware that is, again, intentionally developed to infect other files or programs by embedding its code, enabling it to replicate and spread. It's the "enabling it to replicate and spread" part that is really important here. So this symbol is like a set symbol: every virus is malware, but not every malware is a virus. In more formal terms, viruses are a proper subset of malware.

Here we're talking about the digital ecosystem, where again the (un)natural selection in the title of this talk takes place. The digital ecosystem includes things like personal computers, servers, the internet and more; basically where malware must thrive and survive. Just like other biological entities, there are various families and species of malware. On that side you can see a list of malware families from Media, and on this side it's a tree of various different species: you've got starfish, sharks and elephants. These are various different families. There are many similarities between these two.

So (un)natural selection is basically any pressure that affects the evolution of malware. For example, if I'm talking about biological natural selection, these evolutionary pressures would include things like the availability of food, the climate, and so on. In the case of malware, these are things like system-wide updates, defender actions, profitability for malware operators, competition with other malware, and trends in the real world. There's much more, but I want to really stress the competition with other malware part, because there are many malware out there, and they must all compete with each other, because not every malware author is on good terms with each other, just like not all of the good people here are on good terms with each other. So again, not every malware author is on good terms with each other, so they are most of the time competing for resources. These are things that are pressuring malware to adapt and evolve.

I also want to talk about how, because we are able to compare the evolution of malware to biological evolution, and in the case of biological evolution we have something called evolutionary game theory, which can be used to mathematically model evolution. The definition of EGT is: evolutionary game theory is the application of game theory to evolving populations in biology. It defines a framework of contests, strategies and analytics into which Darwinian competition can be modeled.

So here's an example of a malware pandemic that happened quite a while ago. This was a mass outbreak in 2000: ILOVEYOU. It relied on one deterministic action: it just sent out email attachments with the malware on them, relied solely on social engineering, and basically sent itself to every existing contact of the victim device. So this, I would say, would be considered a pure strategy, which relies on one deterministic action; it's always going to do this action. As opposed to Simile, which was released in 2002 and introduced randomness, which is quite different from a pure strategy. This is an example of a mixed strategy, because it introduced randomness, which made it more unpredictable. In this specific case there was a 50% chance of infecting files and metamorphosing, and about 90% of the virus code was dedicated to the metamorphosis. In computer terms randomness is not so easy to implement, so it dedicated a lot of its code to implementing this sort of randomness.

And this is another strategy which is quite common: tit-for-tat. This is what Emotet used. It was first detected in 2014, but even to this day the operations are ongoing. What it means is that it retaliates against defender actions. For example, if there's a mass law enforcement crackdown to take the C2 down, it would retaliate by updating its bots to use new backup C2 servers. There are various other examples of retaliation too. For example, if the email provider starts blocking all these bank invoice related emails, it changes the text of the email and will start using something else, like maybe a vacation certificate or something like that. It would basically change based on how the defender reacts. So this is a good example of a tit-for-tat strategy.

So again, as I previously mentioned, not all bad actors are on good terms with each other. They also have to think about how they would get the malware to survive within these evolutionary pressures, because these people are mostly financially motivated, and in terms of survival for this malware, what drives survival is again most of the time the financial incentive. Threat actors want to create a model that is most profitable for them. For example, ransomware could be quite profitable, but since you get all these icons changing and all these extensions being appended, it's really noisy and it's quite obvious that you've been affected. So in this case, this is an example from my symbiosis paper I wrote for, not BSides, for Virus Bulletin Dublin last year. I was actually in Dublin last year around October. You can see the full paper here; I don't know if you can scan it, but if you look it up online, Virus Bulletin 2024, you can see my full paper. Something that I really wanted to discuss here is that the malware involved here is all developed by separate, independent actors. However, they work in ways that are not conflicting with each other. The key part here is that ransomware comes in last. That gives time for the other malware, like the infostealers and the loaders and the bots, to first do their thing before the ransomware comes in and encrypts everything, making the infection super obvious. So these things exist, just like in nature: symbiosis and mutualistic relationships do exist. In the world of (un)natural selection and malware, these kinds of relationships exist as well.

So now I would like to get into the perspective of an (un)natural historian. For me, I also like to draw a lot. This is why I created Malware Monsters, because I like to collect malware, but I also like to treat it as if it's a living entity that must survive, adapt and evolve. These are the Malmons I created so far. All of these are based on real malware, and when I designed these I included a lot of symbolism and meaning behind the design choices. I will go into depth on the LockBit Malmon I designed for BSides, and I actually animated them as well by hand. I tried to make them as realistic as possible.

Something else that I also wanted to talk about is explaining malware via cartoons. As I mentioned at the start, what makes a good compiler? Again, it's the ability to translate high-level language into low-level language within the least amount of instructions possible while still maintaining its meaning. Similar to cartoons, where you can only draw very limited strokes while still maintaining the charm. One big reason I like to do pen drawings like this is Copic markers. It's an alcohol marker; I can't erase it like a colour pencil, because even if you do make mistakes, it still adds to the final charm. It adds the final touch. So again, treat life that way: even if you do make a mistake, just keep going, and in the final picture it might even look better compared to when you didn't make a mistake.

So here is a Slammer Malmon that I designed. It's a worm; actually it's a packet worm, that's why it's inside a packet. And here's something I'm trying to explain for the buffer overflow: it slams this router, and then this carnival hammer thing goes, and then it just overflows. And this is something I wanted to explain that is kind of similar to, if you study a little bit of physics, chain reactions: you've got all these atoms spitting out particles, and then the particles on the side also start spitting out particles, just like a chain reaction. So what it did was, the server that it infected, as soon as it infected it, shoots out these packets, which as soon as they hit another server also infect it, and then that thing also starts shooting out packets. And here what I'm trying to explain is that the worm itself was actually pretty small; it's only 376 bytes, so you see this digital scale, and this small size is what allowed it to propagate extremely fast.

Something that I am also doing quite a lot nowadays is exploring old books like the ones here. These are from the 18th and 19th century, the Victorian era, and you've got all these biological drawings, like that's a water flea and that's a stick bug. I actually have two books here, and I want you, the audience, to just hold the book and look at it. I want you to feel the weight of the book and realize that there is a nice world out there that is free from all these digital things. So do not forget that there is a nice world out there, and do not forget the value of books. There is a difference between reading the scanned version as a PDF and actually holding the book, feeling the weight of it and exploring what's inside. I want you to feel that and never forget that. And please do visit bookstores. And actually I'm not done. Thank you, thank you, thank you.

So, actually, guess what? I'm also writing a book, because I love books so much. I actually borrowed the style from those old books to write my own book about malware. I'm writing this in the Book of (Un)natural History of Malware. This is the Industroyer Malmon that I designed. This is the animated version. It's got these horns shaped like power grids because it affects the power grid, and it's got this whole factory-shaped thing because it's ICS malware. And this is a version for Stuxnet. Again there's a lot of reasoning behind the design choices I made here. It's this specific colour because yellowcake is this colour, which is the uranium stuff. And it's got these fin thingies that are shaped like the new radioactive symbols.

So, the Malmon I designed for Dublin: this is LockBit. I actually hand-drew this, and this is a time-lapse sketch of the design. I use an iPad with Procreate and an Apple Pencil. You can see there's actually a lot of thought I put into the design choices here. For example, it's dangling this shamrock-shaped, clover-shaped key, because it demands: here's the key, pay the ransom. There's another arm that's holding up the file, which it's also dangling; it's like, I have the files, pay up. There's actually more symbolism I put in here as well. Another thing is, you see the cork plug there? One hand is holding it, because it threatens to leak the data if they don't pay up. It's double extortion: it ransoms you, encrypts the files, and threatens to leak them. I also animated it, frame by frame, so you see here it's got all these arms moving around. That's the animated version. And then I was also painting the LockBit Malmon. This is the pencil sketch, that's the ink, and that's the watercolour version, which I have here. I actually went around Dublin with my painting to take pictures, to confirm that I was actually in Ireland, that this was actually kind of made in Ireland.

So stay tuned for more Malmons. We're actually starting to make Malmons games, so stay tuned for that, and please support us and our nonprofit, World Cyber Health. Our projects include things like organizing various malware competitions: a malware report competition, a battle of malware, and a YARA matching competition. Malmons is also part of it, as well as No Havoc, which stands for online helpline for all victims of cybercrime, because everyone deserves accessible help regardless of who they are, where they are and what they have been through. Everyone deserves access to meaningful and accessible help. This is why we created this LLM-based helpline, where accessibility is key. And then we also created the Yahavic competition, which stands for Y comp. It's basically a pentesting version, where we're trying to stress test No Havoc so that it's strong and resilient. So yeah, I'd like to finish with: break systems but not promises, question everything and stay curious. Thank you.