
Hi everyone. Just making sure the people at the back can hear me. Yeah. All right. >> Thank you so much for coming to Malware Village as well. I do see a lot of familiar faces here. And again, I hope you guys like malware. So that's why I brought to you guys the final keynote for today, which will be the unnatural history of malware, by me. So it's going to be kind of like a final wrap-up to the Malware Village. So yeah, just again, who actually tried to analyze a malware at the village? Don't be shy. Okay. Well, that's fine, because right now I'm going around various conferences in Europe, as well as, next up, I will be hosting the Malware Village at DEF CON in Las Vegas as well. So I do hope to see you all there. But even if you can't make it to the US, that's totally fine, because we know what's going on. So anyways, let's get into the talk. So I'm going to do a short self-intro. I am Lena, also known as LambdaMamba. So I'm the founder of World Cyber Health and the founder of Malware Village, and also the creator of Malmons, also known as Malware Monsters. So actually, before I got into malware analysis, I did a lot of low-level computer stuff, which includes things like trusted execution environments and RISC-V. So a lot of the time, people think, oh, malware is not so related to low-level stuff, but that's not true, because when you do get into malware analysis, especially when you get really deep into it, a lot of the time you will be dealing with assembly language. So as an ex-compiler-optimization researcher, something that I say a lot is what makes a good malware analyst: it's the ability to express complex concepts in a very abstracted manner while still maintaining their essence. Right? So an analogy I like to use a lot is what makes a good compiler. It's for the compiler to be able to translate high-level language into low-level language in the least amount of instructions possible while still maintaining its meaning. So this concept doesn't just apply to malware analysis but to basically anything you do in general. Right? A lot of the time people say, well, if you can explain something to a five-year-old, that means you understand the thing well, right? So that's what I mean, and I will get into this more in depth later, because a big part of my talk today will be expressing malware as a story, to tell people how they behave, how they survive, and what goes on, to make not just malware analysis more interesting but more accessible to the general population.
So in my talk, I like to do a lot of comparison between malware and living things. Well, here I specifically say pathogens, right? But some people argue: are biological viruses even alive? Well, that is up for debate, because some people say it's not alive, some people say it is. But in this talk I just refer to viruses, bacteria, whatever, as pathogens. So the definition here, at least in the context of this talk, would be any biological agent that has evolved or adapted to invade a host organism and cause harm to its biological systems. Right? So I'm going to compare and contrast this to malware. So my definition: again, there are a lot of definitions out there on what exactly malware is, right? Some people do say the CrowdStrike blue-screen-of-death thing is considered malware. Some people say that. But at least in my definition here, it's any software that is intentionally developed to cause harm to the victim's device. What's important here is the intentional part, right? So again, you're free to disagree, but at least in the context of my talk here, my research focuses on this part: intentionally. So again, we will be comparing and contrasting the difference between pathogens and malware, right? So there are actually a lot of similarities, and some of these things include, you know, being dependent on the host for survival. In the case of pathogens, it would be the organisms, right? These could be things like a mouse, or something bigger, or an amoeba, whatever; it could even be you, humans, right? But for the malware, the host would be the device, right? So again, if I backtrack into the previous definition of pathogens and malware, it's the harm part that's important. I mean, there is definitely malware out there that doesn't really do much to cause harm, but at least in the context of this talk, I mean specifically that it causes harm, right? So in the case of pathogens, it would include things like cell damage, death, and things worse than death. And for malware, it would cause things like loss of data, resources, and money to the victim. And there are actually many, many similarities here, which I will not get into, because there are just too many. So instead of focusing on the similarities, I decided to focus on the differences. So malware is considered unnatural because it's man-made, right? But pathogens are natural because they're not man-made. However, we want to go back to what exactly it means to be natural. So in the traditional definition of what natural is, it is existing in or derived from nature, not made or caused by humankind. But again, what's natural, and what exactly is mankind, right? So the digital ecosystem I'm talking about here, which could include things like your devices, the network, the servers, and things, yes, those are made by mankind. However, just like every other biological entity, malware must survive, adapt, evolve, and compete for resources, right? So here, even though mankind has created this digital ecosystem, it really has not much control over which malware exactly thrives or dies. Right? So here we get into what is unnatural. So given the fact that the traditional definition of natural is whether or not it's made by mankind, the way that malware behaves in this digital ecosystem, which is also man-made, is rather natural.
So again, just like every other biological entity in the natural world, malware either thrives or dies based on whether it can adapt and evolve to the external pressures. But again, it's still technically man-made, right? So in order to express what I mean here, I decided to coin this term, "(un)natural", with a bracket, because it could mean both things at once: natural but unnatural at the same time. Because in the real world, in the natural world, it is unnatural, right? I mean, if we don't have computers, malware just wouldn't exist. But within this digital ecosystem that we created, it acts rather naturally, just like every other biological entity. So here I started to ask some questions. What if we study malware as if it was a biological entity? And what if, I mean, this also means, if we treat it that way, that maybe we could also apply concepts from the natural sciences to malware analysis. So here we start to define what exactly the digital ecosystem is. Right? So as I previously mentioned, this could basically include things like personal computers, servers, the internet and more; basically, we're all connected. And as an easier definition, it's basically a habitat where the malware lives. So again, just like how we compared malware to biological entities, there exist multiple families of malware, which is akin to biological species in the natural world. So again, here you see the list of malware families on Malpedia. So you get things like Lumma Stealer. It's a bit hard to see here, but if you go to Malpedia families, you will see a whole bunch of things, and these can also be further classified as loaders, worms, ransomware, each having distinct characteristics which make it unique, right? So this is actually really similar to biological species, just like how this taxonomy tree goes. Again, it's a bit hard to see, but you see all these branches: you see starfish, you see sharks and crabs and octopi and stuff like that, right? It branches out, but you know that starfish are different from crocodiles, right? So I mean, they're still living; it's just that they have unique characteristics that separate that specific species from the other one, right? So just as we discussed earlier, given the fact that there are so many similarities between malware and pathogens, what if we could apply concepts that we apply to the study of pathogens, which includes evolutionary game theory? So what exactly is evolutionary game theory? It is the application of game theory, which is a field of mathematics, to evolving populations in biology, and it defines a framework
of contest strategies and analytics into which Darwinian competitions can be modeled. So evolutionary game theory itself is a huge field with a lot of things, which I will not get into in detail given the time limit, but I will get into some of the strategies that are pretty well known in the field, right? So one of these would include the pure strategy, which is a predefined, deterministic choice of action that a player makes regardless of the actions or outcomes of others. Another example would be mixed strategies, which involve a player randomly choosing among the available actions with a specific probability distribution rather than choosing a single action for sure. Another one would be the tit-for-tat strategy, which involves cooperation on the first move and then replicating the opponent's previous action in subsequent rounds. So this could sound like scientific jargon at the moment, but I will try my best to get you guys to understand. I'm not writing a compendium of game theory here. I'm just trying to introduce the concept of how evolutionary game theory could be applied to the study of malware analysis. And this is just scratching the surface. So one example of the use of pure strategies by existing malware would be ILOVEYOU, which had a mass outbreak in 2000. So this is an example of a pure strategy because it relies on one deterministic action, which was an email attachment accompanied by social engineering, and then once the person falls for it and opens the attachment, it will send itself to all their contacts. Because of that, the outbreak was very, very fast, and there was a lot of damage as well, right? Because once it was unleashed, even the attacker itself just couldn't control it; they couldn't stop it, because at that time the internet wasn't really a thing, so there were no C2 servers where the author could just tell it to kill itself, right? So yeah, that's a pure example of a pure strategy; it had no fallback strategy. So it was also not so resilient, because once people did start to see what was going on, like blocking emails coming with this love-letter pretext, it would just be blocked, right? That's why, as soon as there was some emergency patch or stuff like that, things like this would just die off immediately. Another example would be Simile, which is an example of a mixed strategy. So this was actually released in 2002, and here it was pretty unique because it introduced randomness. Right? So what this means is it has a 50% chance of infecting the file and metamorphosing. So metamorphosing here means changing its code. So with antiviruses that are dependent on signatures, right, if the code changes, the hash changes. So this kind of thing would evade these kinds of traditional detection systems. Plus the fact that it skipped 50% of files, right, means that there could have been some honeypot files, right? And then by having this kind of randomness, by skipping them, the AV just wouldn't detect it. And actually, it invested a huge amount of its effort into the metamorphosis part, which apparently took up 90% of the code in the virus itself. So another example of a malware using a well-known game theory strategy would be
Emotet, which would be an example of tit for tat. So in the previous definition of what exactly tit for tat was, right, it talked about cooperating in the first round and retaliating based on how the other person acts. So here, in this game, what I mean by cooperation is: suppose we have a setup between malware versus defenders. So by cooperating, it just means that the defender doesn't really crack down or do anything aggressive to try to take down Emotet. It just means kind of doing nothing, right? So that also kind of benefits Emotet, in a way that it doesn't need to invest extra resources into evolving and surviving. So that is what I mean by cooperation here. It doesn't mean that they're working together to infect people. That's not what I mean. It just means that they're not actively trying to fight against each other. Right? So in this context, right, defecting would mean to actually be more aggressive, actually trying to undermine and sabotage the other. So that means if the defender, in this case, for example, law enforcement, actually goes above and beyond to try to do a crackdown and take down the C2, then Emotet would retaliate by updating bots and using new backup servers and things like that. Other things would include, for example, if the email providers start mass-blocking these invoice emails, then it will start to update its tactics by changing the pretext, changing it to COVID-19 health alerts, shipping delivery scams and more. So again, how Emotet reacts is based on how the defender acts. So again, Emotet was first detected in 2014, but to this day the operations are still ongoing, because this is kind of like an ongoing, continuous game in which both sides, both defenders and the threat actors of Emotet, are evolving alongside each other. So another example, I mean not example but another interesting case, of malware interactions in this unnatural ecosystem would be the symbiotic relationship, where different families of unique malware can collaborate, right? So these could be things like loaders, infostealers and ransomware working together to deliver a powerful infection. So what's important here is that all the malware involved in the symbiotic relationship is developed independently of each other, right? So that means the author who made PrivateLoader is not aware of the development behind some other ransomware. But in the end, when they are deployed together, they are working together symphonically in a way that does not conflict with each other. So in my Virus Bulletin paper I detailed what exactly conflict means, right, because again it is not easy to define what exactly collaboration means. So at least we could define what exactly conflict means. So in this paper I highlighted how, for example, ransomware conflicting with each other would mean things like more than one ransomware encrypting files at the same time, which would mean that the ransomwares are double-encrypting each other, which is not great for the ransomware. So ransomware can go above and beyond to try to prevent this kind of double encryption, by double-checking the extensions, by checking if other similar ransomware processes are running and things like that, because as a ransomware developer you're basically just mostly after money. So you don't really want a rival ransomware gang to be basically stealing your customers, right? So again, other interactions would mean things like malware attempting to kill each other, because again, malware authors, I mean, we do refer to them as the bad guys, but it's not that the bad guys are working together, right? I mean, they're mostly selfish most of the time. They just want money. And again, even the good guys, we're not all on good terms with each other, are we? Right? Just like how the bad guys are. So that's why there could be cases where the bad guys, the malware, are actually trying to kill each other, in the case of Mirai botnets. So here, if Mirai and those kinds of botnet malware detect that the device that they're trying to infect is already infected by some other rival botnet, it's going to try to kill it. Right? So again, that's why it's important to know if a conflict exists or not, because again, not every malware author is on good terms with each other, just like how the good guys are not on good terms with each other. So I'm going to get into the perspective of an unnatural historian. So what is the unnatural sciences, right? Because we already defined the term unnatural. So, just like how we have natural science and natural history, I think it makes sense to have unnatural science and unnatural history. So that's exactly
what I'm doing here. So again, we previously talked about how we can treat malware as if it's a living thing, where it must survive, adapt, and evolve in order to not go extinct. Right? So as a way to try to get this concept across, I made Malmons, which is also known as Malware Monsters. So these are the Malmons I've made so far. Again, it's a little bit difficult to see here, but if you are brave enough to scan the QR codes, the repository of the Malmons that I drew is available there for download, and you're more than welcome to use them in your servers as emojis and stuff like that. So actually, in the age of AI-generated artwork, right, I drew these by hand. So of course there were people that came up to me like, oh, is this AI-generated? I don't know whether I should take that as a compliment. Don't get me wrong, AI is not that bad sometimes. I'm not defending people who just use AI; me as an artist, of course I'd love to see more hand-drawn artwork, not AI-generated, right? But at the same time, if you just flat out accuse artists, "oh, is this AI-generated?", maybe they might not be so happy, so don't do that, please, right? If you want to double-check or something, if they are willing to post things like this time-lapse, right, I think at the moment it's not so easy for AI to generate these time-lapse sketches, even though it does excel at other video-generating things, and I hope it stays that way. So I actually went another step further and decided to animate these by hand as well. So again, if you want to, you're more than welcome to use these digital Malmons in your servers and stuff, as emojis, right? Because I wanted to make this kind of open source and available to everyone. And then one big reason as to why some malware is successful is because it spreads, right? Malware authors don't sell their malware to the victim, right? You just infect, infect, infect, right? I'm not saying that I'm trying to infect everyone's minds with Malmons, but at the same time that's kind of what I'm saying. So yeah, let that go viral like malware, please. Come on, at least it's better to have these on your computers than actual malware. Right? I mean, what do you guys think? Yeah. Yeah. Right. So another thing I've been doing with Malmons is drawing these picture
books, because, as I mentioned previously, what makes a good compiler? Again, it's the ability to translate high-level language into low-level language in the least amount of instructions possible while still maintaining its meaning. It's kind of similar to why I draw cartoons, because malware itself is a super complex concept in many people's minds. But if you express it in cartoons, you're technically taking that high-level concept and then expressing it in cartoons with as few strokes as possible. Right? So for example, here is a Slammer Malmon that I made. So this is Slammer, a computer worm from 2003 that caused a massive denial of service on internet hosts. Slammer exploited a buffer overflow bug in Microsoft's SQL Server and Desktop Engine database products. It bombarded routers with extreme traffic, causing them to collapse. This caused the slowdown of systems worldwide. So if you look closely, right, this carnival hammer thing, I don't know what you all call it, but I'm trying to express the fact that it's overflowing by this bell thing breaking apart, right? And okay, so Slammer spread rapidly, infecting servers, and once infected, right, it just fired out packets as fast as possible. And when a packet hit a vulnerable device, it was immediately infected, just like, I mean, this is kind of like a chain reaction as to how nuclear stuff works, right? It's like you've got stuff spewing out these particles, and it just bumps into the particle next to it and then just keeps going on in a chain reaction. That's what I'm trying to express here. And here I'm trying to express how the entire worm was only 376 bytes and fits inside a single packet. And also, this small size is what allowed it to propagate extremely fast. So just like how you see on this digital scale here, of course, as an artist who was trying to explain this, right, it wasn't so easy for me to express what exactly 376 bytes would mean. So this is where expressionism kind of comes into play. So I'm going to talk about how there exist natural history books. Like, this is an example from the Victorian era. I mean, you can see, I don't know if that's supposed to be an eel or a snake, but you get the point. Okay. In this era, people didn't have the internet, nor did they have AI. So if they wanted an image of an eel or a snake, most of the time they had to actually go see the physical eel or snake. And then if you were in Victorian UK and you wanted to draw diagrams about some eel-snake thing in, I don't know, the Galápagos, probably either you had to have a dead sample in some formaldehyde or something, or you had to actually go there, or they had a specimen somewhere. Right. So again, that's natural history books. So that's what I'm doing now with Malmons. I decided to make the unnatural history book, which I'm working on right now, by the way. So this is an example of the Stuxnet Malmon. So if you look closely, right, that's all drawn on paper with a fountain pen, just like how people back then used to do them,
right? So if you look closely, right, back when I designed these Malmons, I actually did include a lot of symbolism, as you can see here, right? Because I was expecting to do something like this anyway. So you can see that, if you guys know what Stuxnet is, it's related to taking down the uranium nuclear program. So that's why it's got this yellowcake color with these fin thingies that look like nuclear symbols, right? And then, if you look closely, even the tail and the tongue and stuff are shaped like a USB, because the infection vector was via USBs. So this is another place where I explain the anatomy behind why I designed it that way, right? So if you look closely, right, the eyes are kind of like these spiral things, which I tried to make look like centrifuge spinny things, right? And then here is the tongue and the tail, which are shaped like a USB, just like how it would infect devices, right? So here are some other examples. I'm still working on this, so I do not have the entire set, but I'm cooking up some things, so stay tuned. So this is an example of the Industroyer Malmon, right? You can see that it's kind of this rusty dragon thing, and then, you know, it's also an ICS malware, so it's got these power grid things coming out. So actually, for BSides Exeter I designed this WireLurker Malmon, because some people told me that people at BSides Exeter apparently love WireLurker. Who said that? Was it? >> Yeah. Okay. Okay. Yeah. So, just some context behind what exactly WireLurker is: it's a malware that is known to target Apple iOS devices. And then it's kind of unique, because you don't really come across any iPhone malware, right? So if you look closely, right, you could see the tail is shaped like a Lightning cable. And you see these little patterns on the back; it's supposed to be like the USB ports for iOS devices, right? And it's got this Apple thing, because Apple, right? Yeah, that's that. And so when I first arrived at Exeter a few days ago, I was actually painting this watercolor artwork of WireLurker, which I did put out on the raffle. So, right. Yeah. There. So, I don't know if you guys can see it, but >> it looked like >> Right. Yeah, that. So, I don't know who the lucky person is going to be to win that, but yeah. Okay, so that's the complete artwork. And then actually I'm cooking up some cool stuff for Malmons, like this Malmon Tamagotchi-looking thing. So stay tuned. So the key takeaways from this talk would be what it means to be unnatural. And as discussed in this talk, we borrowed concepts from the natural sciences. And just like how evolutionary game theory can be used to model population survival, we explored how it could potentially be used to analyze malware to improve defenses. And then we also talked about how basically malware can be personified and treated as if it's a living creature, just like the reason behind why I made Malmons. So right now, as our organization, World Cyber Health, which is a nonprofit incorporated in Canada, me and my team are working on various things behind the scenes, like organizing Malware Village, which includes competitions like Mach 1, which stands for Malware Analysis Report Competition; Bombay, which stands for Battle of Malware Bypassing EDR; and another which stands for Efficient Malware YARA Analysis Competition. And again, this organization is also something I'm using to back up Malmons. So we get to make things like those Malmon games, the books and things like that. And then we're also working on something called No Havoc, which stands for Online Helpline for All Victims of Cyber Crime. I came up with that name, by the way. So yes, do support us on our mission and let's all unite to make the world a better place. Thank you.
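The pure, mixed and tit-for-tat strategies the talk maps onto ILOVEYOU, Simile and Emotet can be made concrete as an iterated game between a malware operator and a defender. The following Python is an added example, not code from the talk or from World Cyber Health: "cooperate" means leaving the other side alone and "defect" means cracking down or retaliating, as defined in the talk, while the payoff numbers, the `crackdown_after` defender model and the tournament line-up are constructed assumptions for illustration.

```python
import random
from typing import Callable, Dict, List, Tuple

# Moves in the malware-vs-defender game from the talk.
# "C" = cooperate: leave the other side alone (defender does nothing, malware keeps its tactics).
# "D" = defect: act aggressively (defender blocks / takes down C2, malware retools and retaliates).
Move = str
History = List[Move]
Strategy = Callable[[History, History], Move]  # (own history, opponent's history) -> next move

# Constructed payoff table, indexed by (my move, opponent's move) -> (my payoff, opponent's payoff).
# These values are an assumption (the usual prisoner's-dilemma ordering T > R > P > S);
# the talk itself assigns no numbers.
PAYOFFS: Dict[Tuple[Move, Move], Tuple[int, int]] = {
    ("C", "C"): (3, 3),  # both idle: malware survives cheaply, defender spends nothing
    ("C", "D"): (0, 5),  # I stay idle while the opponent strikes: I lose this round
    ("D", "C"): (5, 0),  # I strike while the opponent is idle: I gain the most
    ("D", "D"): (1, 1),  # arms race: both sides pay for constant retooling
}


def pure(action: Move) -> Strategy:
    """Pure strategy: the same predetermined move every round, ignoring the opponent (ILOVEYOU-style)."""
    return lambda own, opp: action


def mixed(p_defect: float, rng: random.Random) -> Strategy:
    """Mixed strategy: defect with probability p_defect, else cooperate (Simile-style randomness)."""
    return lambda own, opp: "D" if rng.random() < p_defect else "C"


def tit_for_tat(own: History, opp: History) -> Move:
    """Cooperate on the first move, then copy the opponent's previous move (Emotet-style)."""
    return "C" if not opp else opp[-1]


def crackdown_after(quiet_rounds: int) -> Strategy:
    """Assumed defender model: tolerate for `quiet_rounds` rounds, then crack down every round."""
    return lambda own, opp: "C" if len(own) < quiet_rounds else "D"


def play(a: Strategy, b: Strategy, rounds: int) -> Tuple[int, int, List[Tuple[Move, Move]]]:
    """Iterate the game; returns (score_a, score_b, list of (move_a, move_b) per round)."""
    own_a: History = []
    own_b: History = []
    score_a = score_b = 0
    for _ in range(rounds):
        move_a = a(own_a, own_b)   # each side only sees the histories so far
        move_b = b(own_b, own_a)
        pay_a, pay_b = PAYOFFS[(move_a, move_b)]
        score_a += pay_a
        score_b += pay_b
        own_a.append(move_a)
        own_b.append(move_b)
    return score_a, score_b, list(zip(own_a, own_b))


def tournament(rounds: int = 20, seed: int = 0) -> Dict[str, int]:
    """Total score of each malware strategy summed over a constructed set of defender behaviours."""
    rng = random.Random(seed)  # seeded so the mixed strategy is reproducible
    malware: Dict[str, Strategy] = {
        "pure_cooperate": pure("C"),
        "pure_defect": pure("D"),
        "mixed_50": mixed(0.5, rng),
        "tit_for_tat": tit_for_tat,
    }
    defenders = [pure("C"), pure("D"), crackdown_after(5), tit_for_tat]
    return {name: sum(play(strat, d, rounds)[0] for d in defenders)
            for name, strat in malware.items()}


if __name__ == "__main__":
    score_m, score_d, moves = play(tit_for_tat, crackdown_after(2), 5)
    print("tit-for-tat vs crackdown after 2 quiet rounds:", moves, score_m, score_d)
    for name, total in tournament().items():
        print(f"{name:15} {total}")
```

Running it shows the mechanism rather than a verdict: tit-for-tat sits quietly while the defender does nothing and switches to retooling the round after the first crackdown, which is the Emotet pattern the talk describes, whereas the pure strategies never react at all. Swapping in a different payoff table or defender model changes which strategy accumulates the most, so the numbers only mean something relative to the assumptions written into `PAYOFFS`.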
[Applause] Two seconds, and we can get ready for the CTF results, raffle and the auction. And apparently Adam's winging it, because he's all the way up there and it's going to take a while to get down here. Oh.
>> Oh. So, on that note, can we sing happy birthday, cuz it is his birthday today. So, while he walks down the steps, everybody: happy birthday to you, happy birthday to you, happy birthday, Adam's currently sober, happy birthday to you. And he's still going to make
>> Okay.
>> Thank you.
>> Uh, a little bit better. Oh yeah, you get a special speaker one.
>> Oh, thank you. Yay. Thank you so much.
>> And that was also hand-made.
>> Yeah, I talked to the designer and I told her that I absolutely love this. This is an amazing job.
>> This is like S tier. I've been to so many BSides, but this is up there.
>> Thank you so much.
>> Have you got the prizes? Questions.
>> Yes.
>> Isn't it important, questions?
>> Did we offer any questions?
>> I don't know. Pete, were there questions at the end of that? I only walked in for it.
>> I jumped on three minutes.
>> We all right.
>> Do that while we're here.
>> Yeah, actually. Yes. I would.
>> Does anyone have questions for Lena? Is that right?
>> Yeah. So, anyways, I will be here until the end of today. So, if you guys have any questions, just hit me up anytime, or you can just ask me now.
>> You can. Yeah.
>> Right.
>> Just put your hand up and I'll run up with the microphone while we're setting up. Oh, one there.
Just cuz you're obviously talking about evolution, and obviously one of the hilarious things about evolution and past different species that seems to happen again is stuff becomes crabs. Is there the malware equivalent of everything turning into crabs?
>> So what you, I guess, call carcinisation. Yes, I've seen that meme actually. Good point. And just like how there is a lot of convergent evolution happening here, there is malware that kind of ends up evolving into something similar, right? So nowadays, if you look, there's a lot of stealer malware prevalent, and all of those are most likely developed independently by the authors, because again, it is what affects, I guess, survival and how it converges. Because for crabs, right, its form, like this roundish body with legs on the side, right, was apparently very good for its environment, for its survival, as compared to some other shape, right? So that's because of the fact that that body shape was good for survival in that environment, independent of whether they are genetically related or not. So for example, stealers, right? These can include things like Snake Keylogger, RedLine Stealer and things like that, because they are profitable. That's why a lot of the time malware converges into these kinds of stealer malware, because again it makes them a lot of money, and then it is stealthy most of the time, and it just gets its job done. It just takes the credentials and stuff and just exfiltrates it, right? Because as compared to ransomware, yes, there are many types of ransomware out there, but you've got to understand that once ransomware hits the target and it starts doing its job, it starts encrypting the files, which is very, very noticeable and noisy, right? So you would immediately know that you are infected with ransomware. That probably means that the victim will start looking for tech support and try to get whatever's on there. It's kind of similar to, have you played Plague Inc., the game? Yeah. So you know how you're not supposed to choose total organ failure at the start, right? You're not supposed to do that, because if you do that, your host dies and then there's no one to spread that malware around. You want the host to stay alive and well so it doesn't show symptoms, so it could just keep going around spreading that to everyone, right? That's what you want, I mean, not what I want, or you want, but as this pathogen that's just trying to survive, right? So yeah, that concept kind of applies here as to why, yes, there is many ransomware, but most of the time stealers is what gets the malware author a lot of profit while still maintaining persistence and staying there as long as possible, right? Yeah. So, similar to how carcinisation works, just like how all these stealers are independently developed, but due to the fact that it has traits that allow it to survive and thrive, that is what keeps that going, right? Because it's so stealthy, even if you get infected, you're not going to notice it. So you're just going to let it stay there, and it just keeps exfiltrating the data, and because of that, malware authors are like, oh, this is actually working pretty great. So they just keep up with it; they're not going to change anything, because you've got to know, if you evolve something, right, it's also costly for the malware author to do that. And most of the time they want to be cheap. They don't want to spend excess resources on trying to update their tactics, right? So you just keep whatever works, kind of like evolution. If it's good enough, then it just stays there.
Thanks very much.