Vulnerabilities, Exploits, and Payloads
In order for malware to do damage, a system first needs to have a vulnerability. The malware itself then features an exploit to take advantage of that vulnerability, and then a payload of additional code to run once the exploit has gained enough control of the system. Together, these are known as malware components.
These components are explained in the following sections.
To understand vulnerabilities, imagine a thief trying to break into a bank:
- The bank has a front door he can walk through.
- It might also have a rear door with a weak lock.
- Or maybe there is a side door or window out of the view of security guards and cameras.
These are all examples of vulnerabilities, weaknesses that can be exploited.
To understand exploits, imagine how a thief might get inside the bank:
- He enters through the front door, pretending to be an employee.
- He picks a lock on the poorly secured rear door.
- He throws a brick through the side window.
These are all examples of exploits, actions that take advantage of a vulnerability.
To understand payload, consider all the things a thief might do once inside the bank:
- He steals the tellers’ cash drawers.
- He makes long-distance phone calls on a bank phone.
- He turns all the desks upside down as a prank.
- He plants a hidden camera to record the combination entered on the bank vault.
These are examples of payloads, additional actions that only happen once inside. As noted in the last example, a payload can be another exploit — taking advantage of poor security that wouldn’t notice the camera in order to make a future attack.
Sometimes malware will also include a kill switch, a mechanism by which the malware can be stopped. In some cases, the kill switch is built in to protect the attackers from their own malware experiments gone wrong. Other times, the kill switch can be a means of increasing stealth. Especially in this age of state-sponsored cyberattacks, a malware writer might not want to cause a world-wide scare (and with it a world-wide updating or patching of vulnerable software). Hence, the attacker may want the malware to compromise a particular network but not spread any further.
In some cases, the kill switch is merely a date at which the malware will disable itself or stop spreading. In other cases, the kill switch might be more involved. For example, a variant of the WannaCry ransomware was designed to continue to spread unless it was able to communicate with a specific web server. When security researcher Marcus Hutchins discovered this attribute of WannaCry, he checked whether the domain name was available, registered it, and set up a server to answer at that address, effectively halting the spread of one strain of the malware.
Another feature often found in malware relates to compression. Compression shrinks the size of a file by eliminating or replacing certain data. As an example, imagine replacing the word “the” with just a “t” in a large document. What malware writers do is compress parts of their programs and then also build into them the routines to decompress those parts as they are executed. These compression mechanisms, known as packers, make their malware smaller (and thus quicker to download), harder to identify (because malware scanners might not be able to read the compressed sections), and harder to defeat (before researchers can figure out what the malware does, they first have to unpack it).
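The reason scanners struggle with packed sections is that compressed (or encrypted) bytes have an almost flat frequency distribution, so the strings and byte patterns a signature would match on are gone. Analysts turn that around and use byte entropy as a first-pass triage signal for packing. The following example is added here to show that technique; it is not code from the original text or from any real packer or scanner. It constructs its own sample "sections" (readable word salad versus the same bytes after zlib compression), the `.text`/`.packed` section names and the 7.0 bits-per-byte threshold are illustrative assumptions, and it assumes Python 3.9 or later.

```python
import math
import random
import zlib
from collections import Counter

# Constructed sample data (not taken from any real malware). PLAIN_SECTION
# stands in for readable program text; PACKED_SECTION is the same bytes after
# zlib compression, standing in for a section a packer has compressed.
_WORDS = ("load store call return push pop jump compare branch table index "
          "buffer length offset header section import export string handle").split()
_rng = random.Random(1)  # fixed seed so the sample is reproducible
PLAIN_SECTION = " ".join(_rng.choice(_WORDS) for _ in range(4000)).encode()
PACKED_SECTION = zlib.compress(PLAIN_SECTION, 9)
WINDOW = 1024            # bytes examined per window when scanning a file image
PACKED_THRESHOLD = 7.0   # bits/byte (assumed cut-off); deflate/encrypted output sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    """Heuristic: compressed or encrypted bytes have near-uniform byte frequencies."""
    return shannon_entropy(data) >= threshold


def high_entropy_windows(blob: bytes, window: int = WINDOW,
                         threshold: float = PACKED_THRESHOLD) -> list[tuple[int, float]]:
    """Scan a file image window by window; return (offset, entropy) for packed-looking regions."""
    flagged = []
    for off in range(0, len(blob) - window + 1, window):
        ent = shannon_entropy(blob[off:off + window])
        if ent >= threshold:
            flagged.append((off, round(ent, 2)))
    return flagged


def triage_report(sections: dict[str, bytes]) -> dict[str, dict]:
    """Per-section size, entropy and verdict, the summary a first-pass triage tool prints."""
    return {name: {"size": len(b),
                   "entropy": round(shannon_entropy(b), 2),
                   "packed": looks_packed(b)}
            for name, b in sections.items()}


if __name__ == "__main__":
    # A constructed "file image": a readable section followed by a packed one.
    image = PLAIN_SECTION + PACKED_SECTION
    report = triage_report({".text": PLAIN_SECTION, ".packed": PACKED_SECTION})
    for name, info in report.items():
        print(f"{name:8} size={info['size']:6} entropy={info['entropy']:.2f} packed={info['packed']}")
    print("high-entropy windows (offset, bits/byte):", high_entropy_windows(image))
    # The unpacking step a packer performs at run time, shown here only to
    # confirm the packed section really is the readable one in disguise.
    assert zlib.decompress(PACKED_SECTION) == PLAIN_SECTION
```

The verdict is a heuristic, not proof: legitimate installers, media assets and signed updaters also carry high-entropy sections, so a high-entropy window is a reason to look closer (and to run the sample in an instrumented sandbox where it unpacks itself), not a detection on its own.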
Command and Control
Malware often includes routines that communicate with attackers through Internet-accessible servers. This command and control (as it is called) allows the malware to receive additional instructions or the attacker to recover stolen data. One of the more sophisticated command and control systems used the “comments” section on pop star Britney Spears’ Instagram account. Infected computers would go to the page, search for a post from a particular account, and follow a link inside that post to another server where the malware would find its instructions.
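Both the kill-switch behaviour described earlier and the command-and-control polling described here leave traces in ordinary network logs, which is where defenders usually catch them: a host that resolves a known kill-switch or sinkhole domain has almost certainly executed the sample, and malware that repeatedly checks a web page for instructions contacts it at intervals far more regular than a human browsing the same site. The example below is added to illustrate both checks over a proxy log; it is not code from the original text. The log lines, host names and every domain in it are constructed (the `.example` names are reserved for documentation), `killswitch-domain.example` is a placeholder rather than the real WannaCry domain, and the beacon thresholds (at least five events, coefficient of variation of the gaps at most 0.1) are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (no real hosts or domains). One request per line:
# ISO-8601 timestamp, client host, destination host.
SAMPLE_LOG = """\
2017-05-12T10:00:02 ws-07 social.example
2017-05-12T10:00:05 ws-12 news.example
2017-05-12T10:05:01 ws-07 social.example
2017-05-12T10:07:40 ws-12 mail.example
2017-05-12T10:10:03 ws-07 social.example
2017-05-12T10:12:15 ws-07 killswitch-domain.example
2017-05-12T10:15:00 ws-07 social.example
2017-05-12T10:18:31 ws-12 social.example
2017-05-12T10:20:02 ws-07 social.example
2017-05-12T10:25:01 ws-07 social.example
2017-05-12T10:41:09 ws-12 news.example
"""

# Placeholder watchlist; a real one would hold the sinkholed kill-switch domains
# published by researchers, not this made-up name.
KILL_SWITCH_WATCHLIST = {"killswitch-domain.example"}


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Turn the three-column log into (timestamp, client, destination) records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest = line.split()
        records.append((datetime.fromisoformat(ts), client, dest))
    return records


def hosts_hitting_watchlist(records, watchlist) -> dict[str, set[str]]:
    """Map each watchlisted domain to the set of clients that contacted it."""
    hits = defaultdict(set)
    for _, client, dest in records:
        if dest in watchlist:
            hits[dest].add(client)
    return dict(hits)


def detect_beacons(records, min_events: int = 5, max_cv: float = 0.1) -> dict:
    """Flag (client, destination) pairs whose request intervals are suspiciously regular.

    cv is the coefficient of variation (std dev / mean) of the gaps between
    requests; near-zero cv means a timer is driving the requests, not a person.
    """
    by_pair = defaultdict(list)
    for ts, client, dest in records:
        by_pair[(client, dest)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            beacons[pair] = {"events": len(times),
                             "mean_gap_s": round(avg, 1),
                             "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("kill-switch lookups:", hosts_hitting_watchlist(recs, KILL_SWITCH_WATCHLIST))
    for (client, dest), info in detect_beacons(recs).items():
        print(f"beacon candidate: {client} -> {dest} {info}")
```

In the constructed log, `ws-07` visits `social.example` every five minutes to within a few seconds while `ws-12` visits the same site once, so only the first pair is flagged; the kill-switch lookup from `ws-07` corroborates it. On real data the interval check needs a longer window and tolerance for deliberate jitter, and a hit on a sinkholed domain should trigger isolation and imaging of the host rather than just a log entry.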
While it may seem to be a very sophisticated process to craft code that takes advantage of a vulnerability in some system and then craft additional code to be executed, today it is a matter of point-and-click. Tools like the Metasploit framework make crafting a specific attack extremely easy. An attacker using Metasploit tells the program what kind of system he intends to attack and which payload he wants. Metasploit then produces the prepackaged malware, which the attacker can email or upload somewhere to be found by an eventual victim.
For end users, it’s important to recognize that malware typically holds to the dual personality of exploit and payload, where one part opens the door to a system while the other carries out some damage. Bear in mind, however, that the damage can be to open more doors on the system or to explore other computers on the network that are susceptible to attack. In this sense, one piece of malware can lead to much more being downloaded and executed.