Malware – some musings about the meaning of the word…

I have read Ali's question with great interest, because it's questions like this that make you pause and think.

In my reply I suggested that the context is very important, and that we can leverage the triplet of Confidentiality, Integrity and Availability as a point of reference. If there is an intent to harm, or if the CIA triad is affected then we are dealing with malware…

Now, I don’t think it is enough.

Malware is literally short for… “malicious software”. Oxford dictionary says:
software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.

What makes the software "malicious"? And hey… is the "software" that is a part of the definition even the same thing today as what it was a few decades ago when the term was coined?

Is an exploit a piece of malware? If it is, does it become malware at the time of writing, at successful completion (when it's available locally only, and to the author), or when it's made public? Or only when used in active malicious campaigns? Is changing a configuration to enable verbose/debugging logging that allows unauthorized data access a case of malware? Is a tool used to mirror a badly configured web site, allowing the download of files that were not intended for public view, malware? Is ransomware written for teaching purposes malware? Is psexec malware? Can an empty file be malware? Can an antivirus file/program be malware? Is BYOVD malware? Is AI prompt injection a type of malware? Is Windows Explorer, used to delete all files on a hard drive, malware? Is an AI code generator that relies on the code of others, is trained on the wrong data set or has its data set poisoned, and as a result unintentionally produces backdoored code, malware?

Motive, Means and Opportunity form the so-called crime triangle. Lots of modern malware authors are criminals, because they tick these boxes. BUT while this affects the general opinion about malware authors, it does not make everyone writing 'questionable' software a criminal. It also doesn't make every 'bad' piece of software malware.

There is an argument that as long as you don't harm others, you can do to your system whatever you want. You can change anything on the system provided you are its legitimate owner. The OS and software EULAs may be a bit more complicated than that, but let's put them aside here. There is simply an argument that you can write, code and produce the most destructive and malicious code ever, but as long as it stays on your system, it's harmless to others. And then, is it even malware at that stage? And yes, the moment you make it public, you have to own it. There is a responsibility associated with sharing that information.

I think the safest definition of malware is quite simple – it’s a child of malicious state transition:
any meatware, hardware, or software action that changes the state to the one that is undesirable.

It embraces context, motives, means, and opportunity; it may leverage the CIA triad to define what that undesirable state is; and it keeps the doors open for novelty and new developments…

And despite all that, I still don’t know what malware is anymore…

Threat Hunting – architecture issues…

In my recent post I focused on localization issues, but there is (always!) more…

Take a look at the Windows 11 ARM version – when you install it you will immediately notice that it includes many unusual folders that your threat hunting rules (we are so used to relying on Intel-centric paths!) simply… "don't see", e.g.:

  • \Windows\SyChpe32\
  • \Windows\SysArm32\
  • \Program Files (Arm)\

Luckily, there is already a body of knowledge out there that describes some of these folders in detail…

Yup. After a few decades of Intel's dominance we are moving towards the ARM world and there is no excuse — we need to start looking at the 'new' that these changes bring… To be frank… I am as late to this party as anyone else… I always looked at ARM stuff with a bit of "huh, interesting, but not gonna stick" and kinda learned some bits about it here, there, and kinda in-between… Meaning: yes, I can read and interpret most of the ARM assembly code, and I also like the decompiled ARM code, but I am definitely far behind when it comes to understanding the hardware and its tricks, especially if compared to Intel, so I am gonna work hard to conquer it over the next few months… So, yup, today I embrace ARM and actually plan to spend a lot of time reading about it, because I fear that if I don't, I will become a liability soon…

Coming back to the threat hunting angle… how many different system32 directories do we have out there today?

  • System32
  • SysWOW64
  • SysArm32
  • SysX8664
  • SysArm64
  • SyChpe64
    +
  • sysnative

Is that all? There are probably some variations around the main OS Windows folder (that is: C:\windows, c:\windows.000, c:\winnt, etc.), but hopefully we are in good shape for the next few years…
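As an added example (not code from the original post), here is a small Python path classifier that covers every system32 variant and Windows root variant listed above, and reports which paths an Intel-centric "\Windows\System32\ only" rule would miss; the sample telemetry paths are constructed.

```python
import re
from typing import Iterable, List, Optional

# Windows root variants from the post (windows, windows.000, winnt), anchored at
# the drive root so a look-alike Temp\System32\ deeper in the tree does not match.
WIN_ROOT = r"(?:windows(?:\.\d{3})?|winnt)"
# Every system32 flavour from the post's list, plus SyChpe32 from the ARM list.
SYSTEM_DIRS = ("system32", "syswow64", "sysarm32", "sysx8664",
               "sysarm64", "sychpe64", "sychpe32", "sysnative")

# The Intel-centric rule most hunting content is written against.
NAIVE_RULE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)
# Architecture-aware replacement covering all the variants above.
AWARE_RULE = re.compile(
    r"^[a-z]:\\" + WIN_ROOT + r"\\(?:" + "|".join(SYSTEM_DIRS) + r")\\",
    re.IGNORECASE)
# Program Files variants, including the (Arm) folder from the post.
PROGRAM_FILES_RULE = re.compile(
    r"^[a-z]:\\program files(?: \((?:x86|arm)\))?\\", re.IGNORECASE)


def _norm(path: str) -> str:
    """Normalise separators so forward-slash paths are handled too."""
    return path.replace("/", "\\")


def system_dir_of(path: str) -> Optional[str]:
    """Lowercased system directory name the path lives under, or None."""
    p = _norm(path)
    return p.split("\\")[2].lower() if AWARE_RULE.match(p) else None


def is_program_files(path: str) -> bool:
    return bool(PROGRAM_FILES_RULE.match(_norm(path)))


def naive_rule_gaps(paths: Iterable[str]) -> List[str]:
    """Paths under a system dir that the naive System32-only rule misses."""
    return [p for p in paths
            if system_dir_of(p) and not NAIVE_RULE.match(_norm(p))]


# Constructed sample telemetry paths (not taken from any real host).
SAMPLE_PATHS = [
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\SysWOW64\cmd.exe",
    r"C:\Windows\SysArm32\cmd.exe",
    r"C:\Windows\SyChpe32\kernel32.dll",
    r"C:\WINNT\system32\svchost.exe",
    r"C:\Windows.000\SysArm64\ntdll.dll",
    r"C:\Users\bob\AppData\Local\Temp\System32\loader.dll",
    r"C:\Program Files (Arm)\Vendor\tool.exe",
]
```

Calling `naive_rule_gaps(SAMPLE_PATHS)` returns the five system-directory paths that the Intel-centric rule never sees, while the Temp\System32 look-alike is correctly left out by both rules.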

Again, there are some cool blog posts about some of these changes out there.

And just because we know these folder names we should not be fooled easily… We are looking at a completely different OS, a different architecture it deals with, different software needs, and I bet — many undiscovered bugs, quirks, features, and gotchas…

There must be new phantom DLL and persistence mechanisms waiting to be discovered, too.

It’s actually quite exciting…

It's the area I hope to explore more over the next few months… stay tuned.