Presentation information

Bugs in malware – uncovering vulnerabilities found in malware payloads

Nirmal Singh (Zscaler) & Uday Pratap Singh (Zscaler)
live only
UTC on Day 3
FRIDAY 02 OCTOBER
Malware authors often take advantage of vulnerabilities in popular software and use other techniques to bypass security products like anti-virus, sandboxes and intrusion detection systems, and security researchers find ways to patch such bugs in products to make detection effective both statically and dynamically. There is a lot of research about anti-VM, anti-sandbox and bypassing AV products, but we haven’t seen much on the opposite side – that of finding bugs in malware which prevent the malware from spreading and infecting the system. Sometimes there are also bugs and coding errors in the malware code which cause the malware to crash and not serve its sole purpose. Such bugs can persist in malware families for a long time.

Through this research, we present multiple prevalent malware families which are crashing due to coding errors. We observed that sometimes malware doesn’t validate the output of a queried API or are unable to handle different types of C&C response. Authors often develop malware according to their local environment and don’t consider other techniques, e.g. ASLR, DEP, required to load modules in malware which cause them to crash.

To illustrate multiple bugs and coding errors in malware, we have performed a large-scale analysis of a data set of malicious samples that crashed in the Zscaler Cloud Sandbox. We collected such samples from late 2019 to March 2021 in the Zscaler Cloud. Furthermore, research & analysis is performed on multiple malware families showing crashes or running idle due to coding errors.

We will look at recent malware, botnets and ransomware with such different kinds of vulnerabilities and coding errors. We will also present a methodology to categorize malware families based on vulnerabilities and also detection in a cloud sandbox based on minimal activity before crash.
Nirmal Singh
Zscaler Nirmal Singh is Director of Security Research team at Zscaler ThreatLabZ located in Chandigarh, India. Nirmal has a Ph.D. in computer science and has been working in the threat research and analysis field for the past 11 years. He oversees malware research, detection and innovation at Zscaler. Prior to Zscaler, he worked with Norman as a manager for the threat response team.
Uday Pratap Singh
Zscaler Uday Pratap Singh works in Zscaler ThreatLabZ as a staff security researcher. He has more than nine years of experience in the threat research field. He previously worked with CDAC as Project Engineer. His research area includes sandboxing, malware analysis, and developing tools for effective detection against malware. Uday holds a Bachelor's degree in computer science from Uttar Pradesh Technical University and is currently pursuing an M.Tech in data science from BITS, Pilani. Apart from threat research, Uday loves to play cricket and to watch movies.
arrow left Back

Bugs in malware – uncovering vulnerabilities found in malware payloads

Nirmal Singh (Zscaler) & Uday Pratap Singh (Zscaler)
Malware authors often take advantage of vulnerabilities in popular software and use other techniques to bypass security products like anti-virus, sandboxes and intrusion detection systems, and security researchers find ways to patch such bugs in products to make detection effective both statically and dynamically. There is a lot of research about anti-VM, anti-sandbox and bypassing AV products, but we haven’t seen much on the opposite side – that of finding bugs in malware which prevent the malware from spreading and infecting the system. Sometimes there are also bugs and coding errors in the malware code which cause the malware to crash and not serve its sole purpose. Such bugs can persist in malware families for a long time.

Through this research, we present multiple prevalent malware families which are crashing due to coding errors. We observed that sometimes malware doesn’t validate the output of a queried API or are unable to handle different types of C&C response. Authors often develop malware according to their local environment and don’t consider other techniques, e.g. ASLR, DEP, required to load modules in malware which cause them to crash.

To illustrate multiple bugs and coding errors in malware, we have performed a large-scale analysis of a data set of malicious samples that crashed in the Zscaler Cloud Sandbox. We collected such samples from late 2019 to March 2021 in the Zscaler Cloud. Furthermore, research & analysis is performed on multiple malware families showing crashes or running idle due to coding errors.

We will look at recent malware, botnets and ransomware with such different kinds of vulnerabilities and coding errors. We will also present a methodology to categorize malware families based on vulnerabilities and also detection in a cloud sandbox based on minimal activity before crash.
Nirmal Singh
Zscaler Nirmal Singh is Director of Security Research team at Zscaler ThreatLabZ located in Chandigarh, India. Nirmal has a Ph.D. in computer science and has been working in the threat research and analysis field for the past 11 years. He oversees malware research, detection and innovation at Zscaler. Prior to Zscaler, he worked with Norman as a manager for the threat response team.
Uday Pratap Singh
Zscaler Uday Pratap Singh works in Zscaler ThreatLabZ as a staff security researcher. He has more than nine years of experience in the threat research field. He previously worked with CDAC as Project Engineer. His research area includes sandboxing, malware analysis, and developing tools for effective detection against malware. Uday holds a Bachelor's degree in computer science from Uttar Pradesh Technical University and is currently pursuing an M.Tech in data science from BITS, Pilani. Apart from threat research, Uday loves to play cricket and to watch movies.