Alice In Userland: Intro
“If you’re trying to get somewhere, just start walking.”
This post is the first in a series discussing malware development for red teamers and penetration testers. Ideally, it will go from writing code that certain folks don’t want you to write all the way to learning how to evade defenses, taking a more philosophy-based approach to evasion rather than a purely technological one. It is assumed the reader has some background in computer science and security.
Entering the Rabbit Hole
Malware development for red teaming is often extremely objective-oriented, which for a beginner might leave them asking why they are doing what they are doing. It may be possible for them to develop code that meets their goals, but I feel strongly that a more intuitive understanding of the art of development, and context for their work, will only aid in their journey of learning.
At its core, malware is code that was developed for malicious purposes. “Malicious” and “purpose” are two very human words, and thus this definition isn’t super rigorous, but most people (hopefully) have a strong enough moral compass to come to a consensus on its meaning. What this also means is that malware is language agnostic and platform agnostic.
You might already have some idea of what malware does; we’ve all seen the movies where a virus is uploaded to the mainframe™️ and sparks go flying. While that certainly is a malicious action, realistically the chances of that happening are close to nil, and defenders are often looking for much more subtle giveaways. “What separates malware from a ‘regular’ program or process?” is a question that props up an entire industry within the cybersecurity field. As it stands, there are a variety of types of malware, as you can see here. Essentially, there is a set of actions deemed suspicious or detrimental to computer systems, including encrypting every readable and writable file it can see, stealing login credentials from browsers and relaying them to some remote proxy network to be collected somewhere, or stealthily backdooring your computer so that it can be remotely controlled. To clarify, regular programs shouldn’t do this.
Based on that set of actions, SOC teams, antivirus vendors, firewall vendors and their ilk create software that attempts to detect those actions and stop them from occurring. One issue with this is that in order for these vendors to detect these actions, they need to be aware of them. That is, they need to know what the suspicious action is, and they need to have visibility into that action. As attackers, in order to bypass defenses, it is sufficient to defeat either or both of those criteria. This, however, is no easy feat, as the battle between malware and those fighting it has been raging for decades. That said, with sufficient study, one can understand the detection mechanisms so that they can be bypassed, or one can work on creating suspicious actions that haven’t been discovered yet, through the world of vulnerability research and exploit development.
What Are We Even Doing?
In this series, I will focus on malware development for the red teamer, and as such there will be an emphasis on Windows-based malware, Windows internals, and languages such as .NET, C/C++, assembly, and other tools that may be unique to Windows. There will also be an emphasis on developing a loader, as it is extremely flexible in terms of what its effects are, and since it is so widespread, there are many defenses to bypass, offering many learning opportunities.
Conclusion
This piece is short and sweet: it defined malware, discussed what it does, and briefly discussed bypasses (which I will go into in much more detail later). Hopefully the goal of this series is now clear to you, and it can become a useful resource in your malware development endeavors.