Malware authors often take advantage of vulnerabilities in popular software. But, malware is also prone to bugs and coding errors, causing it to crash and serve as backdoors — any method by which authorized and unauthorized users can get around normal security measures and gain high-level user access — for white hat hackers. 

Zscaler conducted research to look at what type of vulnerabilities exist in some of the prevalent malware families, discuss the use of these bugs or vulnerabilities in preventing malware infection, and find out whether these are real vulnerabilities and coding errors or escape mechanisms.

Researchers performed a large-scale analysis on a data set of malicious samples collected from 2019 to March 2021, clustered samples using behavioral similarities and used MITRE’s Common Weakness Enumeration (CWE) system to categorize malware.

The researchers looked at multiple examples of malware with different types of vulnerabilities. They observed that sometimes malware doesn’t validate the output of a queried API or cannot handle different types of C&C responses. Authors often develop malware according to their local environment and don’t consider other techniques, e.g., ASLR, DEP, required to load modules in malware which cause them to crash.

Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, notes, “these bugs may come about as a result of adversaries rushing to “get to market” before competing exploits gain widespread use, inexperience in using development best practices, or other resource constraints.”

This means security vendors can leverage these bugs to write different types of signatures to identify and block such malware attacks. 

“Malware often exhibit common application flaws such as failing to validate input or output, not handling memory buffers appropriately, or failing to handle exceptions,” says Michael Isbitski, Technical Evangelist at Salt Security, a Palo Alto, Calif.-based provider of API security. “These types of common programming mistakes often lead to application failures or faults, and they may also result in exploitable conditions if someone wanted to attack an application. Theoretically, it’s possible that an attacker could exploit a piece of malware present on a system just as they would target a legitimate application or API to breach an organization. In this case, the programming mistakes made by the malware authors helped Zscaler security researchers better understand malware behavior and identify families of malware. In a bizarre turn of events, even something as basic as calling an API to fetch data is not handled properly by the malware samples mentioned in the research. Just like how legitimate applications require connectivity to provide functionality or data, most malware relies on connectivity to provide utility to an attacker or fraudster. Some common malware behaviors include making API or system calls to connect to an external command & control service, query other applications or resources, or plant other application code on a system.”

Jake Williams, Co-Founder and CTO at BreachQuest, an Augusta, Ga.-based leader in incident response, notes the research findings align well with what incident responders dealing with ransomware over the years have observed. “While most of the bugs highlighted in the Zcaler research will have negligible real-world impact, bugs in ransomware encryptors and decryptors absolutely do. In the past, we’ve observed bugs in encryptors that render the encrypted content completely unrecoverable even if the ransom is paid. Today it’s more common to see bugs in decryptors. This is one of the many reasons that incident responders recommend only running decryptors on copies of the encrypted data. Some bugs we’ve observed are transient, meaning that the same decryptor may fail to decrypt data on the first execution, but succeed on subsequent executions.”