Cybercriminal gangs from Eastern Europe have always followed a rule: Don’t steal from Russians or their former Soviet allies. Groups like REvil or DarkSide put kill switches inside their malicious code, checking if the language on the machine it lands on is Russian, Ukrainian, Georgian, Armenian, or Romanian. If it is, the malware simply fails to install.
Such tactics create malware variability—the same piece of code can do different things on different computers, depending on the version of the OS, the libraries installed, or the language settings. “If you try to run the same malware on three or four different machines, you’ll potentially get three or four different behaviors,” says Erin Avllazagaj, graduate research assistant at the University of Maryland, College Park.
While security researchers have long been aware of malware variability, few studies estimated just how extensive it is in the wild. Avllazagaj wanted to know more, so he looked at 7.6 million malware execution traces recorded in 5.4 million real hosts in 113 countries. He noticed many behavior changes across time and across machines, with troubling implications. “You cannot say this malware is a Trojan because it behaves like a Trojan, because maybe in the next execution it will behave like ransomware,” he says.
Sometimes, these variations are unintentional because the malware fails to work correctly. However, even more interesting are those intentional variations, when the malware is designed to perform certain activities only on the right computer or under the right circumstances, trying to appear benign when these conditions are not met.
A piece of malware like this will look benign on most machines, making it difficult to spot. “The information from automated systems or the endpoint detection can be used for positive identification of malware’s presence but may not be very useful for confirming its absence,” says Peter Kosinar, technical fellow at ESET.
Typically, nation-state actors are known to use sophisticated tactics that leverage malware variability, but Kosinar noticed some mass-distributed malware that also employs these tricks. Avllazagaj’s research could shed some light on the variability of malicious code, which could help the security community better understand the issue.