0x01: Malware Development 101 - The Genesis
November 12, 2023

Welcome to the dark art of malware development. In this series, we’ll peel back the layers of digital warfare, starting with the fundamentals. This isn’t a beginner’s tutorial. It’s a challenge. Only those who dare to dig deeper will uncover the true potential of what’s at play. Ready to begin?
In the world of cybersecurity, particularly in Red Teaming, mastering the craft of creating Fully Undetectable (FUD) malware is a critical skill. Many rely on tools like Metasploit combined with Veil-Evasion, or PE injectors such as LordPE or Shellter, to generate binaries that bypass antivirus defenses. While these tools may work in some cases, they often fail, especially when your operation is under the radar of a vigilant SOC or Incident Response team.
The biggest setback during a Red Team exercise is when your payload is caught by AV software, triggering alerts and ruining the stealth of your engagement. This is why learning how to write your own FUD malware is essential—customized from the ground up, it’s far harder to detect.
This blog is the first step in that journey, providing an introduction to the world of malware development. Subsequent posts will dive deeper into the technical aspects of crafting undetectable payloads, setting up robust CnC servers, and running full-scale operations.
Get ready to learn how the real game is played.
Prerequisites
To begin with, malware is just code, like any other program. Suppose you want to write an undetectable keylogger: first look at how an ordinary game works on Windows. Every time you press a key in the game (up, down, left, right, Ctrl and so on), a Windows message handler is called that captures the keystroke and performs some action in response. If I write a program with the same code, run it in the background and modify it slightly to store the keystrokes in memory rather than perform a game action, it becomes a keylogger. I can then turn it into a module and push it to a reverse shell to dump keystrokes from a remote machine.
However, there are a few prerequisites before delving into the world of malware; we need to do some homework before we get started. Below are the most important questions to answer before you start writing malware:
- What kind of malware do you want to write?
  - Something that spreads automatically, like a worm
  - A trojan horse
  - Something that automates a task when executed rather than giving a reverse shell
  - A reverse shell for Red Team/Phishing/Targeted Attack Simulation
  - A bind shell
- Which protocol will it use: TCP, HTTP, UDP or HTTPS?
- Which language do I want to write in?
Here are some of the pros and cons of different programming languages when it comes to developing your first piece of malware:
Language | Portability | Scalability | Size | Performance | Detection |
---|---|---|---|---|---|
Python/Ruby | Yes | Yes | Large | Slow due to too much overhead | Easy due to too many libraries |
Golang | Yes | Yes | Large | Faster than Python/Ruby | Medium since not many people write in Go |
C# | No | Yes | Large | Slow due to too much library overhead | Hard |
C/C++ | Yes, due to low-level nature | Yes | Small | Fast | Hard |
Assembly / Shellcoding | Yes | No | Smallest | Fastest | Hard |
Conclusion
This is just the start.