ThreatLocker CEO Outlines The Perfect Malware Attack
‘Malware is just software. So if we want to create successful malware what we need to do is create successful software,’ says Danny Jenkins, CEO of ThreatLocker.
Malware is just software, and so creating a successful malware attack is really just creating very good software, according to Danny Jenkins, CEO of cybersecurity vendor ThreatLocker.
Jenkins spoke to a room full of MSP executives at the XChange NexGen 2023 conference in Houston this week. The event was hosted by CRN parent company The Channel Company.
“Every time you open software on your computer, whether that software is running as a local admin or whether it’s running as your local user account, that software has access to all of the data that you have access to,” he said.
“At one point, attackers would add a bad piece of code and put good code around it.
“Every time it’s distributed, the good code would change and the bad code would stay the same,” said the co-founder of the Orlando, Fla.-based company. “This made it much harder for antivirus companies to detect your malware. So what they started doing was taking a few bytes from the middle of the file that was the bad code and then they would scan through it. It would scan through and literally check every piece of code. This is when the antivirus went from being really efficient to really slow.”
The first step to writing successful malware is to write unique code and create a reverse shell, which gets around network security.
“Now the interesting thing about when you use API is every time you generate that code, it’s different,” he said. “The functionality is the same, both pieces of code are functionally the same but also very uniquely different. When you compile that code, it’s not on any bad list.”
The point, he said, is that if unique code is written, it is less likely to be detected.
The second step is to use an app icon, as Jenkins said it helps determine whether something is scored as a good application or a bad application.
“How does an antivirus determine if something is good or bad? One of the mechanisms it uses is scoring,” he said. “It can [determine] if there’s copyright in the description.”
There are two advantages to using an icon: it will score higher, so it is less likely to be detected, and users are more likely to click on it.
The CEO also suggested using a local server, in the United States or in Canada, “as you’re less likely to get tripped as malicious software.”
Jenkins suggested encrypting files, but he said that is getting more and more challenging the more files are changed. “The EDR (endpoint detection and response) says, ‘Oh, you changed the files. Let me shut you down,’” he said.
The next step is to run from a trusted system area.
“Programs that run in the downloads folder have a higher probability of being malware because there’s a user that put them there,” he said. “Programs that run in Windows are less likely to be malware. When you push your malware into those folders, if you can, it’s less likely to be detected by the EDR or the antivirus.”
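The location scoring Jenkins describes, seen from the defender's side, as an added example that is not from the article or from ThreatLocker: process-creation events are rated by where the executable lives, with the log format, paths and user names constructed for illustration.

```python
# Added example (not the article's or ThreatLocker's code): a defender-side
# heuristic for the location signal described above. Process-creation events
# are scored by the directory the executable runs from. The log format and
# all sample paths/users below are constructed for illustration.

# Directories a user can write to without elevation: a fresh binary here was
# most likely put there by a user (or by a phish), which is the "Downloads
# folder" case in the talk.
USER_WRITABLE_MARKERS = (
    "\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\", "\\public\\",
)
# Protected system directories: writing here normally needs admin rights,
# which is why scanners treat them as lower risk.
SYSTEM_PREFIXES = (
    "c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
)

def location_risk(image_path: str) -> str:
    """Rate an executable's location as 'high', 'medium' or 'low' risk."""
    p = image_path.lower().replace("/", "\\")
    if any(m in p for m in USER_WRITABLE_MARKERS):
        return "high"
    if any(p.startswith(s) for s in SYSTEM_PREFIXES):
        return "low"
    return "medium"   # unknown location, e.g. a custom tools folder

def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' process-creation line."""
    return dict(kv.split("=", 1) for kv in line.split("|"))

def triage(lines):
    """Return (image, risk, user) for events that deserve an analyst's look."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        risk = location_risk(ev["Image"])
        if risk != "low":
            findings.append((ev["Image"], risk, ev["User"]))
    return findings

# Constructed sample events in a simplified, Sysmon-like layout.
SAMPLE_EVENTS = [
    "EventId=1|Image=C:\\Users\\alice\\Downloads\\Invoice_2023.exe|User=CORP\\alice",
    "EventId=1|Image=C:\\Windows\\System32\\svchost.exe|User=NT AUTHORITY\\SYSTEM",
    "EventId=1|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\setup.tmp.exe|User=CORP\\alice",
    "EventId=1|Image=C:\\Tools\\putty.exe|User=CORP\\bob",
]

if __name__ == "__main__":
    for image, risk, user in triage(SAMPLE_EVENTS):
        print(f"{risk:6} {user:22} {image}")
```

A "low" rating is only a prior: the talk's point is that attackers deliberately place their code in exactly these system locations, so a binary that newly appears under C:\Windows still deserves a look rather than an automatic pass.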
Seth Kilander, CEO of Denver-based Ki Security and Compliance Group, said Jenkins always changes things up and is always exciting to listen to.
“He’s always bringing new content and kind of showing the tricks he always uses or has used in the past,” he told CRN. “He made a comment about how different elevations within the system allow a certain type of access that he’s actually never explained before. That is an entirely new reason to actually pull up their software and to look into it.”