In 1998 I had an experience that had a deep and lasting effect on me. At that time I was mainly engaged in malware coding for personal growth. I started by reading the source code of a few publicly available trojans written in Delphi. When I learned how they worked I built one myself at around 350k. It wasn’t perfect; keep in mind, though, that Delphi allows you to build powerful tools in virtually no time.

So I wanted to make this malware really good. I changed from Delphi to C and from around 350k it became 16k. The core was small and tight while all additional functionality was provided as DLL plugins attached to the tail of the executable. So I had one keyhook DLL module and another one responsible for dumping RAS dial-up credentials. I had an infection mechanism and a taskbar-hiding feature that was rather cool for that time.

When I finished the malware I didn’t release it as open source, although that had been my plan. At that time I thought it would be too unfortunate if I became responsible for someone’s network being subjected to an external or internal attack. However, I shared my knowledge with others to help improve the almost useless anti-virus scanners of 1998.

Today’s malware is a lot different from the malware I was exposed to in the past. Joanna Rutkowska from invisiblethings.org did some quite cool and advanced research on this topic. I recommend reading about her Blue Pill technology. Today’s malware is a lot different, but nothing new if you think about it.

It is not that I want to see new types of malware. Not at all! It is that I believe a new generation is coming. Looking through the possibilities, this thought gives me the creeps.

So what is the bot of the future? I really have no idea, although I can clearly see some things happening for sure. The bot of the future will be able to move across platforms and implementations freely. The bot of the future will be able to re-code itself and plug its destructive power into any device. The bot of the future will have eyes and ears. The bot of the future will be undetectable because it makes use of the existing system in such a way that nothing suggests something wrong is happening. This is an ultra bot.

I cannot tell how all this will be implemented, but here is an interesting thought that may make you think like me. I said that the ultra bot has eyes and ears. So, how can this be achieved without using fancy drivers and extra software? Well, reuse the system components! The bot can use Flash for that purpose, for example. We all know that Flash has support for video and audio recording. When the user visits a page with a SWF component that makes use of the peripherals, a warning dialog is displayed on screen asking the user to grant the necessary permissions. This is a good security feature that prevents everybody from snooping on your life.

What the ultra bot can do is modify the Flash settings in order to loosen the security sandbox. There are configuration files (mms.cfg and security.cfg, for example) that can be created to tell Flash Player to skip the warning and go ahead. One caveat for the practitioner: mms.cfg is the administrator file that Flash Player reads from a system-wide location, not from the home folder; the per-user files are the trust .cfg files under the FlashPlayerTrust directory, which widen the sandbox for SWFs loaded from the listed local paths, and the settings.sol files in which Flash Player records the per-site camera and microphone permissions the user has granted. This is how the ultra bot can gain access to the camera and the microphone with a simple SWF file. In fact it can grant access to other websites you visit as well, which means that once you start surfing the web, malicious websites will be able to see you and listen to you. How about that?

This is definitely a possible attack vector. Consider this: all modern laptops have a built-in camera and microphone. On top of that, loosening Flash’s security model may also grant malicious sites access to local resources.
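A defender’s check for the two loosenings described above (trusted local paths dropped into the per-user FlashPlayerTrust directory, and camera/microphone not disabled in the administrator mms.cfg), written as an added example; it is not code from the original post. The file layout is the documented Linux one (~/.macromedia/Flash_Player/#Security/FlashPlayerTrust and /etc/adobe/mms.cfg) and is an assumption if you port it to Windows or macOS; the sample home folder is constructed in a temporary directory, so nothing on the real machine is read or written. The settings.sol files that hold per-site camera permissions are AMF-encoded and are not parsed here.

```python
"""Audit Flash Player trust files and mms.cfg for settings that widen the sandbox.

Added example, not part of the original post. Paths are assumptions based on the
documented Linux layout; everything below runs against a constructed sample tree.
"""
import tempfile
from pathlib import Path

# Per-user trust directory: each file lists local paths whose SWFs run in the
# local-trusted sandbox (local file access plus network access).
USER_TRUST_DIR = Path(".macromedia/Flash_Player/#Security/FlashPlayerTrust")
# Administrator file, normally /etc/adobe/mms.cfg; relative to a root we control here.
ADMIN_MMS_CFG = Path("etc/adobe/mms.cfg")


def _config_lines(path):
    """Yield the non-empty, non-comment lines of a Flash config file ('#' comments)."""
    for raw in path.read_text(encoding="utf-8", errors="replace").splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_trust_file(path):
    """Return the local paths a FlashPlayerTrust file marks as trusted, one per line."""
    return list(_config_lines(path))


def parse_mms_cfg(path):
    """Parse the administrator mms.cfg ('Key = value' lines) into a dict."""
    settings = {}
    for line in _config_lines(path):
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def audit(root):
    """Return (kind, location, detail) tuples for every setting that widens what a
    SWF may do: any trusted local path, and AV hardware not globally disabled."""
    findings = []
    trust_dir = root / USER_TRUST_DIR
    if trust_dir.is_dir():
        # Assumption: every regular file in the directory is read as a trust file.
        for cfg in sorted(p for p in trust_dir.iterdir() if p.is_file()):
            for trusted in parse_trust_file(cfg):
                findings.append(("trusted-local-path", cfg.name, trusted))
    mms = root / ADMIN_MMS_CFG
    settings = parse_mms_cfg(mms) if mms.is_file() else {}
    if settings.get("AVHardwareDisable") != "1":
        findings.append(("av-hardware-allowed", str(ADMIN_MMS_CFG),
                         settings.get("AVHardwareDisable", "<unset>")))
    return findings


def harden(root):
    """Append AVHardwareDisable=1 to mms.cfg so no SWF can reach camera or microphone,
    whatever per-site permissions a user (or a bot) has stored. Returns the new settings."""
    mms = root / ADMIN_MMS_CFG
    mms.parent.mkdir(parents=True, exist_ok=True)
    settings = parse_mms_cfg(mms) if mms.is_file() else {}
    if settings.get("AVHardwareDisable") != "1":
        with mms.open("a", encoding="utf-8") as fh:
            fh.write("AVHardwareDisable=1\n")
    return parse_mms_cfg(mms)


def build_sample_tree(root):
    """Constructed sample: a home folder where something dropped a trust file naming
    writable directories, and an mms.cfg that leaves AV hardware enabled."""
    trust_dir = root / USER_TRUST_DIR
    trust_dir.mkdir(parents=True)
    (trust_dir / "security.cfg").write_text(
        "# dropped by an unknown installer\n/tmp/dropzone\n/home/user/Downloads\n")
    mms = root / ADMIN_MMS_CFG
    mms.parent.mkdir(parents=True)
    mms.write_text("# admin settings\nAutoUpdateDisable = 0\n")
    return root


def demo():
    """Audit the constructed tree before and after hardening; returns both lists."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp))
        before = audit(root)
        harden(root)
        after = audit(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after hardening:", *after, sep="\n  ")
```

Run it as-is to see the three findings on the sample tree; after hardening only the two trusted-path findings remain, because AVHardwareDisable closes the camera and microphone but the trust file still has to be removed by hand. Point USER_TRUST_DIR and ADMIN_MMS_CFG at the real locations for your platform to audit an actual machine.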

I know that a lot of readers may argue that there is no point in doing such a thing. I mean, if the bot has access to the file system it can do far more dangerous things than just breaking the immune system. But if the bot wants to be as stealthy as possible, this is exactly what it should do. Think of it like the HIV virus. You can have it for years and not be aware of it. On the other hand there are diseases that can kill you in days. You know about them as soon as you get them. Which model is better? IMHO the first one is what most attackers are trying to achieve: long-term gain.

I will wrap this post up with this thought: expect more. I don’t know how all of this will affect the world, so consider this a security notice. What I hope for is to have the right cure at the right time.