Stealth is the best camouflage for most modern malware. Unless, that is, you are talking about ransomware, which wants to achieve the exact opposite of stealth. In all other cases, anything that makes malware stealthier is considered desirable. At G DATA, a researcher came across a sample which breaks some of those rules.
Programming malware is an art that not everybody has mastered (or wants to master). In a time when ready-made malware kits are available, extensive skills are not even necessary. If you would still like to write your own piece of malware, you mostly do need good programming skills to produce something that works. Why "mostly"? There are tools intended for developers who want quick results without having the required level of knowledge.
AutoIT is one such tool. The AutoIT scripting language allows you to create programs with very little effort. While it is primarily used to help network administrators automate everyday tasks, it can also be used to create and compile more complex programs. AutoIT has very strong ties to BASIC, a programming language which is at the foundation of many modern applications. The first home computers had BASIC preinstalled, and it was also often taught in computer classes in school.
One of our researchers has come across a malware sample which was written in AutoIT. It is not uncommon to find this type of thing, but the sample that sparked his interest was peculiar in several ways. In most cases, malware authors have a strong motivation to make the program start on the first try and run its malicious routines.
This specimen will not run its routine until it has been started three times. There is no apparent reason for this approach. It might have been intended as a precaution to prevent the program from accidentally running on the system it was developed on. It might also be a rather crude attempt at sandbox evasion: a sandbox that executes a sample only once would never observe the payload, so dynamic analysis has to account for such run counters.
The malware appears to primarily target users from China. The objective is to increase the number of clicks on certain websites. The business model behind this is called "affiliate marketing". In simplified terms, a user is directed to a website in a way which signals to the web server "this visitor comes here thanks to the recommendation of partner X". For each automated click, a certain commission is paid to the author of the malware. So each click equals real money: the more clicks are generated, the more money the attacker receives.
Many of us have had some contact with this sales model without being aware of it. In simplified terms, a company which wants to sell goods or services makes contracts with advertising partners who put advertisements on their websites. For every customer who clicks one of those advertisements, the partner is paid a commission. To distinguish between the advertising partners, each one has a unique affiliate ID which can be put in a link. As soon as anyone clicks the link, the company instantly knows on which website the link was clicked and which partner therefore receives a commission. In many cases, those commissions are paid on a "per click" basis. Naturally, there is a motivation to try and automate clicks and increase payouts. However, those affiliate partnerships can be terminated very quickly as soon as it turns out that those clicks are not, in fact, organic and are not performed by a human.
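To show what such automated affiliate clicks look like from the defender's side, here is an added example (not code from the article or from G DATA's report) that flags clicks on the same affiliate ID arriving from one client in a machine-like cadence in web-server access logs. The log lines, the `aff` query parameter and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Constructed sample of access-log lines (not from the original article).
# The partner id is assumed to travel in the "aff" query parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2015:10:00:00 +0000] "GET /landing?aff=4711 HTTP/1.1" 200 512 "Mozilla/5.0"
203.0.113.7 - - [12/May/2015:10:00:30 +0000] "GET /landing?aff=4711 HTTP/1.1" 200 512 "Mozilla/5.0"
203.0.113.7 - - [12/May/2015:10:01:00 +0000] "GET /landing?aff=4711 HTTP/1.1" 200 512 "Mozilla/5.0"
203.0.113.7 - - [12/May/2015:10:01:30 +0000] "GET /landing?aff=4711 HTTP/1.1" 200 512 "Mozilla/5.0"
198.51.100.23 - - [12/May/2015:10:02:11 +0000] "GET /landing?aff=4711 HTTP/1.1" 200 512 "Mozilla/5.0"
198.51.100.23 - - [12/May/2015:14:37:05 +0000] "GET /landing?aff=9001 HTTP/1.1" 200 512 "Mozilla/5.0"
"""

# Common log format: client ip, identity, user, [timestamp], "GET path HTTP/x"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+"')


def parse_clicks(log_text):
    """Yield (client_ip, timestamp, affiliate_id) for every affiliate click."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, path = m.groups()
        aff = parse_qs(urlparse(path).query).get("aff")
        if not aff:
            continue  # not an affiliate link, ignore
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        yield ip, when, aff[0]


def suspicious_affiliates(log_text, min_clicks=3, max_gap_seconds=60):
    """Return {affiliate_id: [client_ip, ...]} for clients that hit the same
    affiliate id at least min_clicks times with every consecutive click no
    more than max_gap_seconds apart; humans rarely repeat a partner link
    that quickly, so such sequences merit a manual look before payout."""
    clicks = defaultdict(list)
    for ip, when, aff in parse_clicks(log_text):
        clicks[(ip, aff)].append(when)
    flagged = defaultdict(list)
    for (ip, aff), times in clicks.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_clicks and all(g <= max_gap_seconds for g in gaps):
            flagged[aff].append(ip)
    return dict(flagged)
```

With the constructed log above, only affiliate `4711` is flagged, and only for the client that clicked it four times within ninety seconds.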
If you are interested in further technical details of the malware discussed in this article, you can download the full analysis report by Nathan Stern using the link below.