Beginnings are often steeped in myth, legend and a good helping of storytelling, with malware being no exception to this rule. Way back in 1974, before many of our readers were born, malware was still in its infancy, with early pioneers inventing different types of malware to simply explore what could be done.
Malware spotlight: Wabbit
This article will detail the Wabbit type of malware and will explore what Wabbit is, the history of Wabbit, how Wabbit works, the fork-bomb Wabbit variant, and potential applications for this early type of malware.
The name is apt: it refers to how fast rabbits reproduce. Wabbit is often cited as the first self-replicating malware ever written (historians who point to Creeper, which appeared in 1971, will dispute that), and it reproduces so fast that the host system grinds to a halt as every available resource is consumed by copies of Wabbit.
Because Wabbit is so rare and so unusual, modern malware discussions seldom list it as a type of malware at all. Looked at historically, though, it clearly is malware, and it remains valuable both as an educational tool and as an early milestone in malware history.
Wabbit is a relic of an earlier computing age, written to take advantage of the way IBM's operating system processed work. IBM systems of the day used what was called the ASP job stream, and as the copies of Wabbit consumed resources the system communicated with its console less and less. Seen through modern eyes, Wabbit most closely matches a resource-exhaustion denial-of-service (DoS) attack launched from inside the machine: it multiplies on a single host rather than spreading to others.
Wabbit's most useful role today is in computer science and information security education. Although it can still damage a system, it is simple enough to serve as a clean demonstration of process and program replication.
Students can be given a time limit in which to stop Wabbit, with the exercise ending either when they succeed or when the infected system crashes. Such an exercise also teaches how simple malware can be, and that stopping it often requires understanding how it works first.
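To make the replication exercise concrete, here is an added example in C; it is not code from the article or from the original 1974 program. It mimics a wabbit that doubles itself, but only for a fixed number of generations, and pairs it with the standard countermeasure, a per-user process cap set through RLIMIT_NPROC (the same limit `ulimit -u` sets). The doubling factor of two, the three-generation limit and the cap value of 256 are choices made for this demonstration, not properties of the original Wabbit.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* One wabbit "generation": the caller spawns two copies of itself, and each
 * copy does the same, but only until depth_limit generations exist.  Without
 * that limit this is a fork bomb: 2^n processes after n generations.
 *
 * Each process waits for a child before spawning the next, so at most one
 * process per generation is alive at a time; the tree is exhaustive but
 * harmless to run.  Returns the size of the subtree rooted at this process,
 * including itself (children report their subtree size in the exit status). */
static int wabbit_tree(int depth, int depth_limit) {
    int count = 1;                           /* this process */
    if (depth >= depth_limit)
        return count;                        /* last generation: stop replicating */

    for (int i = 0; i < 2; i++) {
        pid_t pid = fork();
        if (pid < 0) {
            /* EAGAIN means RLIMIT_NPROC (or the system-wide limit) has been
             * reached: the defence has stopped the replication. */
            if (errno != EAGAIN)
                perror("fork");
            break;
        }
        if (pid == 0) {
            int sub = wabbit_tree(depth + 1, depth_limit);
            _exit(sub > 255 ? 255 : sub);    /* exit status carries subtree size */
        }
        int status = 0;
        if (waitpid(pid, &status, 0) == pid && WIFEXITED(status))
            count += WEXITSTATUS(status);
    }
    return count;
}

/* The classic countermeasure: cap how many processes this user may have,
 * which is what `ulimit -u N` does.  Lowering the soft limit needs no
 * privilege and is inherited by every child, so a later fork bomb fails
 * with EAGAIN instead of exhausting the machine.  Returns the soft limit now
 * in effect, or 0 on error.  Caveat: the kernel does not enforce
 * RLIMIT_NPROC against root, so on a root shell the depth limit above is
 * the only thing bounding the tree. */
static unsigned long cap_user_processes(unsigned long n) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        return 0;
    if (n < rl.rlim_cur)
        rl.rlim_cur = n;                     /* only ever tighten, never loosen */
    if (setrlimit(RLIMIT_NPROC, &rl) != 0)
        return 0;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        return 0;
    return (unsigned long)rl.rlim_cur;
}

int main(void) {
    /* Three generations: 1 + 2 + 4 + 8 = 15 processes in total. */
    int total = wabbit_tree(0, 3);
    printf("processes spawned by a 3-generation wabbit: %d\n", total);

    unsigned long cap = cap_user_processes(256);
    printf("per-user process cap now: %lu\n", cap);
    return total == 15 ? 0 : 1;
}
```

In a classroom setting the interesting run is the one where the cap is applied first and set low: the tree then stops early with EAGAIN, which is exactly the failure mode a student has to recognise when a real fork bomb is loose and every new shell refuses to start.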
Wabbit was originally more tongue-in-cheek than malicious. The same technique, however, can easily be made malicious and made to run on modern systems (the fork bomb is exactly that), which makes it a bona fide type of malware.
Conficker, which first appeared in late 2008, was one of the most complex, fastest-propagating and most feared worms of its day. Its authors, widely believed to have been based in Ukraine, never used it for any visibly destructive purpose: it mainly spread, updated itself and spread to still more networks. There were several Conficker variants, and the sites tracking the worm documented each of them. All of them except Conficker D used Windows networking over NetBIOS/SMB (exploiting the MS08-067 Server service vulnerability) as an infection vector, and infected machines were upgraded step by step until they reached Conficker E, which finally ran a payload by installing other malware. E was built to remove itself after a time, while D remained on the machine. Below is a chart written by Wikipedia editors that illustrates the stages of the Conficker worm:
Cryptolocker, which appeared in 2013, is an example of early ransomware. A user would be infected by downloading a file (typically an email attachment) and running it. Once running, it encrypted the victim's files rather than the whole hard drive, using a key that only the attackers held, and displayed a ransom message naming the dollar amount demanded to get the data back. Cryptolocker was dangerous for its time, though not the most dangerous malware in existence; what set it apart was that it generated enough fear to reach mainstream audiences.
An example: let's assume you subscribe to a mailing list for private pilots. The mailing list is compromised by malicious actors and the entire subscriber list is stolen. A few weeks later you start receiving emails that appear to come from the mailing list owner, with attachments. Assuming they are legitimate, you open an attachment and your computer is infected with malware.
Another example: you work from home as a payroll specialist for XYZ Corporation and manage its banking information. An attacker knows this because he used whaling or vishing to extract it from another member of the company. With that information he impersonates another payroll specialist and tries to get you either to run an attachment carrying malware or to process a fake invoice whose payment lands in the attacker's bank account.
deceptive blockers, which are either actual malware or operate a paid whitelisting scheme. The best-known paid whitelisting scheme is Acceptable Ads from Adblock Plus, which is disclosed to any user who is willing to scroll down and click on the gray-on-white text on the Adblock Plus site, but not anywhere along the way of the default extension install process.
Maybe make that three reasons. As long as Internet advertising fails to pull its weight in either supporting news and cultural works or helping to send a credible economic signal for brands, then the scams, malware and mental manipulation will only continue. More: World's last web advertising optimist tells all!
Is anyone speaking up for web advertising? Not really. Where advertising still has a policy voice, it's a bunch of cut-and-paste anti-privacy advocacy that sounds like what you might get from eighth grade Libertarians, or from people who are so bad at math they assume that it's humanly possible to read and understand Terms of Service from 70 third-party trackers on one web page. The Interactive Advertising Bureau has become the voice of schemes that are a few pages of fine print away from malware and spam. By expanding to include members whose interests oppose those of legit publishers and advertisers, and defending every creepy user privacy violation scheme that the worst members come up with, an organization that could have been a voice for pro-advertising policy positions has made itself meaningless. Right now the IAB is about as relevant to web advertising policy as the Tetraethyl Lead Industry Association is relevant to transportation policy.
Yes, people want to see fewer annoying ads. And nobody likes malware. But people are also interested in protection from tracking. Some users even put tracking protection ahead of malvertising protection.
The target of this month's campaign is an advanced persistent threat whose tooling served as the infrastructure for actors who launched targeted attacks against multiple organizations around the world. This month the MSRT, together with all of the partners in our Virus Information Alliance program, is adding coverage for that infrastructure: Win32/Hikiti and several related malware families, Win32/Mdmbot, Win32/Moudoor, Win32/Plugx, Win32/Sensode and Win32/Derusbi.
Once this threat has successfully entered a system it can install further malware. In some cases the order is reversed: another member of the group is installed first and then installs the rest. The group consists mostly of backdoors and can include the following malware families:
Some Hikiti versions drop an encrypted configuration file (.conf) containing the hosts the malware tries to connect to. The encryption is usually a simple XOR with a DWORD (4-byte) key. Figure 2 shows an example of this .conf file being decrypted.
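Decrypting such a file is mechanical once the key is known, and a repeating 4-byte XOR key is also easy to recover from a few bytes of known plaintext. The following C example is added here; it is not Microsoft's tooling or Hikiti's own code. The 24-byte .conf blob, the key 0x1A2B3C4D, the little-endian ordering of the key bytes and the assumption that the file is zero-padded after the host string are all constructed for the demonstration and may not match the real format.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* XOR buf in place with a repeating 4-byte key, applying the key's bytes in
 * little-endian order (key byte 0 at offsets 0, 4, 8, ...).  XOR is an
 * involution, so the same call both encrypts and decrypts. */
static void xor_dword(uint8_t *buf, size_t len, uint32_t key) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (uint8_t)(key >> (8 * (i % 4)));
}

/* Recover the DWORD key from four consecutive ciphertext bytes at `offset`
 * whose plaintext `known` is already known (zero padding, or a header the
 * format always carries): key byte = cipher byte XOR plaintext byte.  The
 * offset need not be 4-aligned; each byte is placed in the key by its
 * position modulo 4. */
static uint32_t recover_key(const uint8_t *cipher, const uint8_t known[4], size_t offset) {
    uint32_t key = 0;
    for (size_t i = 0; i < 4; i++) {
        size_t pos = offset + i;
        key |= (uint32_t)(cipher[pos] ^ known[i]) << (8 * (pos % 4));
    }
    return key;
}

/* Constructed sample (not a real Hikiti artifact): "c2.example.net:443"
 * followed by six zero bytes, XORed with the key 0x1A2B3C4D. */
static const uint8_t sample_conf[24] = {
    0x2E, 0x0E, 0x05, 0x7F, 0x35, 0x5D, 0x46, 0x6A,
    0x21, 0x59, 0x05, 0x74, 0x28, 0x48, 0x11, 0x2E,
    0x79, 0x0F, 0x2B, 0x1A, 0x4D, 0x3C, 0x2B, 0x1A,
};

/* Recover the key from the trailing zero padding (bytes 20..23). */
static uint32_t sample_key(void) {
    static const uint8_t zeros[4] = {0, 0, 0, 0};
    return recover_key(sample_conf, zeros, 20);
}

/* Decrypt the sample with the recovered key and copy the NUL-terminated
 * host string into out.  Returns the host string length, or -1 if out is
 * too small or the result is not printable ASCII (wrong key or wrong
 * format assumption). */
static int sample_host(char *out, size_t outlen) {
    uint8_t buf[sizeof sample_conf];
    memcpy(buf, sample_conf, sizeof buf);
    xor_dword(buf, sizeof buf, sample_key());

    size_t n = 0;
    while (n < sizeof buf && buf[n] != 0) {
        if (buf[n] < 0x20 || buf[n] > 0x7E)
            return -1;                       /* sanity check: hosts are ASCII */
        n++;
    }
    if (n + 1 > outlen)
        return -1;
    memcpy(out, buf, n);
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    char host[64];
    printf("recovered key: 0x%08X\n", sample_key());
    if (sample_host(host, sizeof host) > 0)
        printf("C2 host: %s\n", host);
    return 0;
}
```

The printable-ASCII check is the practical tell when working on a real sample: if a candidate key yields control bytes where a hostname should be, either the known-plaintext guess or the byte-order assumption is wrong, and the four bytes used for recovery should be chosen elsewhere in the file.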