7 of the worst malware fails ever

Dick O'Brien, Threat Intel
Jun 2, 2017

Symantec blocks nearly 1 million new malware variants every day. Few stand out from the crowd, but very occasionally we come across examples that are memorable for reasons that may not have been intended. Whether it’s accidentally revealing the author’s identity, leaving the decryption key on an encrypted computer, or just plain ineptitude, here are some of the funnier malware goofs we’ve encountered.

How a malware author looks when they realize they’ve made a mistake. Probably. (Stock image)

Blaster master meets disaster

If the first thing a piece of malware does is create a file called “penis32.exe”, you can safely bet that the author is a teenager. That turned out to be the case with the author of Blaster.B (W32.Blaster.B.Worm), a variant of the Blaster worm. Shortly after the original worm was released, 18-year-old Jeffrey Lee Parson released a modified version designed to infect compromised computers with a backdoor Trojan.

Within days, the FBI had tracked Parson down. The investigation was aided considerably by Parson’s ineptitude. A website that the malware contacted was registered using Parson’s real name and address. If that wasn’t enough, the IP address he used was traceable to his father’s broadband account. He was quickly apprehended and, in 2005, was sentenced to 18 months in prison, three years of supervised release and 100 hours of community service. The authors of the original worm were never brought to justice.

Scary name, not-so-scary payload

Less-skilled malware writers will often try to compensate for their poor technical skills by giving their creations menacing names. Nazis, Satan and Weapons of Mass Destruction (WMDs) are favored sources of inspiration. That was the case with Hitler ransomware (Ransom.Hit). Using a picture of Adolf Hitler in its ransom message, it informed victims that they had been infected by the “Hitler Ransonware” [sic] and that their files had been encrypted. However, the malware didn’t encrypt any files, presumably because this was beyond the capabilities of its authors. Instead, it simply removed the extensions from files in a range of folders. After an hour, the malware crashed the infected computer and, after the restart, deleted all files from the User Profile folder.

The Hitler ransomware authors demanded €25 in pre-paid cellphone credit as a ransom, but anyone (if there was anyone) who paid wouldn’t have received a decryption key, since there were no encrypted files to decrypt. While the malware does delete the victim’s files, they may be recoverable. As with some of the files targeted by the recent WannaCry ransomware, the fact that they are deleted rather than overwritten means they are potentially recoverable using an undelete or disk recovery tool.

A reference in its code to it being a test led to some speculation that it was an unfinished version of the malware. If it was, the finished version has yet to see the light of day, which is hardly surprising for people who couldn’t even spell “ransomware” correctly.

One small oversight

A far more professional piece of ransomware was CryptoDefense (Ransom.Cryptodefense), which appeared in 2014 and was one of the first of the new breed of crypto-ransomware families that have mushroomed in recent years.

CryptoDefense included all of the usual elements that make crypto-ransomware devastatingly effective. It employed strong encryption, which can make the victim’s files inaccessible without a decryption key, and Bitcoin payments, which provide a relatively anonymous means of ransom payment. Analysis by Symantec found that its authors made $34,000 during the first month of distribution.

So far, so good. But the authors made one mistake. The encryption method they used left a copy of the decryption key on the victim’s computer. Anyone who knew about this could easily decrypt their files themselves, the ransomware equivalent of leaving the keys in the ignition. Back to the drawing board…

Too clever by half

During 2012, the Remote Control Virus (Backdoor.Rabasheeta) caused quite a stir in Japan. A number of people were arrested after death threats posted online were traced back to their computers. However, further investigation revealed that those arrested were innocent. Their computers had been infected by the Remote Control Virus, which hijacked them and used them to issue the threats.

A few months later, someone sent an email to a lawyer claiming to be the malware’s author and offering proof in the form of a “How To” manual for the attacks. What followed was a lengthy cat-and-mouse game between the malware author and the police.

A month later, the lawyer and a number of journalists received an email from the same person, claiming that they had made a mistake that would allow the authorities to track them down. The email contained an attached image with faked Exif data, designed to fool the police about the attacker’s location.

By the end of 2012 the police were no nearer to catching the Remote Control Virus author and offered a reward of three million yen ($27,000) for information that would lead to an arrest. In January 2013, the attacker sent more emails to the media, this time containing a series of puzzles. Solving the puzzles would provide the location of a cat. Bizarrely, the puzzles did indeed lead to a cat on the island of Enoshima. In the cat’s collar, the police found an SD card containing the malware’s source code.

However, the malware author had slipped up. He didn’t realize there was CCTV in operation when he approached the cat. The footage allowed police to identify Yusuke Katayama, a 30-year-old Tokyo IT worker, who was subsequently jailed for eight years.

Not so stealthy

A number of companies develop spyware that is sold to governments and intelligence agencies. Most keep a low profile and their tools contain few traces of who created them or who is using them. When a remote access Trojan (Android.Mobilespy) was first discovered it contained few clues as to its origin, other than some evidence that it had been developed by Italian speakers.

Sometime later, two independent analyses of the malware revealed an operational security faux pas: the Italian company that created the malware had accidentally left a URL in the code that redirected to the company’s own website.

One very costly typo

The cyber attack that led to the theft of $81 million from the Bangladesh central bank was one of the biggest bank heists in history, so it may seem odd to list it among malware goofs. However, the attackers could have potentially stolen a lot more if their spelling had been better.

The attackers used a range of malware to compromise computers at the bank and initiate $951 million in fraudulent transactions. Four transactions, totaling $81 million, were completed, but the next one, for $20 million, raised a red flag. The attackers were attempting to route the money to a fictitious NGO in Sri Lanka called the “Shalika Fandation” [sic], but had misspelled the word “foundation”. This typo, along with the unusually large number of payment requests to private entities, raised suspicions and led to the Bangladesh Bank blocking the remaining transactions.

I’ll get you next time!

On occasion, when a security firm stymies the work of malware authors, they’ll retaliate by incorporating taunts and insults into their code, knowing they’ll be found the next time the company’s researchers pick apart their work, for example “Symantec does group masturbation” or “Symantec team is a big hen-coop chicken smart” (your guess is as good as mine).

One of our favorites was this defiant note:

Dear Symantec: For years I have longed for just one thing, to make malware with just the right sting, you detected my creation and got my domains killed, but I will not stop, I can rebuild. P.S. F@?k you a**^$les, especially Stephen Doherty who is the biggest f@??#t I know of.

Malware authored by that individual has since disappeared without trace.

If you want to read more about malware mistakes, take a look at this white paper.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cybersecurity.

Comms guy at Symantec Security Response. Racing cyclist. Keen on tech, politics, books, fitness and nutrition.