随着恶意软件拥抱 Rust，新的防御措施应运而生_AI阅读总结 — 包阅AI

In line with the cat-and-mouse nature of cybersecurity, threat groups over the past several years have taken to writing their malware in modern programming languages to leverage their cross-platform capabilities and to better evade antivirus and other security tools.

While more malicious code is now being written in Go, Python, and others, Rust increasingly appears to be the language of choice for many bad actors as they migrate away from C and C++. In a recent list of dangerous malware variants, cybersecurity firm ReliaQuest included the growing number of information-stealers – like Fickle Stealer and Rusty Stealer – written in Rust.

“Discussions about the most effective malware programming languages on online cybercriminal forums indicated that users prefer Rust for its ability to incorporate C and C++ code and for being difficult to reverse engineer,” Hayden Evans, cyberthreat intelligence researcher for ReliaQuest, wrote in a blog post, noting that from the start of 2022 to August, there was a 2,953% increase in the number of posts on online cybercriminal forums discussing Rust-based info-stealing malware.

Cybersecurity companies SentinelOne and Intezer want to tackle the issue, launching a collaborative project called OxA11C that they hope other programmers will join to create a methodology for simplifying the process of reverse engineering Rust.

Malware analysis is difficult as is – requiring that investigators determine the intent of the compiled code without having the source code in hand – and doing so with malware built on a new language compounds the challenges, according to Juan Andrés Guerrero-Saade, associated vice presidentof research at SentinelLabs, SentinelOne’s research arm.

“Our tools, already complex and brittle, often break when faced with new languages like Rust, which introduce novel ways to structure data, manage memory and return values,” Guerrero-Saade told The New Stack. “These foundational changes complicate reverse engineering, making it harder to recover the malware developers’ intent.

“Each new language not only demands that we update our tools but also challenges us to discover exploitable quirks within the language itself. Without these adjustments, attackers gain a significant advantage, hiding their malware in a confusing jumble of unintelligible code.”

The Challenge of Reverse Engineering

Another challenge is that the community of developers who work on reverse-engineering methods is small compared with those advancing programming languages and frameworks, Guerrero-Saade said, calling reverse-engineering tools “marvels of software engineering” that require constant maintenance and innovation to keep up with the growing number of languages, compiler optimizations, and architectures.

“As foundational software development concepts evolve, reverse engineering approaches must adapt with far fewer resources,” he said. “Rust introduces its own ambitious programming paradigm – with new challenges in memory management, data structures, and how functions handle data in the binary – widening the gap in our ability to effectively analyze compiled Rust binaries and increasing the likelihood of Rust-based malware slipping through undetected.”

SentinelOne and Intezer, who introduced the OxA11C project at the recent Black Hat conference, expect to have a clearer understanding of the Rust malware ecosystem before the end of the year, Guerrero-Saad said. The companies hope that a community-wide collaborative approach will accelerate the development and availability of simplified Rust reverse-engineering solutions by overcoming the relative dearth of developers focused on such tools.

SentinelOne and Intezer already are collaborating with binary code analysis firm Hex-Rays and Vector35, whose services include reverse engineering, vulnerability and custom software.

A ‘Unified’ Response to Rust Malware

Jason Soroko, senior vice president of product at cybersecurity company Sectigo, told The New Stack that the lack of mature reverse-engineering tools for Rust and other newer programming languages provides another layer of obfuscation to malware and adds to the reasons why cybercriminals are migrating to them.

“While there are some efforts to tackle Rust-based threats, such as community-driven open source projects and research from academic institutions, the collaborative approach of SentinelOne and Intezer’s initiative stands out,” Soroko said. “Their focus on creating accessible tools and fostering community engagement provides a more unified and potent response to the challenges posed by Rust malware.”

In addition, such collaboration is another step toward standardizing how emerging programming languages used by threat actors are analyzed, he said, adding that organizations need to remember that “the open source tools meant to reverse engineer Rust binaries can also be used by malicious actors to analyze legitimate Rust based software.”

Rust Popularity on the Rise

Rust has quickly risen in popularity since the first iteration was released in 2015, with about 4 million developers – who call themselves Rustaceans – in Q3 2023 embracing the language, tripling in number over the previous two years. About 17.6% of those not using Rust in 2022 said they want to start, according to Stack Overflow’s annual developer survey, drawn by its safety, concurrency, and performance features.

In Stack Overflow’s survey released in July, Rust emerged as the most admired language, cited by just over 82% of developers.

High-profile IT organizations like Microsoft, Amazon, Google, and Meta have adopted it and federal agencies like CISA (Cybersecurity and Infrastructure Security Agency) and DARPA (Defense Advanced Research Projects Agency) urging programmers to migrate away from C and C++ and to Rust and other modern memory-safe languages.

CISA has said that as much as two-thirds of all software vulnerabilities are the result of a lack of memory-safe coding, and DARPA – the research and development arm of the U.S. Defense Department – earlier this month announced its TRACTOR (Translating All C to Rust) program that will use large-language models and other machine learning techniques to automate many of the tasks needed to rewrite C and C++ code to Rust.

Cybercriminals Quickly Adopting Rust

Nicole Fishbein, security researcher with Intezer, said the cybersecurity community supports the shift as a way to eliminate memory-safety vulnerabilities.

“Our concern is that malware developers are embracing Rust more enthusiastically than the rest of us and our tools aren’t keeping up,” Fishbein told The New Stack. “The approach we’re developing is designed to analyze Rust-based malware, enabling the cybersecurity community to handle these emerging threats.”

There has been a learning curve for security pros to develop tools for analyzing new programming languages — and that curve created a window of opportunity for attackers, according to Ngoc Bui, a cybersecurity expert with Menlo Security.

“Rust also has cross-platform capabilities, so it can simultaneously target Windows, Linux, and ESXi computers,” Bui told The New Stack. “This efficiency is particularly attractive in the ransomware landscape, where maximizing impact is a key objective.’

‘AlphaGolang’ a Model for Success

SentinelOne and Intezer are hoping the OxA11C project will have the same success of SentinelLab’s similar effort to address the rise of malware created using Go. The result was the creation of the reverse-engineering methodology called “AlphaGolang.”

“AlphaGolang showed us that these shifts in programming paradigms aren’t entirely bad news,” said Guerrero-Saade, of SentinelLabs. “Once we understood the particularities of Go and adapted our tools to exploit them, many reverse engineers found that Go-based malware can be a lot easier to analyze than more established languages like C++.”

He added, “AlphaGolang helped raise the tide of competency, enabling more reversers and malware analysts to triage Go-based malware without needing to become niche experts first.”