One thing that disturbs me is how people classify some malware by how surprisingly large the file is, how many libraries it uses, etc. In many cases, this just means the malware has inefficient code, and all the tools are available to easily convert the binaries back into human-readable pseudocode. Let’s look back a bit to put things into perspective:
The first PC virus (back then almost all malware were true viruses) I analyzed was Tequila, after my own system was infected by it. It was 2,468 bytes in size, one of the first widespread polymorphic viruses, and pretty complex. Do you think I’m kidding when I write “complex” for a 2.5KB file? It was just highly optimized, written in pure assembly code. Well, times have changed. Modern operating systems provide all sorts of APIs, drivers for different hardware, etc. So let’s see what is now possible with 4,096 bytes of executable code, roughly one page when printed on paper:
Currently there is a competition among coders and artists going on in Saarbrücken, Germany; here is the 4k category. There are 12 entries in total and the stream is a bit broken after the second entry, so just skip forward if you don’t happen to like one piece. Make sure to check out the last couple of entries at least!
Yes, these are extreme examples of programming, produced by highly talented and experienced people. Free and for fun. Expect attackers to also employ high-caliber programmers to achieve their goals. So keep in mind that pure code size doesn’t really matter. The SQL Slammer worm was only 268 bytes, by the way.
Disclaimer: The video is a live stream from the event posted by the organizers, this author doesn’t necessarily condone any messages or other positions that are displayed or expressed.