Starting Malware Development
16 min read
After spending years in MEV and web3 infosec DeGatchi explains his reasoning behind switching to malware development. Although seemingly less money and entering an alreaedy mature field, it's clearly the most powerful long term decision to be made -- especially when combining malware development with custom evolutionary AI algorithms.
Underlying Philosophy
To Build Or Break
Chaos is merely order waiting to be deciphered.
I had this conflicting belief that I want to build things that push technology to the next level but I couldn’t think of what that would be. Cybersecurity is the only extremely fascinating world for me because it’s the perfect playground for an unending complex set that is interrelated to everything else. There is so much to learn that you can’t be “done”, especially since everything evolves and gets better and new systems arise.
Theoretically, it is quite perfect for my ADHD brain. Continuous problem solving. And this ties into math as well — thinking from many, what seems at first, illogical perspectives to understand the system better than the creator to bend it to make it do things it wasn’t intended to do.
AI Malware Preview
Imagine having some sophisticated viruses on your laptop that have all your sensitive information and data. These are created by domain experts, honing their crafts for years to decades. Now imagine if this system could adapt on its own. Learning how to evade, mutate and replicate on its own, having complete sovereign autonomy about changing its goals as well. Does this not terrify you? It better because it’s a clear future. Cybersec is going to become so god damn scary in the future and the division from script kiddies to nation-states in their beds will be enormous because of the intersection of mathematical literacy and cybersec mastery.
If you thought covid was bad wait until someone develops a fully autonomous piece of malware that mutates to shut down power grids of countries and switch off hospitals and critical infrastructure. Imagine when a GAN-based malware generates a fraudulent passport ID and gets into the government system to make fake identities to then social engineering with advanced LLMs, all until your bank is drained and you can’t pay rent. What then?
AI has brought us into the age of 1984 by George Orwell and you have been shown the door but you must walk through it. Would you rather be in control of such a weapon or at the mercy of whoever controls it, knowing that you could of done something earlier to protect yourself, e.g., learn AI and cybersec.
Forcing Coevolution
A much better AI would have to be used to stop the malicious AI. The best way to improve a system is to exploit it, finding the flaws and patching it up to make it stronger, more resilient and have a deep understanding of itself — similar to discovering the true person behind their facade is to find their flaws, cracks in the mask.
If the USA didn’t have such a strong military (civilians with guns + everything else) then it wouldn’t have become a global power and enabled free speech to the maximum of what it is now, cultivating an environment for fucking around and finding out. Without security, there would be anarchy. Big Brother controls the world because of security. To unlock free speech and privacy cryptography is needed. To have a system get stronger it needs to be pried open at every crack to remove the weakest link. What’s the point of a tank if an FGM-148 Javelin spearheads it from above, aka its weakest link?
It would be impossible to study level 4 airborne viruses and level 3 viruses without having the necessary security to ensure the experimentation doesn’t leak! And so my point is: to develop the most advanced AI that can evolve it needs to be able to find vulnerabilities in the environment and itself and exploit them to know what to adapt to as evolution is directed by the environment. Militaries adapt to technology because it becomes an unfair advantage. They evolve to the adversarial environment.
Wild West Skill Ceilings
When I was doing web3 automated cyber I hit a skill ceiling quite quickly where to become more advanced I would need to bring in mathematics. Still, even with mathematics, the underlying problems to be solved were minimal. Only a few architectures, most of them replicas of the original with some slight changes (think of EVM vs AVAX vs Solana) and the smart contract languages were almost identical unless they were based on completely different languages (Solana’s Rust vs EVM’s Solidity). The types of attacks were very limited and only looking for financial gain (or preventing the movement of money).
For example, when I created my exploit generation tool there was really only 1 thing to optimise for: permutations of repeatable functions to result in largest amount of money. And then the only other interesting things are code generation, operation security to hide IP, mixing your laundry and everything else unrelated to the actual exploit itself — it all just went back to web2 things and the programmable exploit was really quite underwhelming with complexity and impact beyond money. If money is the end goal web3 is the way but if information, complexity and IRL impact is the goal then definitely web2.
If you want to get financial gain in malware you can go phishing, flirt your way into the mainframe (social engineering), learn encryption with ransomware and create a virtual avatar that speaks to the host w/ GANs or spreads to every computer via social networks to just troll and if you wanted to make money just target crypto traders or do bug bounties. Money is everywhere if you can dig accurately with your skills.
I’ve always been attracted to malware because of the diversity of attacks and environments (operating systems + their versions, larger instruction sets, network + computer architectures, programming languages, problem settings (HFT, enterprise, other hackers), etc). The hacker vs hacker factor is probably one of the most fascinating parts of it. It’s quite literally the most raw anarchist wild west environment anyone can participate in, which is what makes it so powerful and so intriguing. You can choose to be a bounty hunter, troll a friend or straight up hack an entire country and destroy their nuclear weapons facilities (literally, yes, this fucking happened w/ the Stuxnet virus on Iran)
Although entirely dangerous it would be the most interesting — think of the dark web vs surface web. The stories associated with malware are way more fascinating than web3 cyber — at the end of the day a true hacker gets to a point where money isn’t a motivator :)
I think the factor of creating a Wild West identity is also quite cool. You can either be truly feared or be seen as a hero and have these blackhats after you. It opens you up to the harsh realities of the world, the madness of the human mind in the form of intellectual expression. You won’t find a dumb cunt causing very sophisticated global damage. No, this is a very intelligent being who chooses the dark side, which in many cases they see as good. You’ll eventually come across hitmen for sale, uncover disgusting chat rooms (like nth rooms), weapons dealers, drug cartels, and everything under the sun in this world. The curtain is pulled and you choose your destiny.
Power > Finance
And so, my learning pathway is extremely clear. The only other substrate to experiment with AI on is finance but the problem is much smaller and beyond money there is no other gain while being a negative sum game. Building a system that doesn’t work is a waste of time but in infosec, that system would inspire a new system or the next evolution. You could make the argument that it’s the same with finance but if it doesn’t work right there and now it just won’t be useful unless you keep slamming it whereas cyber if there was an update then you think would still work before the update and there will most likely be some users in the world that use it (especially enterprises).
There is no real self-sovereign power that can take down nations in finance. You get money which is used to exchange for power but infosec is both the money and the power combined because of the deep understanding of what society is using as crutches, and it is more mathematically complex (think of multi-objective optimisation relative to a single objective) and therefore more problems and solutions to mess around with.
Speaking of HFT/MEV, packets being sent across network switches and routers are exactly like MEV. You can intercept the information and build up the entire information just like you build a block or adjust your transaction sequence based on a new normie trade that just appeared!
Also, finance relies heavily on insider information whereas cyber is about reverse engineering and walking through blackboxes. In finance, there are 2 categories: public info and insider info and you’ll always lose to insider info even with the perfect system. I find the problem space of cyber far more interesting because of its diversity and impact on everything, e.g., shutting down a power grid in a country relative to making $100k USD on a trade.
This was from DEF CON 24 - Chris Rock - How to Overthrow a Government ‘s slide show. C’mon, this is quite nuts to think about that the US intel director says cyber espionage is 2nd in 2016 — its fucking 2024 it must be #1 now, especially since ISIS are just randos flailing around guns and explosives. Coordinated attacks from intelligent people who have years to plan the perfect heist or hack is FAR more dangerous — especially since they can basically wreck a country from their toilet while taking a shit.
When I spoke to world-class hacker Chris Rock (see Darknet Diaries episode) he gave me really good advice: “be the expert and people come to you.” it doesnt matter if you build a fully offensive virus that has no legal use case — there is value in that and people will come to you for your services. be public about your progress, become the fields expert and you’ll be the goto contact for everyone. “You don’t want to go faster than what you’re dong now because you’ll otherwise have imposter syndrome and burn out. focus in on [my] interest per day [..] don’t skip stuff because post 30 [i’ll] be like “fuck” that would been handy now” like understanding how people move money overseas OTC and how even buying bank accounts overseas work.
Cat & Mouse Community
The worst thing with HFT/MEV is that no one opens up about the math they use or anything interesting to reduce the risk of alpha leak, even if to them it doesn’t seem like it because they may be creating a competitor + all NDAs. But in cyber people are curious to learn more. It’s inherently a game of wanting to deeply understand therefore community and sharing are much more prevalent. And I think this makes it much more rewarding to pursue as well. Lives depend directly on security, even if they don’t notice it.
The understanding is important too because it forms the foundation of society. In finance you’ll rarely master all parts of the system but those that apply instantly because you need to make money ASAP instead of research and become untouchable. People in cyber make databases of zero-day exploits waiting to use them on other nations with one big attack! How crazy! So you could realistically perform a zero-day storage heist as well. There are just so many possibilities for cool as fuck stories in cyber — if you need some convincing listen to Darknet Diaries, seriously.
There is even a Superbowl for hackers with Devcon and Blackhat (the event)! So many amazing stories and people show up from varying lives, literally blackhats to FBI agents — it’s quite interesting game theory-wise when networking and presenting new ideas. I remember hearing some stories of presenting an idea and a black hat team would change their tactics of a virus right after or during the presentation! So much more exciting than anything else and the concepts apply to biology and any other field — for whenever there is creation there is also destruction (security).
It’s Only A Skill Issue
I think the most fascinating part about this whole field is that if you get good at your craft and become a real threat then you will be approached by the government or some high-status people. I think I’ve met 4-5 people now been approached to contract with govs and it’s all because of their cyber skills. It’s just so powerful that people are on the hunt for this talent. You can just get fucking good at building evasion tools and infect everything and you instantly set yourself out from the rest.
It’s a non-conformity-based environment by default so you’re only limited by your creativity and imagination which, let’s be real, can quickly set you apart. Therefore, travelling the world to meet the people who control the world as a mercenary, expanding your network and rising to the top where the elite depend on you is a fascinating dynamic. And the best part is that it’s just a skill issue. There’s no unfair advantage with networking/business connections or insider information. It’s all out there. You simply have to get gud, loser.
How I’m Learning
Setup
I have an m2 max macbook atm that is very powerful however uses ARM architecture. I remember I wanted to do malware dev around ~2 years ago but the friction to learn was so strong because all of the tutorials are x64 based and the conversion at the time for VMs didn’t exist I don’t believe. I realised during the past couple of weeks after speaking to Chris Rock a hacker I respect, that a machine is just a tool and should be treated as such to do the desired job. So I decided to pull the trigger on buying a Framework laptop over the Thinkpad Carbon x1 because of modularisation — upgrade to newer RAM and CPU when they come out instead of dropping a couple thousand on a new machine.
And I spoke to @lcfr_eth who mentioned he runs 20 VMs at a given time and another fren who runs ~5 VMs at a given time for simultaneous testing w/ a different anti-virus in each VM to see the dif between malware progress.
I have one with sophos, one with crowdstrike falcon, one with kaspersky, one basic defender and one with sentinelone
To add onto this, if you only use 1 VM you’ll just have a significantly slower debugging experience, especially if you’re testing AI-based malware because you’d have to run it on each instance instead all concurrently at once. And trust me, AI training aint that fast so you’ll be sitting for a while and if you fuck up a little bit you’re doing the whole cycle again, lol (lmao even).
Anyway, each VM has around 4GB RAM allocated so 20 GB for 5 VMs or 100GB for 20 VMs and I thought, yk 96GB DDR5 5600MHz is pretty fucking good for a laptop that I can upgrade.
This actually made me very curious about VM escape malware because it seems that cyber relies super heavily on VMs so if you can escape them you’re a lot closer to taking over the machine — and I’m especially curious about it because I wrote my EVM when I was writing my exploit generator in web3, and OS VMs seem like a really fun progression.
Malware Dev
The biggest reason why I decided to get a native host Windows x64 intel chip instead of just running VM fusion on my Mac is because I want to fully immerse in the instruction set natively on my machine and make fuck-around projects without VM fuckery. I want to be able to explore without waiting for loading — essentially removing friction. This has always worked for me — going all in or nothing, full commitment.
I did come across a nice Reddit post that resonated:
I’m personally going to go through all of Maldev Academy and all of Crow’s malware videos. The x64 is a prereq for all these tutorials. When you get cracked at x64 architecture you’ll be very familiar with the core architecture for many enterprises and govs and you can easily upskill into ARM later on anyway.
The world of malware is a cat and mouse game where both paries are coevolving so one doesn’t gain dominance over the other. Blue team use forensics and analyse malware and maldevs have to evade this detection and be as perfect as possible to leave no trace, they have to be perfectonists otherwise its jail time :) My fren AYC recommended this https://www.sans.org/digital-forensics-incident-response/ as most people would just do this course — most of forensics relies heavily on tooling and so the goal is usually trying to obfuscate so they don’t get picked up by endpoint detection and response software.
The final part I want to mention is that creating the malware is the easy part. Avoiding detection and bypassing anti-virus software is the cat and mouse game — where the coevolution occurs. This is what makes it a never-ending game with such diversity. People make their custom detectors, some use commercial ones. Once you get passed the defences it’s game on for creative trojan propagation and whatever else you want. You’re not limited to a single kind of malware its really a sandbox with unlimited toys, castles to crush, and participants to team up or fuck with.
Final
Hopefully this inspires you to pull the trigger on malware development too. It was something I was curious about for years but never pulled the trigger until now. I always thought cyber was cool as fuck but web3 got me a bit bored of it. If theres any advice I can give you its this: fuck around and find out. Buy a laptop and experiment for a month. If you don’t like it then the cost of drawing out one option was the laptop and if you do like it then gg. I’ve met too many people that have reached high places but just shitting on blue team software and just doing cool shit. If you want to tell interesting stories to your kids then welcome aboard, space pirate.
Also as a side note. If an AI system gets really good at finding vulnerabilities and this skill can be transferable to another domain, e.g., robotics with the world, that would serve as a super interesting case to see what’s possible — probably would become a cyberpunk society at that point. Even aiding you with your problems as it watches you explore the internet. Like a really intelligent clippy. Eerie if you ask me.
Share this Article
Recent Articles
-
Generating Custom Assembly Smart Contracts
2 years ago I wrote a component that allowed me to generate any custom assembly smart contract on the fly to automatically create exploits without needing to do any manual work. I had a montiroing system that would provide the inputs and the bytecode generator would chug along and spit out an executable program that I could deploy and call on with a bundle of transactions. In this article I'll share the core of that codebase to get you up to speed! Buckle up, anon. There isn't any other article like this revealing these trade secrets!
-
Baiting MEV Bots: UniV2 Token Trapper
So many MEV bots take money from people but why don't people take money from them? I always thought about this when I was in my web3 cybersec assembly arc. I got quite fascinated with reverse engineering them and the contracts they interected with and realised there are some interesting things you can do with the uniswap code, since it has a few assumptions with the tokens you provide to create the pairs. Although not very practical it's definitely an intereting thought experiment that can provoke some further creativity!
-
Understanding Gradient Descent
Machine Learning (ML) and Artificial Intelligence (AI) relies heavily on this very intuitive differentiation-based algorithm called gradient descent. It gets us closer to our desired minima or maxima by starting with a value and adjusting that value based on the change of our gradient. In this article you'll learn to understand what is gradient descent and all the component apart of it. And then explore a few modifications of it from simple to advanced to solidify your understanding!