Vaccines do not only exist for medical purposes. They are actually also there to protect against malware. So these are so-called malware vaccines. And just like their counterparts in medicine, they apply harmless parts of the malware to protect the system. But in contrast to vaccines in medicine, they do not improve the security response of the system. Instead, they trick the malware into believing that the system is already infected, or they trick the malware into malfunctioning.

Now, in 2012, there was a paper by two researchers, Wichmann and Gerhards-Padilla. They were German, and they investigated the automatic extraction of infection markers so they could generate vaccines against malware. Wichmann and Gerhards-Padilla created a taxonomy of infection markers. This taxonomy is one I use as a basis and changed around a bit so we can apply it to malware vaccines in general, because infection markers are not the only ingredient that can make a malware vaccine.

Vaccines can exploit malware. They can feed data to the malware so that the malware crashes or malfunctions, i.e. doesn't work the way it was intended to. Let's say you have a buggy remote access malware that writes the C2 server into the registry, and once this registry entry is set with the C2, it will never be changed by the malware. Now let's say you set this C2 entry yourself and put in one that doesn't work, so the malware can never communicate with it. The malware thinks it has already set the setting and will never change it, and there is never a C2 server that can actually control the malware. In that case, you have a vaccine that essentially breaks the main functionality of the malware, so it cannot cause harm anymore. But it's still active, it's still on the system, and it may still have persistence and so on.

In August 2020, there was a blog post about the EmoCrash vaccine that was published by James Quinn.
This vaccine creates a buffer overflow in Emotet, which is a very good example of this kind of malware exploitation. But apart from infection markers and exploits, vaccines can also use system exclusions that are done by the malware. So malware may not only check for infection markers; it may also check for, let's say, the developer's own system: the developer of the malware will exclude their own development system so that, in case they execute the malware, it doesn't harm the system it's developed on. This is something you can use as well, as are certain regions and languages that are excluded by malware. So oftentimes you see malware that doesn't infect systems that have Russian, Ukrainian or other Cyrillic keyboard settings. If you use that as a vaccine, it can also work if you trick the malware into believing this setting is there. The same could be done with VM checks: for malware that does not run in a sandbox or in a virtual machine, just pretend your system is a virtual machine, and the malware doesn't work anymore. So those are possible ingredients.

So back to the paper. As I said, I created a taxonomy that's a bit similar, so let's take a look at that. Firstly, vaccines can be distinguished by the locations they are applied to and the lifetime they have. The infection marker or data introduced by the vaccine can be in the registry, in memory or on the file system. Lifetime refers to whether the changes done to the system are volatile or permanent. Volatile changes, for instance mutexes, will be removed after a reboot. That means vaccines based on volatile data need to be reapplied, whereas permanent vaccines stay on the system.

The location of the vaccine marker check in the malware code is important too. This check can be done by any part of the malware infection chain, which has implications for the protection quality.
If the installer checks the marker and not the main payload, the vaccine will not have any effect on different installers for the same malware, and installers are often the first thing that changes, making the vaccine less likely to last. If a later part of the infection chain does the marker check, earlier parts can still perform undesired system changes. So there are pros and cons.

Fourth, the time of the marker check is relevant for the protection quality. Malware may check only once or continuously. In the latter case, the vaccine will also shut down malware on already infected systems, but it also means the malware can reanimate if the vaccine somehow gets removed.

Vaccine markers can be static or dynamic. A dynamic marker is calculated per system. For instance, a malware may generate a mutex or filename based on system information, so it generates a different one for each system. Dynamic vaccines need to use the same algorithm to generate their markers. Static vaccines, on the other hand, apply the same marker for every system. Static vaccines generally are easier to extract automatically.

As already mentioned, the vaccines themselves can either deliver bad input that causes the malware to malfunction, or they can be based on exclusion techniques of the malware or on malware infection markers. Finally, we can also distinguish vaccines by what malware function they actually prevent. Infection markers generally prevent persistence, but vaccines can also render other functionality ineffective, for instance the C2 communication or ransomware encryption and so on.

Let's now take a look at an example vaccine that John Parole and I created for STOP/Djvu ransomware. This vaccine creates a file with a specific filename that is used by STOP ransomware to save the encryption key. Our vaccine places an invalid key in this file that will cause the ransomware to fail when it tries to encrypt files.
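As an added example (not the vaccine code from the talk), this shows how permanent, file-system based vaccines from the taxonomy can be applied and verified, both a static marker like the STOP/Djvu key file and a dynamic, per-system marker. The filename, the marker derivation algorithm and the invalid key contents are placeholders and assumptions, not the real ones; the marker-state check also tells a vaccinated system apart from one whose key file was written by a real infection.

```python
import hashlib
import os
import tempfile

STATIC_MARKER_NAME = "PLACEHOLDER_KEYFILE.txt"  # placeholder, not STOP/Djvu's real filename
INVALID_KEY = b"INVALID-KEY-" + b"\x00" * 16    # constructed, deliberately unusable key data

def dynamic_marker_name(hostname, volume_serial):
    """Hypothetical per-system marker derivation (made up for this example).
    A dynamic vaccine must reimplement whatever algorithm the malware uses."""
    digest = hashlib.sha256(f"{hostname}:{volume_serial:08x}".encode()).hexdigest()
    return digest[:8] + ".key"

def marker_state(directory, marker_name, content):
    """'vaccinated' if our marker is present with our content, 'foreign' if the
    file exists with other content (possibly a real infection), else 'missing'."""
    path = os.path.join(directory, marker_name)
    if not os.path.exists(path):
        return "missing"
    with open(path, "rb") as fh:
        return "vaccinated" if fh.read() == content else "foreign"

def apply_vaccine(directory, marker_name, content):
    """Write the marker only when absent: an existing file may be the real key
    file of an already infected system, which must be kept for recovery."""
    if marker_state(directory, marker_name, content) != "missing":
        return False
    with open(os.path.join(directory, marker_name), "wb") as fh:
        fh.write(content)
    return True

def demo(directory=None):
    """Apply a static and a dynamic file-marker vaccine and report the states."""
    d = directory or tempfile.mkdtemp(prefix="vaccine-demo-")
    r = {}
    r["static_applied"] = apply_vaccine(d, STATIC_MARKER_NAME, INVALID_KEY)
    r["static_state"] = marker_state(d, STATIC_MARKER_NAME, INVALID_KEY)
    r["static_reapplied"] = apply_vaccine(d, STATIC_MARKER_NAME, INVALID_KEY)
    r["dynamic_name"] = dynamic_marker_name("WORKSTATION-01", 0x1A2B3C4D)  # constructed host data
    r["dynamic_applied"] = apply_vaccine(d, r["dynamic_name"], INVALID_KEY)
    # Simulate a key file written by a real infection (constructed content).
    other = dynamic_marker_name("OTHER-HOST", 0x1A2B3C4D)
    with open(os.path.join(d, other), "wb") as fh:
        fh.write(b"constructed real-looking key data")
    r["foreign_state"] = marker_state(d, other, INVALID_KEY)
    r["foreign_overwritten"] = apply_vaccine(d, other, INVALID_KEY)
    return r
```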
Thus, it does not prevent infection, but it does prevent the main functionality, which is encryption in this case. This vaccine is static: the same file with the same content is placed on every system. It works by delivering bad input to the ransomware. It places something on the file system, and this is a permanent change. It affects the main payload of the malware infection chain. I'm not sure how often the marker check is done, so I'm leaving that out. But generally, STOP does not stay on a system anyway after encryption is done, so the marker check has no actual influence here.

So to sum this up, what are the pros and cons of malware vaccines? One major advantage is that vaccines work passively. They have no performance impact, in contrast to, let's say, signature scanning. They work independently of any kind of obfuscation, packing or anti-reversing techniques. Some vaccines can help on already infected systems and networks. This is especially useful if you want to contain an outbreak of a worm infection in a network and cannot turn off all machines connected to it. Actually, this is probably one of the distinct use cases where vaccines really shine.

A huge disadvantage is that systems with vaccines on them look infected. That has some bad effects, for instance with cross-usage of anti-malware scanners, which will determine that your system is infected and remove the vaccine. The user, on the other hand, will think their anti-malware product was unable to protect them from a persistent infection. Even worse, it may seem that the system gets reinfected all the time if the vaccine is automatically reapplied. Some vaccines can have side effects if they rely on system changes that have an effect on how the system works. For instance, a crude generic vaccine could change your system language to Russian because some malware families will not infect such systems. But I doubt many users would be okay with that. Lastly, vaccines are generally silent.
That means the users will not even know their system was protected by the vaccine. They will not learn that their actions, like downloading and running a certain program, caused a malware attack. They will not know that installing the vaccine did any good for them. It is a little bit like doing things proactively for your health: you will never know if that worked, and that's why many people don't do it. There is seemingly no reward.

By the way, I think if you want to train your malware analysis skills and you are looking for tasks or goals you can use to train them, try to find a new vaccine. It's, I think, a great way where you can use a lot of your creativity to find something that would work, because the possibilities you have, well, of course, depend on the malware. You can find some where it's very easy to extract a vaccine, but for some others it might be more difficult and you need to look more. But it's a good idea if you need some goal to work on. Also, research on malware vaccines: I haven't found a lot of papers on this. So if you are trying to find a thesis topic or some research topic in that direction, maybe look into that. And if you want, let me know in the comments. If you have questions, let me know. So see you next time.