All malware is not the same

Opinion by Dan Raywood

As we talk about new variants of major malware 'families', it dawned on me that the more general malware was getting to be more sophisticated.

Perhaps not as sophisticated as the likes of Stuxnet and Duqu, but as recent news about a new variant of Zeus revealed, malware is being redeveloped to bypass anti-virus traps to make it even more sophisticated and even 'polymorphic'.

In a recent conversation, Fraser Howard, a principal virus researcher at SophosLabs, said that rather than losing the battle against malware writers, anti-virus is "making it harder for them as they have to work harder to get past our filters".

He said: “People within an organisation are now targeted (such as with the RSA incident). In detection, there is a strong element of reputation and knowing where the file is coming from is a good way of using the file, and it can be a strong indicator that it is malicious, so you look at the layer and the content of the file.

“But reputation is not enough on its own, you can do just that but when a new file appears, you have to be able to look at it as you cannot blacklist everything and if you do not, it is often too late for those who have been infected.”

The Symantec Intelligence report for July 2011 said that there was an aggressive approach to distributing generic polymorphic malware via executable files within an attached ZIP file that was often disguised as a PDF file or an Office document. In its September 2011 report, it classified 72 per cent of all malicious email-borne malware as aggressive, generic polymorphic malware.

Paul Wood, senior intelligence analyst at, said most recent attacks were email-based with attachments that were disguised with "some interesting social engineering" and that the malware had become so sophisticated that it was able to defeat sandboxing, with the start-up code changed in every version, subtly changing the structure to make it harder for emulators to identify it as malicious.

Like Howard, he said that anti-virus technology must take into account the integrity of the executable based on knowledge of its reputation and distribution in the wild, and that it cannot rely solely on heuristics and signatures to defend against attacks.

I spoke to Luis Corrons, technical director of PandaLabs, who described polymorphic technology as an "old friend" that was a pain for any anti-virus company.

He said: “However, it depends on the kind of malware. A polymorphic virus has been used for a long time and creating detection and disinfection signatures for this kind of virus is something that can take a long time.

“It depends on the complexity of the virus, for some of them it can be even a matter of more than a week. On the optimistic side we can say that usually these types of infections change the original file enough to make it suspicious for the heuristic engine of the anti-virus. Also, the way they behave (infecting clean files) makes it trivial for behaviour analysis to detect them.”

Talking about polymorphic malware, he said it is something PandaLabs sees on a daily basis, mainly in Trojans and fake anti-virus.

“It makes them harder to detect by signatures, but generally it is easier than with a virus. Again, the behaviour-blocking technologies usually work really well and they don't care if the Trojan is polymorphic, but the actions it performs in the system, and these are similar; it doesn't matter if the Trojan is polymorphic or not.”

Eddy Willems, security evangelist at G Data Security Labs, said most polymorphic malware can be stopped by generic signatures which can be optimised and tuned for purpose.

“As a lot of malware is using polymorphic techniques these days, all products need to be good at it but this seems to not always be the case. As G Data combines two engines in an intelligent way, our detection and blocking is quite high,” he said.
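The contrast Corrons and Willems draw above, between exact signatures that a polymorphic variant sidesteps, generic signatures that anchor on the invariant part, and behaviour blocking that ignores the file bytes altogether, as an added illustration that is not from the article or from any vendor's product. The two "variants", the generic signature and the behaviour traces are all constructed for this example.

```python
"""Added example: three detection layers run over two constructed variants
of the same toy sample. Nothing here is real malware or a real signature."""
import hashlib
import re

# Constructed samples: identical payload behind a different junk prologue,
# standing in for "start-up code changed in every version".
PAYLOAD = b"CONNECT c2.example.invalid\x00WRITE HKCU\\Run\x00"
VARIANT_A = b"\x90\x90\x31\xc0" + PAYLOAD            # the one the lab has seen
VARIANT_B = b"\xeb\x02\x00\x00\x33\xc9\x40" + PAYLOAD  # re-coded, never seen
BENIGN = b"MZ\x90\x00 hello world installer"

# Constructed run-time traces, as a behaviour blocker would observe them.
TRACE_A = ["open:browser.exe", "write:HKCU\\Run", "connect:c2.example.invalid"]
TRACE_B = ["sleep", "write:HKCU\\Run", "open:browser.exe", "connect:c2.example.invalid"]
TRACE_BENIGN = ["open:readme.txt", "write:C:\\Program Files\\App"]

# Layer 1: exact-hash signature, built only from the variant already analysed.
KNOWN_HASHES = {hashlib.sha256(VARIANT_A).hexdigest()}

def hash_match(sample: bytes) -> bool:
    return hashlib.sha256(sample).hexdigest() in KNOWN_HASHES

# Layer 2: generic signature: wildcard the volatile prologue (2-16 bytes) and
# anchor on the strings every variant must carry to do its job.
GENERIC_SIG = re.compile(rb"^.{2,16}?CONNECT [\w.]+\x00WRITE HKCU", re.DOTALL)

def generic_match(sample: bytes) -> bool:
    return GENERIC_SIG.search(sample) is not None

# Layer 3: behaviour rule: persistence via the Run key plus an outbound
# connection, in any order. The file's bytes never enter the decision.
def behaviour_match(trace: list[str]) -> bool:
    events = set(trace)
    persists = any(e.startswith("write:HKCU\\Run") for e in events)
    connects = any(e.startswith("connect:") for e in events)
    return persists and connects

def classify(sample: bytes, trace: list[str]) -> dict[str, bool]:
    """Report which layers fire for one sample plus its observed behaviour."""
    return {
        "hash": hash_match(sample),
        "generic": generic_match(sample),
        "behaviour": behaviour_match(trace),
    }

if __name__ == "__main__":
    for name, s, t in (("A", VARIANT_A, TRACE_A), ("B", VARIANT_B, TRACE_B),
                       ("benign", BENIGN, TRACE_BENIGN)):
        print(name, classify(s, t))
```

Only the hash layer is defeated by the re-coded variant B; the generic signature and the behaviour rule fire on both variants and stay silent on the benign sample.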

The technologies he recommended include optimised behaviour blockers, file and web cloud-based techniques and new technologies that block the way some polymorphic malware works.

“For instance, by safeguarding the necessary libraries inside the OS, an example of this proactive technique is called 'BankGuard' in our products and this is able to block all Man-in-the-Browser attacks mainly seen by online-banking Trojans, but also used in other malware,” he said.

Wade Williamson, security analyst at Palo Alto Networks, said that to efficiently defend against something which is "shape shifting", you need to have something at the network edge in order to know what is hitting the network without having to analyse each file.

He said: “Polymorphic is getting more popular, we call it 'server-side polymorphism'. It is coming from email and infected websites. It is standard delivery but the way it is coded means it looks different. Each time we look for a file it will be re-coded differently, but with the malware and with the packaging appearing to be different.

“This trend will define malware, packaging and encoding as it is like high-grade encryption. You need to figure out the packaging, which is difficult as it is not something that is known. When it is server side it will unwrap a certain way once it is downloaded.”

What this trend proves is that advanced evasion is stepping up in its sophistication and it requires more than a spam trap or decent web filter. Security vendors will tell you that their solution will solve the problems, but what I think is learned here are some key ways to keep up with the challenge.
