
Malware gets sneakier

By Leon Engelbrecht, ITWeb senior writer
Johannesburg, 19 Jun 2007

Malware is mutating again, says malware watcher PandaLabs. The anti-virus solutions vendor says 78% of malware recently exposed used file packing to evade detection.

PandaLabs SA CE Jeremy Matthews says packer programs reduce the size of an executable file, generally through compression. "However, these programs can also be used to protect copies of malicious code installed on computers, or to make it more difficult for anti-virus solutions to detect them when they are distributed."

UPX is the most common and was used in 15% of malware detected, Matthews says. PECompact and PE were used in 10% of cases. However, there are more than 500 types of packers that could be used by cyber-crooks.

"In essence, it is a stealth technique. The increasing use of these programs highlights how keen criminals are for their creations to go undetected," says Matthews. The trend amply illustrates the morphing of malware creation into a revenue-generating business, rather than the harmless thrill-seeking it typically represented a decade ago.

Matthews says cyber-criminals often combine several malicious files in a single packer. "This both hinders detection and allows a malicious code to download copies of other strains more effectively," he says.

"The problem is when to detect this malicious code. Most are packed with legal programs, and it is not possible to distinguish between 'goodware' and malware just by the packer. What is the solution? In the case of e-mails, there has to be a system to detect them before they reach the computer. Solutions have to be able to detect packed malware before users execute it," confirms Matthews.
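The triage step Matthews describes, as an added example in Python that is not PandaLabs' or the article's own code: it walks a PE file's section table, scores each section's Shannon entropy, and flags UPX-style section names, on a PE-shaped blob constructed inline (the section names, threshold and sample sizes are this example's assumptions).

```python
import math
import random
import struct

# Shannon entropy in bits/byte: ~0 for repetitive data, ~8 for compressed or encrypted data.
def entropy(data: bytes) -> float:
    if not data:
        return 0.0
    probs = [data.count(bytes([b])) / len(data) for b in range(256)]
    return -sum(p * math.log2(p) for p in probs if p)

def pe_sections(pe: bytes):
    """Yield (name, raw_bytes) for every entry in the PE section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    # COFF header: Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    for i in range(nsec):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        yield name, pe[raw_ptr:raw_ptr + raw_size]

def packer_indicators(pe: bytes, threshold: float = 7.0) -> dict:
    """Per-section entropy plus two cheap 'looks packed' flags for triage."""
    sections = {name: round(entropy(data), 2) for name, data in pe_sections(pe)}
    upx_names = any(n.upper().startswith("UPX") for n in sections)
    high = [n for n, h in sections.items() if h >= threshold]
    return {"sections": sections, "upx_names": upx_names,
            "high_entropy": high, "likely_packed": upx_names or bool(high)}

def build_sample_pe(sections) -> bytes:
    """Constructed PE-shaped blob for the demo: headers only, not executable."""
    e_lfanew = 0x40
    data_start = e_lfanew + 24 + 40 * len(sections)
    out = bytearray(b"MZ".ljust(0x3C, b"\0")) + struct.pack("<I", e_lfanew)
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    body = bytearray()
    for name, data in sections:
        out += name.ljust(8, b"\0")
        out += struct.pack("<IIII", len(data), 0x1000, len(data), data_start + len(body))
        out += b"\0" * 16  # relocation / line-number fields, unused here
        body += data
    return bytes(out + body)

# Constructed sample: UPX-style names, an empty UPX0, a high-entropy UPX1 standing
# in for the compressed payload, and a low-entropy resource section.
SAMPLE = build_sample_pe([(b"UPX0", b""),
                          (b"UPX1", random.Random(2007).randbytes(4096)),
                          (b".rsrc", bytes(range(16)) * 256)])
```

A positive result only says "inspect further": as the quote notes, legitimate software is packed the same way, so the scanner still has to unpack and examine the real code before calling it malware.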

Some of the most prominent malicious codes in recent months used packers, such as the Conycspa.AJ Trojan, which downloaded several other malicious codes, the Clagge.G Trojan and the Rinbot.Q worm, which spread by exploiting several Windows vulnerabilities.

Stealth techniques

Another important and relatively unknown danger comes in the form of binders or joiners. These are programs designed to join two or more files together. These tools are used by hackers to hide their malicious creations within an apparently inoffensive file. For example, the execution of a Trojan could be combined with the viewing of a photo with a jpeg extension. When users view the photo, they will also be running the Trojan.

PandaLabs has already detected several examples that use this technique, such as some of the Trojans in the Mitglieder family (which open an image when they are run).

Another method of protecting files that contain malware is scrambling. Scramblers are tools, similar to packers, that can hide executable files; the technique encrypts the code of the malware itself. To be able to run when they reach a computer, these malicious codes carry an internal decoder. The worms in the Feebs family, for example, use this technique to hide themselves.

"The most dangerous thing about this technique is the customisation. The sharpest hackers can create their own encryption codes. Malware concealed in this way will be the most difficult to detect," concludes Matthews.

All users who want to know whether their computers have been attacked by this or other malicious code can use TotalScan (which detects one million threats) or NanoScan beta, the free online solution.
