Subscribe
About

The case for proactive protection

Creators of malicious code are not necessarily good programmers.
Jeremy Matthews
By Jeremy Matthews, Head of Panda Security's African operations.
Johannesburg, 24 Apr 2008

The IT world is full of myths and legends circulated via e-mail or simply spread by word-of-mouth. These legends are not necessarily infamous hoaxes or chain letters, but are rather sustained on gullibility - making the assumption that certain things are true, when they usually aren't.

These strange myths also exist in the IT security world. One of them, in particular, is being increasingly refuted: that creators of malicious code are good programmers. Some time ago, when viruses were in their prehistoric era, this was true.

For a program to multiply automatically, without users realising or archaic security programs detecting it, a good programmer's keystrokes were once a prerequisite. Programmers needed a wide knowledge of systems, the options these systems offered and a huge capacity to innovate.

However, nowadays, these programmers are no longer the "stars" of IT coding. Malicious codes are becoming coarser, less innovative, and sloppier.

The Gaobot.AAF case

The statement that creators of malicious code are poor programmers (or at least not as good as we think) is not unfounded, as there are methods for scanning programs to see how they were built.

One of them, which is widely used for its visual results, offers graphic representation of the components of a program. These graphs are lines that relate to each sub-routine of the code, so that a simple and well-built program would return a simple and clear graph. However, a program without any internal organisation and without adequate systemisation would offer an extremely complex and disorganised graph.

Malicious codes are becoming coarser, less innovative, and sloppier.

Jeremy Matthews is head of Panda Security's sub-Saharan operations.

Two similar programs would offer similar graphs. PandaLabs, Panda Security's malware detection laboratory, has used them to establish the similarities between different variants of a malicious code. It has done this because calls to the same function in different programs are shown graphically.

When PandaLabs analysed Gaobot.AAF, a bot, it was surprised with the result: not only because it was spectacular (it was called "Death Star" due to its resemblance with the space station from Star Wars) but for its strange complexity.

Why is this strange drawing generated? Simply because the original source code of the Gaobot family was released to malicious code writers and each one created a new variant. But these variants were not optimised and therefore each variant was more complex.

Instead of demonstrating they were good programmers, all the creators of the Gaobot variants did was prove their in-depth knowledge was a myth and that they are simple apprentice thieves who copy other crooks' code.

The "undetectable" viruses

Another widespread myth, which is fed by many misleading e-mail messages, is that there are malware samples (worms, or Trojans, etc) that no security solution can detect.

A recent news article reported that a student had created a Trojan that recorded images from his classmates' Web cams; he then blackmailed them with the recordings. It was said that the Trojan was "undetectable".

Was it really undetectable, though? After all, the authorities created a system to detect and eliminate this code.

The problem lies in the difficulty to detect a specific Trojan. The majority of manufacturers of anti-virus solutions depend on samples of malicious code to develop a detection and disinfection routine. For this to happen, two circumstances must arise:

1. The malicious code arouses suspicion from a user. If a message is not displayed, or if it does not carry out any special action on the computer that makes the user realise that something strange is happening, the system will remain infected, as a sample will not be sent to the laboratories for analysis.

2. The malicious code must have a certain rate of propagation. This increases the probability of affected users notifying the laboratories of the appearance of the code.

In the case of this Trojan, neither of the two circumstances arose. Like most Trojans, it did not show any messages or leave any clues that could give it away. Furthermore, as it was distributed to very few computers (only the hacker's classmates), it did not arouse any suspicion.

This is a prime example of the malware situation today: a plethora of reduced and well-hidden examples that anti-virus companies can't detect, as the report says (at least not until the malware sample has been discovered).

In spite of this, this problem only arises with traditional - or conventional - malicious code detection systems as these rely exclusively on data stored about malicious programs and do not incorporate any other detection systems. The logic is that anything that is not stored in its malware signature database will be considered valid.

More modern technology for combating malicious code prevents these problems because instead of clinging to previous knowledge of malicious codes, it seeks them out by analysing their behaviour. When a program tries to carry out a malicious action on a computer it will be blocked - not because it can be identified, but because of the action it was going to perform.

As long as users continue to trust in partial and outdated solutions to detect viruses and other malicious programs, they cannot adequately protect their computers as "undetectable malicious codes" will continue to exist for them - instead of simply being "dangerous programs unidentified up until now".

* Jeremy Matthews is head of Panda Security's sub-Saharan operations.

Share