The Evolution of Self-Defense Technologies in Malware
by Alisa Shevchenko - Virus analyst at Kaspersky Lab - Monday, 2 July 2007.
The use of polymorphism only became relatively widespread in terms of DOS file viruses. There's a reason for this. Writing polymorphic code is a highly time-consuming task that is really only justified in cases when a malicious program is self-replicating: then each new copy contains a more or less unique byte sequence. The majority of contemporary Trojans aren't able to self-replication, and polymorphism is therefore irrelevant. That’s why since the end of the DOS file virus era, polymorphism has been seen less, and it was used mostly by virus writers who wanted to show off their skills rather than to create a particularly useful malicious function.



Figure 2. The polymorphic code of P2P-Worm.Win32.Polip

In contrast, obfuscation continues to be used today, as are other code modification methods that, to a large extent, make it more difficult to analyze code as opposed to hindering detection.



Figure 3. A diagram of the obfuscated code in Trojan-Dropper.Win32.Small.ue - Click for larger version

Since behavioral detection methods arrived and began to squeeze out signature-based methods, code modification techniques have become less useful in hindering malware detection. This is why polymorphism and related technologies are not commonly used today and are only really a means for hindering the actual analysis of malicious code.

Stealth viruses

Concealing malicious programs in the system became the second method of self-defense against detection that was mastered by virus writers in the DOS era. This technique was first used in 1990; to be more precise, it was included in the arsenal of a virus we have already mentioned - Whale. Essentially, the concealed virus would one way or another intercept DOS system services and pass false data to the user or the antivirus program – for instance, "clean" boot sector contents, instead of the real contents which had been infected by the malicious program.

Stealth technologies for the DOS operating system were reborn as rootkit technologies for the Windows operating system 10 years later.

Packers

Gradually, viruses - malicious programs that can function only within a victim body and which are unable to exist as a separate file - are being replaced by Trojans, which are fully independent malicious programs. This process began when the Internet was still slow and more limited than it is today. Hard disks and floppy disks were small, which meant that the size of a program was very important. In order to reduce the size of a Trojan, virus writers began to utilize so-called packers - even back in the DOS era. Packers are dedicated programs that compress and archive files.

A side effect of using packers that can actually be useful from a malware point of view is that packed malicious programs are more difficult to detect using file methods.

When creating a new modification of an existing malicious program, the virus writer usually changes several lines of code, while leaving the heart of the program untouched. In the compiled file, the bytes for a certain sequence of code will also be altered and if the antivirus signature does not include that very sequence, then the malicious program will still be detected as before. Compressing a program with a packer solves this problem as changing even just one byte in the source executable results in an entirely new byte sequence in the packed file.



Figure 4. The visible difference between packed and unpacked code - Click for large version

Packers are still commonly used today. The variety of packing programs and their level of sophistication continue to grow. Many modern packers, in addition to compressing a source file, also equip it with additional self-defense functions aimed at hindering the unpacking and analysis of the file using a debugger.

Spotlight

Intentional backdoors in iOS devices uncovered

Posted on 22 July 2014.  |  A researcher has revealed that Apple has equipped its mobile iOS with several undocumented features that can be used by attackers and law enforcement to access the sensitive data contained on the devices running it.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Wed, Jul 23rd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //