Hackers are using increasingly sophisticated methods to ensure that the malware they develop is hard to detect and remove from infected systems, security researchers warned at this week's Computer Security Institute (CSI) trade show.
The most popular of these approaches involve code mutation techniques designed to evade detection by signature-based malware blocking tools, code fragmentation that makes removal harder, and code concealment via rootkits.
Unlike mass-mailing worms such as MS Blaster and SQL Slammer, most of today's malware programs are being designed to stick around undetected for as long as possible on infected systems, said Matthew Williamson, principal researcher at Sana Security.
The goal in developing such malware is not to simply infect as many systems as possible but to specifically steal usage information and other data from compromised systems, he said.
An increasingly popular way of attempting this is with the use of polymorphic code that constantly mutates. Many malicious hackers also now use "packers" to encrypt malware to evade detection. Some then use different routines for decrypting the code to create a virtually unlimited number of mutations, Williamson said.
One example of that was Swizzor, a Trojan discovered earlier this year that repacked itself once a minute to get past signature-based tools that work only if they know precisely what to block. Swizzor also recompiled itself once every hour. Code recompilation is another tactic hackers have been using to subtly mutate code to get past blocking systems, Williamson said.
Many spyware programs take advantage of publicly available tools to evade detection, said Gerhard Eschelbeck, chief technology officer at Webroot. If a proprietary encryption algorithm is used, it’s based on a publicly available or open-source algorithm, he said.
Spyware programs also use kernel-level drivers and process blocking techniques to actively stop antispyware programs from running, Eschelbeck said.
According to Ralph Thomas, manager of malicious code operations at VeriSign’s iDefense unit, modern malware programs are also designed to split themselves into several co-dependent components once installed on a system.
Each fragment or component then keeps track of the others, and when an attempt is made to delete one component, the remaining fragment instantly re-spawns or reinstalls it - making removal very hard, Thomas said.
One early example of such malware was WinTools, which has been around since 2004 and installs a toolbar, along with three separate components, on infected systems. Attempts to remove any part of the malware cause the other parts to simply replace the deleted files and restart them.
The fragmented nature of such code makes it harder to write removal scripts and to know if all malicious code has actually been removed, Williamson said.
Complicating matters is the growing use of rootkits to conceal malicious code on infected systems, he said. Rootkits can be installed at the operating system level or as kernel-level modules and are used to hide malicious code and processes from malware detection tools, Williamson said.
A malicious program named Haxdoor - a variant of which was used to steal information from 8,500 computers in 60 countries in October - is one example. Haxdoor was used to steal passwords, keystroke information and screen shots from computers it had infected and send them to a remote server.
It was also used to disable system firewalls and concealed itself in a rootkit on the infected machines.
