Forgot your password?
typodupeerror
Security IT

The Rise of Polymorphic Malware 202

Posted by Unknown Lamer
from the dot-zip-dot-pdf-dot-virtual-exception dept.
twoheadedboy writes "The level of aggressive, polymorphic malware intercepted by Symantec doubled in July, when compared to figures from six months ago. This kind of malware has been typically found inside an executable within an attached ZIP file disguised as a PDF file, and is pretty darn good at getting around traditional anti-virus products. 'There are powerful Darwinian forces acting on the development of malware by criminals,' said Martin Lee, senior software engineer at Symantec. 'Those who look to innovate and improve their malware tend to infect more computers and acquire the resources to reinvest in further development and innovation.'"
This discussion has been archived. No new comments can be posted.

The Rise of Polymorphic Malware

Comments Filter:
  • by mehrotra.akash (1539473) on Tuesday July 26, 2011 @01:12PM (#36885822)

    Virus writers discover OOP??

  • It still blows my mind that people open attachments from individuals they do not know. Despite years of computer virus education and the general public becoming "aware" of tainted files and links, people still do it. They'll put "the club" on their car parked at a Walmart in the middle of no where, but open up random attachments and video links to spiders under the skin from people they don't know. Amazing.
    • by fuzzyfuzzyfungus (1223518) on Tuesday July 26, 2011 @01:21PM (#36885946) Journal
      Given the frequency with which a cracked webmail account or compromised PC with an email client will immediately start spamming its former owner's entire address book, expecting the "people you know" rule to save you is fairly naive...
      • by Hatta (162192)

        The rule is, never open an attachment you weren't expecting. If you weren't notified in advance by a trusted party of the attachments impending arrival, assume it is malware.

        • If everyone did start doing this (they won't; those who'd open anything without thinking will want to send the latest lolcat thing NOW) then the spammers just modify the emailer script to send a "Hi [firstname], expect a Powerpoint from me shortly", and then send the malware in the next email to them, with a couple minutes' delay to simulate an actual person attaching a document and sending it.

    • by oneiros27 (46144)

      My ISP e-mailed me 'my invoice' as an attachment last week, when they had previously sent a summary in text, and a link to their site to view the invoice.

      I e-mailed and told them that I wouldn't open attachments from them, and I wanted the plain, boring, text summary ... and I get a response back about how the invoice has always been PDF, and they closed the ticket.

      So, anyone know of any good ISPs in the Maryland/DC area? (and Verizon and Comcast don't qualify as 'good' in my opinion).

    • by Culture20 (968837)

      It still blows my mind that people open attachments from individuals they do not know.

      "But Culture20, the email came from you, and you're our systems administrator."
      "Did it contain my gpg/pgp signature?"
      "What?"
      "That gobbledygook at the beginning and end of all my emails that you apparently don't pay attention to."

      Malware spreaders using people's address books stand a good chance of faking an email from someone the target knows and trusts. Users are still surprised that identities can be faked in an email.

    • by Grishnakh (216268) on Tuesday July 26, 2011 @01:42PM (#36886180)

      While "the club" really isn't very effective as an anti-theft device, wanting to protect your car from theft at a Walmart is actually pretty sensible, as that's an extremely likely place for it to be stolen. And there's no such thing as a Walmart "in the middle of no where": Walmart always locates stores in locations where there's plenty of customers. Even if that's some small town, it's the nexus for a large number of customers from surrounding areas and towns, so just putting the Walmart there will draw lots of people to that place, and consequently it is no longer "the middle of no where", it's actually a giant gathering place.

      Here's a better anecdote: a couple months ago, I visited a place called Arcosanti, north of Phoenix in Arizona. It's a strange little artists' community built by an architect named Paolo Soleri, who has dreams of a Utopian city where everyone lives together in harmony in shared buildings (i.e., there's no separate houses, everyone has a small apartment, that kind of thing). His dreams are much bigger than the reality, which is a small community of people who've basically given up their normal lives to come live with him and, as they get enough money for concrete, build more of his vision. They basically live off selling some weird wind chimes they make there, and tour fees. Anyway, my wife and I went up there to check it out and take the tour, as it's a cool idea although not that realistic, and there were only two other visitors, one single woman and one older couple. This older couple pulled up into the parking lot right after us and parked next to us, and what did the man do when he stopped? He got out The Club and put it on his steering wheel! Now, keep in mind (take a look at Arcosanti on a map if you want), this place really IS "in the middle of no where": it's in Arizona's high desert, about 2 miles down a gravel road from the nearest civilization, which is nothing more than a couple of gas stations at an interstate exit, about 3 miles from a tiny development called Cordes Lakes, and about 20 miles from the nearest real town called Camp Verde. There really is nothing there, except some funny-looking concrete buildings with a few dozen residents, and it's probably the safest place for your vehicle to be in the whole state. The idea of needing additional vehicle security in such a place is laughable. Car thieves don't go out to remote destinations to steal peoples' vehicles, they go to population centers (i.e., cities), and crowded locations in those population centers such as shopping center parking lots, apartment parking lots, etc.

      • We learn to put on the club out of habit so that when we do go to Walmart our car is left alone. Sometimes it's a good idea not to interrupt automatic processes with rational thought... believe it or not.

        Always wanted to go to Arcosanti...

        • by Grishnakh (216268)

          A few seconds with a hacksaw and your Club is rendered useless. Get an alarm that disables the ignition and stop wasting your time with something that doesn't work.

          • Hacksaw? Wouldn't any car thief worth their salt use a dremel or other battery operated cutting tool by now?
            • by Grishnakh (216268)

              Well yes. The best option is a battery-powered reciprocating saw with a general-purpose demolition blade.

      • In fairness to the person using the club, it only takes a couple of seconds to put it on, and routines tend to be all-or-nothing: if you look around and try to assess whether your current surroundings justify using the club, you're likely to fall out of the habit of using it at all.

        I've been wanting to visit Arcosanti, by the way. It sounds like a crazy utopian scheme, but with something to it. I've wondered if Soleri was an influence on the design of the Marine Towers in Chicago.

      • Since you're in the middle of nowhere, the cost of losing your car is ever so much greater. Therefore, it makes sense to protect your car. Cost/benefit.

    • by jdgeorge (18767) on Tuesday July 26, 2011 @01:43PM (#36886190)

      Isn't the problem that the application that renders the PDF/Flash/etc attachment has access to resources on the system that shouldn't be allowed?

      In other words, why aren't all attachments files rendered by applications running in a "jail"?

      • The only real need for sandboxing is for executable content. The data itself is harmless. Rendering it is not an issue. But you're absolutely right, sandboxing is necessary whenever an application might treat stray content as instructions ordering the application to perform some potentially unsafe action. Java bytecode is a good example, and consequently the Java Virtual Machine is sandboxed. But JavaScript, PDF, and Flash are other good examples, and they're not sandboxed.

        It's ironic therefore that
        • Java bytecode is a good example, and consequently the Java Virtual Machine is sandboxed. But JavaScript, PDF, and Flash are other good examples, and they're not sandboxed.

          Nope. Java code running in the VM is sandboxed, but usually the VM itself is not. Similarly JavaScript code running in a web browser or PDF viewer, or ActionScript in the Flash plugin are sandboxed, but the applications running them are not. Java and Flash's sandboxes are not enforced by the OS (beyond normal process isolation), so they are no stronger than the applications themselves. These are large and complicated programs, which must be bug free in order for the sandbox to be secure. This is the sa

        • On a von-Neuman machine instructions *are* data, and vice versa.

          Sandbox everything.
    • by thsths (31372)

      I think they real question is why in 2011, there is still no way to open an attachment without risking the security of your system. Attachments were invented in 1990, and yet they still don't work as they should. I think this says more about the state of the software industry than about people.

  • by tripleevenfall (1990004) on Tuesday July 26, 2011 @01:22PM (#36885958)

    "powerful Darwinian forces" is an interesting way to describe the process by which the designers of these viruses are using progressively more intelligent designs.

    • by Chemisor (97276)

      Which brings up an even more interesting question: were humans designed by God or malware hackers? Or are we God's malware?

      • What I gather from the Christian Bible is that humans were designed by God (created in his image) but has had malware implanted by a hacker named Satan. God's son had to die to pay the ransom for the self-destruct code [wikipedia.org] for Satan's malware, and this code will be applied after the tribulation.
        • by djdanlib (732853)

          It's more like this, although it may tread into slightly blasphemous territory by being written like this:

          God has a good old time livin' it up with the angels. Then one day Lucifer, a great leader of angels, gets dissatisfied with his position and jealous and decides he wants to be like God. A whole bunch of angels follow him. God isn't pleased and decides to kick them all out of His presence.

          Meanwhile, God creates the universe and a man for companionship, and then a woman to keep the man company, in a perf

          • by PRMan (959735)
            Awesome. I love it. Can I steal this to read in a class that I teach?
    • by arth1 (260657)

      I find it quite fitting. It's not the most advanced or strongest of the species that survive, but those that can adapt.
      This is evolution in a nutshell.

      • by Dunbal (464142) *
        On the other hand what does this say about the evolution of computer users... it seems that there isn't any.
      • by debrain (29228)

        I find it quite fitting. It's not the most advanced or strongest of the species that survive, but those that can adapt.
        This is evolution in a nutshell

        Sir –

        I agree that evolution is present, but it is not of the Darwinian sort. The Darwinian theory of evolution is based upon natural selection, as distinguished from (even in his day) widely understood and accepted forms of artificial selection (e.g. husbandry, horticulture). Darwinian selection is controversial because it removes from the equation of evolution the guiding hand of God – Darwin posited that we "advance" not because of some divine purpose, but as a response to criteria set out in

    • What's even scarier is that those Powerful Darwinian Forces have slipped their insidious malware genes into the news reports about themselves!
  • Polymorphic Shellcode Engine Using Spectrum Analysis
    http://www.phrack.org/issues.html?issue=61&id=9 [phrack.org]
    Release date : 13/08/2003

    Naturally I'm paranoid about what AVG and Comodo have not detected since then. NOD32 didn't say anything either about my normal use, but I'm actually glad the technique is becoming a threat that AV suppliers must address.

  • Polymorphic and metamorphic malware has been around for years. They're probably seeing a rise in detections simply because of the popularity of a certain malware generation tool or something. You can read about polymorphic and metamorphic malware in a book written by a guy from Symantec that was published in 2005: http://www.amazon.com/Art-Computer-Virus-Research-Defense/dp/0321304543 [amazon.com]
    • Thank you! I thought I was the only one that knew this. I even programmed a little polymorphic program in 2004.

      I was beginning to think I had lost a great opportunity. :P

  • Polymorphic Software (Score:5, Informative)

    by Atmchicago (555403) on Tuesday July 26, 2011 @01:35PM (#36886106) Homepage
    Polymorphic Software
    Prerequisite: Industrial Base, Information Networks
    Technology: Advanced Subatomic Theory, Optical Computers, Adaptive Doctrine
    Special Ability: Heavy Artillery
    Improves Probe Team success rate.
    Track and Level: Discover 2
    "Technological advance is an inherently iterative process. One does not simply take sand from the beach and produce a Dataprobe. We use crude tools to fashion better tools, and then our better tools to fashion more precise tools, and so on. Each minor refinement is a step in the process, and all of the steps must be taken."
    -- Chairman Sheng-ji Yang,
    "Looking God in the Eye"
  • I think a lot of our problems come from these 3rd party packages that have grown WAY too complex and provide too many vulnerabilities. Why, for example, should the PDF format permit -anything executable or coded-, whether it's JavaScript or ZIP files? It's time in my view for the developer and system integrator community to simplify; let's get back to the idea of tools and programs that have well-defined scope and do a few things well, rather than turning into Yet Another Vendor Platform that can be used to distribute viruses/trojans/malware/crapware/etc.

  • by pathological liar (659969) on Tuesday July 26, 2011 @01:41PM (#36886162)

    Whale [wikipedia.org] is more than 20 years old now, and it was polymorphic. An issue of 40hex from 1993 [textfiles.com] provides source for a polymorphic engine. This isn't a new development, the technique was "mastered" 20 years ago :P

    Maybe they've seen a recent spike in it, but... who cares? Well, unless it means they'll put a little more thought into AV than signature-based bullshit. "heuristics"-based detection that isn't a complete joke, for a start.

  • by Doc Ruby (173196) on Tuesday July 26, 2011 @01:42PM (#36886176) Homepage Journal

    I'd like to see the OS, especially one like Android in the hands of unsupported, naive, and promiscuous users, require permissions for InterProcess Communication the it does for files. And for DB access. All strongly typed. Those kinds of familiar patterns in combination, upon every access between processes on objects. Mediated by an OS capable of supporting the user and using a support Internet to warn others when threats (or patterns that represent threats) appear to correlate to risky objects of the same kind.

    The OS and Internet should act as an integrated immune system bathing our objects, not just a special case intervention when opening the first file from an email. Dedicate one or two cores of these multicore CPUs (and prefilter at servers for smaller/mobile devices). Attacks are now the norm, not the exception. The network and OS infrastructure design should recognize the new reality.

    • by gl4ss (559668)

      oh you want symbian? you want to go insane developing applications someone could actually use for it too? I mean, I even went and bought a book for it, a highly recommended one. you know what it said about IPC? that't it's too fucking complicated to go into in the book as thick as harry potters.

      and for the record android asks for permission (install time, but anyways) for just about anything. you know what's wrong with it? you can't know what the app will actually do with those permissions -

      • by Doc Ruby (173196)

        I don't want Symbian, but I do want the kind of IPC I described. I don't want it to be insanely complex, nor need it be - which I guess is one reason I don't want Symbian.

        Actually Android's permissioning sounds similar to what I want, but not quite good enough. I'll have to look into it. Install time is the time to ask for permission to IPC to other apps/processes, but the GUI should describe it by service role rather than app/data, because users can make sense of roles rather than the techical implementati

    • by EdIII (1114411)

      What fucking planet are you from dude? :)

      That's an extremely logical and well thought out plan for a system design for non-humans.

      A computer can warn a human of all the threats in the world. However, if there is a promise of a fuzzy kitten doing something cute, or a fuzzy kitten in between a pair a nice tits, all the warnings are useless.

      If I had a nickle for every time somebody I know said they clicked on the link anyways because of the promised content I would be retired on an island.

      I think the better i

  • by sl4shd0rk (755837) on Tuesday July 26, 2011 @01:44PM (#36886202)

    Several reasons why Antivirus is a fail:
        1) 0-day. Your AV will never pick it up
        2) polymorphism - if the virus sig changes, you're hosed
        3) People think: "Since I have AV, I can't get infected"
        4) People think: "AV didn't find anything wrong, so I must be clean"
        5) When AV doesn't work, people assume it's broken

    Antivirus has evolved into a "solution" when it's clearly not capable. How many infected windows installs have you found where Norton took a head-shot, or some kind of AV *was* installed at one time but got smoked?

    What's needed: OSs need to plug their holes. Browsers could be fixed so it doesn't hand off malicious content to system executables. The OS itself should be trimmed down so not everyone is running SMB/RPC (or other commonly exploited services) by default. Executables which handle web contect could be sandboxed and run by a lower privilege user (this can be done in Unix, so why not windows?). Why do these things not happen?

    AV is great when it works but it's proving not to be enough.

    • by twocows (1216842)
      Follow the money. Who stands to profit from a market of security vulnerabilities? I can tell you, Symantec sure isn't hurting for cash right now.
      • Symantec and the AV industry is actually fueled by fear. Every real threat costs them money. Those are jobs that need actual work to overcome. Or at least enough to placate their customers. False threats, scaremongering, and the general fear of malware is what makes money in the AV industry.
    • by Caerdwyn (829058) on Tuesday July 26, 2011 @02:15PM (#36886548) Journal

      The first polymorphic file-infecting virus that saw wide dispersion was DAV (Dark Avenger), back in 1991. It was detected just fine.

      Not all virus detection is performed via signature-checking. In the case of Dark Avenger, McAfee used curve-fitting. A histogram of the frequency of various byte values in specific locations within an executable file was generated, and a frequency-distribution curve generated from that. This curve was compared to the curves of legitimate executables and to what the DAV virus tended to create as it altered the files it infected. How well the curves matched, and where any anomalies in otherwise-perfectly-matching curves were, became the basis of determining confidence that there was a"hit". This technique proved to be extremely accurate, moreso than string-matching. While false-negative (failed detection) and false-positive rates were never perfect, they were in the "many 9's" of accuracy. In many cases, this heuristic was more accurate against DAV than string-matching was against other non-polymorphic viruses

      Point 1 is incorrect. Heuristics will often pick up a 0-day virus, as will behavior-based (anomaly detection) systems. String-based virus detection is only a part of modern antivirus products.
      Point 2 is incorrect, and has been for 20 years. Polymorphism is no more a perfect virus cloaking mechanism than antivirus software is perfect malware defense.
      Points 3 and 4... no antivirus software will ever stop infection if the user explicitly grants permission for something to run. There is no functional difference between malware and legitimate software; everything that malware does (from a functional perspective) is something that some piece of legitimate software or another can do. Malware is defined by deception, not function. Antivirus software does not detect deception, nor should it be expected to.
      Point 5... yeah. People expect magic bullets. People demand perfection for free. People can go fuck themselves and their slimy little tort lawyers.

      And... stack-based exploits are not viruses. Antivirus software is not intended to defend against such attacks.

      But yes, all applications should run in their own sandboxes, memory-wise, file-system-wise, privilege-wise. This isn't a perfect defense either, as the software which attempts to enforce the sandbox is itself subject to attack. And there are many components of a system which are user-installed but are not sandboxed (device drivers, maintenance utilities). As long as operating systems and applications are architected as they are, there will be vulnerabilities which are deception-based. The only defenses there are education and reputation.

    • Sigh (Score:5, Insightful)

      by Sycraft-fu (314770) on Tuesday July 26, 2011 @02:24PM (#36886646)

      I get real tired of this one. This naive geek idea that OSes can be made perfect and somehow immune to viruses. News flash: They can't, at least not if you wish to keep the ability to run arbitrary code. The only way to make an OS safe against viruses is the Apple "walled garden" idea where only authorized apps run. Even then, you could potentially sneak something by the authority that says if apps are ok. However so long as you can run arbitrary code, you can run evil code. There is no evil bit, the computer will execute anything it is given.

      Please remember when talking about malware as opposed to worms you are talking about stuff that comes in to the computer through user action. It is bundled with an application, or is an app all by itself. The user downloads and runs it. There is no patching against that.

      Also you have the silly idea of "if something isn't 100% effective it shouldn't be used." Bullshit. Look at security in the real world some day, where there is no such thing, ever, as perfect security. You get used to the concept that everything is fallible and you need defense in depth. Virus scanners help provide that defense in depth. They scan incoming things for known threats (by the way good ones are updated more than once a day). It is not your only line of defense, but one of them.

      Run a virus scanner, and run as a deprivledged user, and patch your OS, and make sure to get software from trusted sources, and monitor your system, and so on. Don't have a defense, have layers. Only then do you have a real security solution.

      PS, web executables can be sandboxed on Windows, IE does this, other browsers just don't care to use the interface to do so.

    • by Jeng (926980)

      How many infected windows installs have you found where Norton took a head-shot, or some kind of AV *was* installed at one time but got smoked?

      Normally it is because the AV subscription hasn't been paid up. I don't think I have seen an infection on a computer with a working anti-virus.

      Then again if you are basing this on Norton, well yea then All AV's are crap if you only judge it by Norton, they may have name recognition, but that is about all.

    • by robbo (4388)

      Best clean-up I ever did was a Norton install done by my father-in-law's 'computer guy', complete with trojan masquerading as a key generator.

    • by djdanlib (732853)

      You hit the nail almost on the head. I work in IT, and I see a lot of dumb stuff happen because people trust their computers to magically keep them safe.

      AV software usually has features that plug some of the holes - like blocking IRC communication, or preventing execution of attachments, or things in temp folders, or things on network shares. You have to configure it right. That's not a skill most users are going to have, unfortunately. The overhead of doing all this can be pretty intense sometimes, too, wh

    • by Cruciform (42896)

      There was a guy in one place where I worked who would constantly click on shit he shouldn't have, and so a lot of time was spent helping him out. He got infected by one trojan that had a chopped-up payload, so when you got rid of the main program it would just piece it together from bits scattered over the drive, registry entries, etc. on reboot.
      Someone in the office probably gave it to him. It was insidious.

  • There have been polymorphic viruses since the dawn of time. I even wrote one in 2004. Why is this news?
  • One has to wonder, as viruses get more sophisticated and are able to obfuscate their own signatures, what methods are going to be utilized in the future to detect them... because I can't see it.

    For some reason, this is reminding me of the Turing Halting Problem.

    And even trying to practice safe web surfing habits isn't always effective. I have seen a virus get onto a work computer that was behind the company's firewall, where the user did not install any software at all, used mozilla for 100% of his b

    • by arth1 (260657)

      One has to wonder, as viruses get more sophisticated and are able to obfuscate their own signatures, what methods are going to be utilized in the future to detect them... because I can't see it.

      I wrote the first heuristic AV program back in the late 80s, which would not just look at signatures, but what the code actually did and whether THAT posed a risk. A mini disassembler and risk analysis tool, if you like.
      Unfortunately, it requires that the user doesn't blindly trust the AV software, but makes decisions too. Perhaps there's a good reason why a program would patch an IO vector, and the AV software can not know this for certain. But it can point it out.

      AV software can also patch an OS to mak

  • [grammar_nazi_mode=ON]

    This may win me the pedant of the year award, but the summary says "The level ... doubled in July, when compared to figures from six months ago." This is incorrect and doesn't even make sense. Reading the original article reveals the truth. The level doubled in the six months leading up to July. I suppose it's theoretically possible that the level stayed perfectly flat for 5 months, then suddenly doubled, but I think the article would have mentioned that.

    [grammar_nazi_mode=OFF]

  • And the 1260 [wikipedia.org] virus.

    The 'methods' of encryption have changed (once was ZIP, now ZIP AND PDF, requiring a PDF reader in addition to ZIP libraries), but the concept isn't new, and I;m surprised has not been in continuous use since then.

    And this passes as either new or unusual for /.? Doubling the deteciton volume for a month? July? And July isn't even over yet?

    So was it the word 'darwinian' that justified this as interesting?

    feh.

  • by Nyall (646782)

    I've been wondering about this for 13 years now (when I started learning z80 and 68k assembly) if antivirus software was smart enough to analyze for things like:

    jmp lbl_1 .ds 50 /* declare 50 bytes of storage */
    lbl_1:

    And those 50 bytes are filled in with random patterns. But this article makes it sound like there are multiple jumps that are being generated which I've also considered. Or dummy for loops.

    I'm surprised virus writers are only starting to do this. Any assembly coder worth his salt sho

    • by Nyall (646782)

      Sorry there should be a carriage return between the the "jmp lbl_1" and the ".ds 50"

    • by Arker (91948)

      Competent malware authors have been doing this for many years.

      The news is the techniques are becoming more common even amongst the level that produces stuff Symantec can actually catch.

  • MS-DOS had polymorphic viruses in the early '90s.

  • Then these must affect OS X.....

    I suppose we should be thankful he didn't go for something like:

    These Darwinian forces are causing an acceleration of Moore's Law in the prevalence of super-intelligent malware.

    sigh.

  • If you're wondering what they're talking about you should watch this video. http://www.youtube.com/watch?v=54XYqsf4JEY [youtube.com]

    For a demo, see the 38:00 mark. The windows "calc.exe" is modified to simultaneously a valid windows exe, a valid zip archive, and a valid PDF. The same file can appear benign to anti-virus tools even though there is malware contained in the file when interpreted in certain ways.

    -molo

  • Between the spam and viruses, perhaps the time has come for some sort of digital postage? Its been discussed and shot down before but its reached a point where the ongoing costs of fighting spam, viruses and malware are outpacing previously proposed pricing for emails. It just seems ridiculous that I end up spending so much time and effort with my clients just trying to keep up with idiots who want to fuck up peoples computers and dealing with the ignorant (who admittedly shouldn't have to know all about

  • you can uninstall it, delete it, manually remove it from the registry, use specialized tools, and even beg for the authors to provide help , but BAM there is a fucking windows installer asking you to insert the disk every time you fart

Our informal mission is to improve the love life of operators worldwide. -- Peter Behrendt, president of Exabyte

Working...