Can regional banking Trojans hide from signature-based antivirus?
I've read that region-focused banking Trojans are less likely to be discovered by antimalware programs. Why is that?
Region-focused malware exploits one of the most significant limitations of traditional signature-based antimalware software, and these banking Trojans, or customized malware, are just one type of malware that exploits this limitation. The limitation is that malware traditionally must be analyzed and a signature created before detection can take place. Customized malware has traditionally been the most difficult to detect, either because the malware's signature is constantly changing as it is retargeted at specific regions or specific banks, or because the small number of websites the malware covers means it is never reported to antimalware vendors at all. Targeting a new bank may not fundamentally alter the malware if the malware is modular, but if a new type of attack or a significant change is made to the malware, this can affect how easily signature-based antivirus can detect it.
This limitation in detecting new, customized or targeted malware may be changing though, as antimalware software is including more behavioral-detection capabilities in its core functionality. Antimalware has included heuristic functionality for many years, but the recent advancements in behavioral detections are a significant improvement over heuristic detection. The behavioral detections can be more generic than traditional signatures because the antimalware software can find malicious behavior -- such as programs accessing saved passwords or sending passwords to an external website -- and then potentially block it or detect as malicious the file(s) being used by the malware to access passwords and quarantine them.
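To make the contrast concrete, here is an added Python example (not from the original answer) that runs a hash signature and a generic behavioral rule over two constructed Trojan "variants" and a constructed process-event log: the signature built from one variant misses the other, while the behavioral rule flags both without knowing either sample. The sample bytes, process IDs and host names are constructed; only the browser saved-password file names are real.

```python
import hashlib
from dataclasses import dataclass

# Constructed samples: identical code, only the hard-coded target bank differs
# (the kind of per-region customisation the answer describes).
VARIANT_A = b"BANKER v1 target=bank-a.example read_saved_passwords send_http"
VARIANT_B = b"BANKER v1 target=bank-b.example read_saved_passwords send_http"

# Signature database: the vendor has analysed only variant A.
SIGNATURES = {hashlib.sha256(VARIANT_A).hexdigest()}

def signature_detect(sample: bytes) -> bool:
    """Classic hash signature: exact match against known-bad samples."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURES

@dataclass
class Event:
    pid: int
    kind: str    # "file_read" or "net_send"
    target: str  # file path or destination host

# Browser saved-password stores (real file names used by Chrome and Firefox).
CREDENTIAL_STORES = ("Login Data", "logins.json", "key4.db")
TRUSTED_HOSTS = {"update.vendor.example"}  # constructed allow-list

def behavior_detect(events):
    """Generic rule: a process reads a saved-password store and later sends
    data to a host outside the allow-list. Needs no knowledge of the sample."""
    read_creds, flagged = set(), set()
    for ev in events:
        if ev.kind == "file_read" and ev.target.endswith(CREDENTIAL_STORES):
            read_creds.add(ev.pid)
        elif ev.kind == "net_send" and ev.pid in read_creds and ev.target not in TRUSTED_HOSTS:
            flagged.add(ev.pid)
    return flagged

# Constructed event log: pid 101 runs variant A, pid 102 runs variant B,
# pid 200 is a benign updater that reads no credential store.
EVENTS = [
    Event(101, "file_read", r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(101, "net_send", "unknown-host.example"),
    Event(102, "file_read", r"C:\Users\u\AppData\Roaming\Mozilla\Firefox\Profiles\x\logins.json"),
    Event(102, "net_send", "unknown-host.example"),
    Event(200, "file_read", r"C:\Program Files\Vendor\config.ini"),
    Event(200, "net_send", "update.vendor.example"),
]

if __name__ == "__main__":
    print("signature:", signature_detect(VARIANT_A), signature_detect(VARIANT_B))  # True False
    print("behavior flags pids:", sorted(behavior_detect(EVENTS)))                  # [101, 102]
```

A production behavioral engine would add process reputation and context to cut false positives (a browser legitimately reads its own password store), but the point stands: the rule is written once and catches every retargeted build.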
This was first published in July 2010