Polymorphic viruses call for new antimalware defenses

Listen to this week's Threat Monitor Download this polymorphic viruses tip to your PC or favorite MP3 player.

Polymorphic code is actually a pretty simple idea, but a nasty one. Think of the word "polymorphic" in its piece parts: "poly" means "many," and "morphic" means "form." So, polymorphic refers to two or more pieces of code that have exactly the same functionality, but different code.

Two snippets of code could do exactly the same thing when they run, for example, but they might have entirely different sets of instructions. These pieces are "polymorphs" of each other.

Why would someone implement such code? To dodge strict signature-based detection, a major function of most antivirus and antispyware tools today.

Strict signature detection technologies match an exact sequence of bits on the hard drive or in memory. By self-morphing for each newly infected system, polymorphic code can create a new version that dodges the latest signatures. And, taken to the extreme, code could morph whenever it runs, each time creating a new version of itself that still performs the same function.

But, here's the good news. Most major antivirus tools today employ heuristic checks. Think of these like "fuzzy" signatures; instead of matching the exact contents of a file in the file system or in memory, heuristic technologies only require certain crucial piece parts of code to match. And, because the bad guys so frequently utilize key parts of their old code when creating new evil specimens, the heuristics catch a lot of the nastiness. There are often still enough patterns left even in polymorphic code for an antivirus tool to detect it.

For more information on viruses Learn about Warezov and its many variations. Defend your mobile devices from viruses and other malware. Get the latest malware news and expert advice in our SearchSecurity.com resource center. Have information security threat questions? Submit them to Ed Skoudis.

So what preventative measures can you take? Make sure you have up-to-date antivirus and antispyware signatures and that you are using an AV/spyware tool that supports heuristics. Most of the antivirus tools have this type of functionality, but not all of the antispyware tools do. Check with your vendor if you really want to know for sure.

As always though, things are in flux. The bad guys are starting to experiment with radically polymorphic code that thwarts heuristic controls by removing as many patterns from the original code as possible. The vendors, in turn, are working to improve the intelligence of their heuristics. Other antimalware vendors are starting to move toward behavior-based detection. Such techniques monitor the behavior of malware rather than look for any pattern in the actual code. If a piece of malware, for example, alters some critical files, the antimalware product can detect such behavior and kill the infection.

I happen to like a blend of both heuristic and behavior-based defenses myself, but be aware that some vendors are devoted to one side or the other.

About the author:
Ed Skoudis is a SANS instructor and a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions related to information security threats.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Threat Monitor,   Malware, Viruses, Trojans and Spyware,   Information Security Threats,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threat Monitor Server Message Block Version 2 security in question: Disable or patch? Preparing for future security threats, evolving malware Best practices for (small) botnets Cut down on calls to help desk with cybersecurity awareness training How to detect software tampering How to prevent phishing attacks with social engineering tests An enterprise strategy for Web application security threats How SSL-encrypted Web connections are intercepted How a corporate Twitter policy can combat social network threats Cyberwarfare and the enterprise: Is the threat real? Malware, Viruses, Trojans and Spyware Malware in Google attacks uses spaghetti code Preparing for future security threats, evolving malware Facebook attacks prompt investments in social networking security Another PDF attack targets Adobe zero-day vulnerability Security report finds rise in banking Trojans, adware, fewer viruses How to prevent rogue antivirus programs in the enterprise How to stop keylogging malware with more than basic antivirus software, firewalls Conficker-infected machines now number 7 million, Shadowserver finds FBI estimates rogue antivirus losses exceeding $150 million Security researchers continue hunt for Conficker authors RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RAT (remote access Trojan)  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.