pixel_dreams - Fotolia
I've read that malware can use a technique called software wrapping to avoid detection. How does malware wrapping work? Are there any effective ways to detect wrapped malware?
Malware authors have quickly learned how traditional signature-based antimalware tools detect malware and have thus adapted their malware attacks to avoid detection by the specific signature. Authors have also learned they need quick and easy malware distribution methods to be able to infect as many computers as possible in as little time as possible.
One common way to change the signature on a piece of malware is to include NOP-sleds in the code to change the checksums on the files, but this is fairly easy to identify. However, including a legitimate file along with the malware makes it much more difficult to detect than making trivial changes to the code.
Such malware "wrapped" with a legitimate file is configured so that once executed, it extracts or installs the legitimate file along with installing the malware -- this is similar to how the legitimate InstallShield software is used to install software, so there are in fact legitimate uses of software wrapping.
More recently, malware authors have found they can use cracked or pirated copies of popular software in place of legitimate files to malware wrapping and can distribute it via peer-to-peer networking or unsavory websites.
Standard antimalware tools can detect wrapped malware if the signature is sophisticated enough to only identify the malicious part of the application. Otherwise, it could be detected by monitoring the behavior of the application.
To prevent falling victim to malware attacks that use malicious software wrapping, enterprises should only install software from trusted sources and should validate checksums or signatures on the files to reduce the risk from malware being included in legitimate files.
Ask the Expert:
Want to ask Nick Lewis a question about enterprise threats? Submit your question now via email. (All questions are anonymous.)
Learn how advanced malware detection is critical to enterprise defense
Find out why DLL preloading makes malware detection difficult
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading