pixel_dreams - Fotolia

Problem solve Get help with specific problems with your technologies, process and projects.

How can malicious software wrapping be avoided?

Malware authors are adopting software wrapping to hide malicious code and avoid detection. Expert Nick Lewis explains how to defend against the threat.

I've read that malware can use a technique called software wrapping to avoid detection. How does malware wrapping work? Are there any effective ways to detect wrapped malware?

Malware authors have quickly learned how traditional signature-based antimalware tools detect malware and have thus adapted their malware attacks to avoid detection by the specific signature. Authors have also learned they need quick and easy malware distribution methods to be able to infect as many computers as possible in as little time as possible.

One common way to change the signature on a piece of malware is to include NOP-sleds in the code to change the checksums on the files, but this is fairly easy to identify. However, including a legitimate file along with the malware makes it much more difficult to detect than making trivial changes to the code.

Such malware "wrapped" with a legitimate file is configured so that once executed, it extracts or installs the legitimate file along with installing the malware -- this is similar to how the legitimate InstallShield software is used to install software, so there are in fact legitimate uses of software wrapping.

More recently, malware authors have found they can use cracked or pirated copies of popular software in place of legitimate files to malware wrapping and can distribute it via peer-to-peer networking or unsavory websites.

Standard antimalware tools can detect wrapped malware if the signature is sophisticated enough to only identify the malicious part of the application. Otherwise, it could be detected by monitoring the behavior of the application.

To prevent falling victim to malware attacks that use malicious software wrapping, enterprises should only install software from trusted sources and should validate checksums or signatures on the files to reduce the risk from malware being included in legitimate files.

Ask the Expert:
Want to ask Nick Lewis a question about enterprise threats? Submit your question now via email. (All questions are anonymous.)

Next Steps

Learn how advanced malware detection is critical to enterprise defense

Find out why DLL preloading makes malware detection difficult

Read why malware detection is harder than ever

This was last published in October 2015

Dig Deeper on Malware, virus, Trojan and spyware protection and removal