Attackers are always looking for innovative ways to dodge antivirus software, and many malicious hackers are now creating polymorphic code to do just that. But it's not just malware writers who are raising the bar. In this tip from our Ask the Experts section, contributor Ed Skoudis explains how antimalware vendors are responding to this emerging threat.
Polymorphic code is actually a pretty simple idea, but a nasty one. Think of the word "polymorphic" in its piece parts: "poly" means "many," and "morphic" means "form." So, polymorphic refers to two or more pieces of code that have exactly the same functionality, but different code.
Two snippets of code could do exactly the same thing when they run, for example, but they might have entirely different sets of instructions. These pieces are "polymorphs" of each other.
Why would someone implement such code? To dodge strict signature-based detection, a major function of most antivirus and antispyware tools today.
Strict signature detection technologies match an exact sequence of bits on the hard drive or in memory. By self-morphing for each newly infected system, polymorphic code can create a new version that dodges the latest signatures. And, taken to the extreme, code could morph whenever it runs, each time creating a new version of itself that still performs the same function.
But, here's the good news. Most major antivirus tools today employ heuristic checks. Think of these like "fuzzy" signatures; instead of matching the exact contents of a file in the file system or in memory, heuristic technologies only require certain crucial piece parts of code to match. And, because the bad guys so frequently utilize key parts of their old code when creating new evil specimens, the heuristics catch a lot of the nastiness. There are often still enough patterns left even in polymorphic code for an antivirus tool to detect it.
So what preventative measures can you take? Make sure you have up-to-date antivirus and antispyware signatures and that you are using an AV/spyware tool that supports heuristics. Most of the antivirus tools have this type of functionality, but not all of the antispyware tools do. Check with your vendor if you really want to know for sure.
As always though, things are in flux. The bad guys are starting to experiment with radically polymorphic code that thwarts heuristic controls by removing as many patterns from the original code as possible. The vendors, in turn, are working to improve the intelligence of their heuristics. Other antimalware vendors are starting to move toward behavior-based detection. Such techniques monitor the behavior of malware rather than look for any pattern in the actual code. If a piece of malware, for example, alters some critical files, the antimalware product can detect such behavior and kill the infection.
I happen to like a blend of both heuristic and behavior-based defenses myself, but be aware that some vendors are devoted to one side or the other.
About the author:
Ed Skoudis is a SANS instructor and a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions related to information security threats.