Mutate, fragment, hide: The new hacker mantra

Increasingly sophisticated methods employed for developing malware

Hackers working for criminal gain are using increasingly sophisticated methods to ensure that the malware they develop is hard to detect and remove from infected systems, security researchers warned at this week's Computer Security Institute (CSI) trade show in Orlando.

The most popular of these approaches involve code mutation techniques designed to evade detection by signature-based malware blocking tools; code fragmentation that makes removal harder; and code concealment via rootkits.

Unlike mass-mailing worms such as MS Blaster and SQL Slammer, most of today's malware programs are being designed to stick around undetected for as long as possible on infected systems, said Matthew Williamson, principal researcher at Sana Security.

The goal in developing such malware is not to simply infect as many systems as possible but to specifically steal usage information and other data from compromised systems, he said.

An increasingly popular way of attempting this is with the use of polymorphic code that constantly mutates. Many malicious hackers also now use "packers" to encrypt malware to evade detection. Some then use different routines for decrypting the code to create a virtually unlimited number of mutations, Williamson said.

One example of that was Swizzor, a Trojan download program discovered earlier this year that repacked itself once a minute to get past signature-based tools that work only if they know precisely what to block. Swizzor also recompiled itself once every hour. Code recompilation is another tack hackers have been using to subtly mutate code to get past blocking systems, Williamson said.

Many spyware programs take advantage of publicly available encryptors or packing technologies to evade detection, said Gerhard Eschelbeck, CTO at Webroot Software. If a proprietary encryption algorithm is used, it is based off a publicly available or open-source algorithm, he said.

Spyware programs also use kernel-level drivers and process blocking techniques to actively stop antispyware programs from running, Eschelbeck said.

According to Ralph Thomas, manager of malicious code operations at VeriSign's iDefense unit, modern malware programs are also designed to split themselves into several co-dependent components once installed on a system.

Each fragment or component then keeps track of the others, and when an attempt is made to delete one component, the remaining fragment instantly re-spawns or reinstalls it -- making removal very hard, Thomas said during a CSI presentation.

One early example of such malware was WinTools, which has been around since 2004 and installs a toolbar, along with three separate components, on infected systems. Attempts to remove any part of the malware cause the other parts to simply replace the deleted files and restart them.

The fragmented nature of such code makes it harder to write removal scripts and to know if all malicious code has actually been removed, Williamson said.

Complicating matters is the growing use of rootkits to conceal malicious code on infected systems, he said. Rootkits can be installed at the operating system level or as kernel-level modules and are used to hide malicious code and processes from malware detection tools, Williamson said.

A malicious program named Haxdoor -- a variant of which was used to steal information from 8,500 computers in 60 countries in October -- is one example. Haxdoor was used to steal passwords, keystroke information and screen shots from computers it had infected and send them to a remote server.

It was also used to disable system firewalls and concealed itself in a rootkit on the infected machines.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Show Comments

Father’s Day Gift Guide

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?