Mutate, fragment, hide: The new hacker mantra

Increasingly sophisticated methods employed for developing malware

Hackers working for criminal gain are using increasingly sophisticated methods to ensure that the malware they develop is hard to detect and remove from infected systems, security researchers warned at this week's Computer Security Institute (CSI) trade show in Orlando.

The most popular of these approaches involve code mutation techniques designed to evade detection by signature-based malware blocking tools; code fragmentation that makes removal harder; and code concealment via rootkits.

Unlike mass-mailing worms such as MS Blaster and SQL Slammer, most of today's malware programs are being designed to stick around undetected for as long as possible on infected systems, said Matthew Williamson, principal researcher at Sana Security.

The goal in developing such malware is not to simply infect as many systems as possible but to specifically steal usage information and other data from compromised systems, he said.

An increasingly popular way of attempting this is with the use of polymorphic code that constantly mutates. Many malicious hackers also now use "packers" to encrypt malware to evade detection. Some then use different routines for decrypting the code to create a virtually unlimited number of mutations, Williamson said.

One example of that was Swizzor, a Trojan download program discovered earlier this year that repacked itself once a minute to get past signature-based tools that work only if they know precisely what to block. Swizzor also recompiled itself once every hour. Code recompilation is another tack hackers have been using to subtly mutate code to get past blocking systems, Williamson said.

Many spyware programs take advantage of publicly available encryptors or packing technologies to evade detection, said Gerhard Eschelbeck, CTO at Webroot Software. If a proprietary encryption algorithm is used, it is based off a publicly available or open-source algorithm, he said.

Spyware programs also use kernel-level drivers and process blocking techniques to actively stop antispyware programs from running, Eschelbeck said.

According to Ralph Thomas, manager of malicious code operations at VeriSign's iDefense unit, modern malware programs are also designed to split themselves into several co-dependent components once installed on a system.

Each fragment or component then keeps track of the others, and when an attempt is made to delete one component, the remaining fragment instantly re-spawns or reinstalls it -- making removal very hard, Thomas said during a CSI presentation.

One early example of such malware was WinTools, which has been around since 2004 and installs a toolbar, along with three separate components, on infected systems. Attempts to remove any part of the malware cause the other parts to simply replace the deleted files and restart them.

The fragmented nature of such code makes it harder to write removal scripts and to know if all malicious code has actually been removed, Williamson said.

Complicating matters is the growing use of rootkits to conceal malicious code on infected systems, he said. Rootkits can be installed at the operating system level or as kernel-level modules and are used to hide malicious code and processes from malware detection tools, Williamson said.

A malicious program named Haxdoor -- a variant of which was used to steal information from 8,500 computers in 60 countries in October -- is one example. Haxdoor was used to steal passwords, keystroke information and screen shots from computers it had infected and send them to a remote server.

It was also used to disable system firewalls and concealed itself in a rootkit on the infected machines.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?