Mutate, fragment, hide: The new hacker mantra

Increasingly sophisticated methods employed for developing malware

Hackers working for criminal gain are using increasingly sophisticated methods to ensure that the malware they develop is hard to detect and remove from infected systems, security researchers warned at this week's Computer Security Institute (CSI) trade show in Orlando.

The most popular of these approaches involve code mutation techniques designed to evade detection by signature-based malware blocking tools; code fragmentation that makes removal harder; and code concealment via rootkits.

Unlike mass-mailing worms such as MS Blaster and SQL Slammer, most of today's malware programs are being designed to stick around undetected for as long as possible on infected systems, said Matthew Williamson, principal researcher at Sana Security.

The goal in developing such malware is not to simply infect as many systems as possible but to specifically steal usage information and other data from compromised systems, he said.

An increasingly popular way of attempting this is with the use of polymorphic code that constantly mutates. Many malicious hackers also now use "packers" to encrypt malware to evade detection. Some then use different routines for decrypting the code to create a virtually unlimited number of mutations, Williamson said.

One example of that was Swizzor, a Trojan download program discovered earlier this year that repacked itself once a minute to get past signature-based tools that work only if they know precisely what to block. Swizzor also recompiled itself once every hour. Code recompilation is another tack hackers have been using to subtly mutate code to get past blocking systems, Williamson said.

Many spyware programs take advantage of publicly available encryptors or packing technologies to evade detection, said Gerhard Eschelbeck, CTO at Webroot Software. If a proprietary encryption algorithm is used, it is based off a publicly available or open-source algorithm, he said.

Spyware programs also use kernel-level drivers and process blocking techniques to actively stop antispyware programs from running, Eschelbeck said.

According to Ralph Thomas, manager of malicious code operations at VeriSign's iDefense unit, modern malware programs are also designed to split themselves into several co-dependent components once installed on a system.

Each fragment or component then keeps track of the others, and when an attempt is made to delete one component, the remaining fragment instantly re-spawns or reinstalls it -- making removal very hard, Thomas said during a CSI presentation.

One early example of such malware was WinTools, which has been around since 2004 and installs a toolbar, along with three separate components, on infected systems. Attempts to remove any part of the malware cause the other parts to simply replace the deleted files and restart them.

The fragmented nature of such code makes it harder to write removal scripts and to know if all malicious code has actually been removed, Williamson said.

Complicating matters is the growing use of rootkits to conceal malicious code on infected systems, he said. Rootkits can be installed at the operating system level or as kernel-level modules and are used to hide malicious code and processes from malware detection tools, Williamson said.

A malicious program named Haxdoor -- a variant of which was used to steal information from 8,500 computers in 60 countries in October -- is one example. Haxdoor was used to steal passwords, keystroke information and screen shots from computers it had infected and send them to a remote server.

It was also used to disable system firewalls and concealed itself in a rootkit on the infected machines.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?