-- Background --
1. Signature-based scanning
Broadly speaking, in order to detect trojans and other malware, AV/AT scanners search a suspicious file for particular strings or byte patterns and compare them with the signatures contained in the scanner's signature database. Signature-based scanning has the benefit that known malware can be detected precisely and removed without user interaction. Its severe weakness is that, in numerous cases, malware can easily be modified so that the scanner no longer finds a "match" between a signature and the modified sample.
2. Dangers resulting from run-time compressed or crypted malware
If a trojan is scrambled with an .exe file compressor or a crypter, the strings and byte patterns within the trojan file change and no longer match the original patterns on which the scanner's signatures are based. In that case an AV/AT scanner does not recognize the trojan anymore.
Compressing or encrypting malware does not require sophisticated skills; it is a job that takes only a few seconds. Producers of commercial software use special tools (so-called executable file compressors/protectors, scramblers or crypters) to protect their products from software pirates. These tools are commonly available and are sometimes even distributed as freeware. They can be downloaded, for example, from websites like "Programmer's Tools" ( http://protools.cjb.net/ ).
If you purchase an expensive AV/AT scanner, you will probably expect that its developer has worked out a solution for this well-known problem. Don't be mistaken: frequently, this is not the case. In practice it happens over and over again that computer users are harmed by malware although they have installed a popular AV/AT scanner and feel safe.
In particular, trojans are frequently compressed or scrambled by attackers who want to break into a computer system. But other types of malware can be camouflaged in this manner as well. For instance, many AV scanners were unable to detect a compressed and crypted variant of the infamous worm "Opasoft" until a new signature had been created especially for this variant of the worm (see here).
Currently, only a few developers of AV/AT scanners have the ambition (or the necessary skills) to include a so-called unpacking engine in their scanner. An unpacking engine is capable of "looking through" such compressors and crypters and therefore helps to detect scrambled malware automatically, without a separate signature for every packed variant.
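The following is an added example (not code from the original page or from any scanner vendor) that puts sections 1 and 2 into working code: a toy signature scanner, a toy "exe compressor" built on zlib, a toy single-byte XOR "crypter", and a toy unpacking engine. The sample file, the signature name "Trojan.Demo.ConnectBack", the "PACK" stub format and the XOR key are all constructed for the demonstration; nothing here is real malware or a real packer format.

```python
from __future__ import annotations

import zlib
from typing import Optional

# Constructed stand-in for a malicious executable: arbitrary bytes, not real
# malware. The repeated "connect back" string plays the role of the part of
# the trojan that a signature would be written for.
SAMPLE = b"MZ\x90\x00" + b"ConnectBack 10.0.0.1:4444 " * 4 + b"\x00" * 32

# Toy signature database (name -> byte pattern). Real scanners use richer
# signature formats; a fixed byte string is enough to show the principle.
SIGNATURES = {
    "Trojan.Demo.ConnectBack": b"ConnectBack 10.0.0.1:4444",
}


def scan(data: bytes) -> list[str]:
    """Signature-based scan: report every signature whose pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def pack(data: bytes) -> bytes:
    """Toy 'exe compressor' (assumed format): a 4-byte stub marker, the
    original size, then the zlib-compressed body. A real packer prepends
    decompression code that rebuilds the program in memory at run time; the
    effect on the file's bytes is the same, which is all a signature
    scanner sees."""
    return b"PACK" + len(data).to_bytes(4, "little") + zlib.compress(data, 9)


def xor_crypt(data: bytes, key: int) -> bytes:
    """Toy 'crypter': single-byte XOR. The same call with the same key decrypts."""
    return bytes(b ^ key for b in data)


def unpack(data: bytes) -> Optional[bytes]:
    """Toy unpacking engine. It only understands the PACK format above; a
    file scrambled by any other tool yields None (nothing recovered)."""
    if len(data) < 8 or not data.startswith(b"PACK"):
        return None
    size = int.from_bytes(data[4:8], "little")
    try:
        body = zlib.decompress(data[8:])
    except zlib.error:
        return None
    return body if len(body) == size else None


def scan_with_unpacker(data: bytes) -> list[str]:
    """Scan the file as stored, then scan whatever the unpacking engine recovers."""
    hits = scan(data)
    inner = unpack(data)
    if inner is not None:
        hits += [h for h in scan(inner) if h not in hits]
    return hits


def demo() -> dict[str, list[str]]:
    """Run the cases the text describes and return the verdict for each."""
    packed = pack(SAMPLE)
    crypted = xor_crypt(SAMPLE, 0x5A)  # key chosen arbitrarily
    return {
        "original, plain scanner": scan(SAMPLE),
        "packed, plain scanner": scan(packed),
        "packed, scanner with unpacking engine": scan_with_unpacker(packed),
        "crypted with unknown tool, scanner with unpacking engine":
            scan_with_unpacker(crypted),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict or 'no match'}")
```

The last case is the practical caveat: an unpacking engine only restores detection for packers and crypters it knows how to reverse (or can emulate). A sample scrambled with a tool the engine does not recognize is no better off than with a plain scanner, which is why a new packer, or a private crypter, is worth so much to an attacker.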
3. Dangers resulting from design flaws
Frequently, malware can be camouflaged because an AV/AT scanner suffers from serious design flaws. Attackers generally know of such flaws and are happy to exploit them. For instance, a minor modification of a malware sample, one that leaves the sample fully functional, may prevent an AV/AT scanner from properly scanning the file and comparing it with the signatures contained in its database. In that case the scanner records no "match" and the sample remains undetected.
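As an added illustration of this class of flaw (example code written for this page, not taken from it, and not describing any real product's bug): a toy container format with a header that declares the length of the code that follows. The "loader", standing in for the operating system, ignores the declared length and runs everything after the header. A naive scanner trusts the header to bound its scan region and treats a truncated header as "nothing to scan", so a single changed header field hides the signature while the program still runs. A robust scanner models what the loader would execute and fails closed. The format "TOY1", the signature and the sample "code" are all constructed assumptions.

```python
from __future__ import annotations

import struct
from typing import Optional

# Constructed toy container format, assumed for illustration only (not a real
# executable format): 4-byte magic, 4-byte little-endian "code length", then
# the code.
HEADER = struct.Struct("<4sI")
MAGIC = b"TOY1"

# Constructed toy signature and sample "code" (NOP sled, marker string, RET).
SIGNATURE = b"ConnectBack 10.0.0.1:4444"
TROJAN_CODE = b"\x90" * 8 + SIGNATURE + b"\xc3"
BENIGN_CODE = b"\x90" * 8 + b"Hello, world" + b"\xc3"


def build_image(code: bytes, declared_len: Optional[int] = None) -> bytes:
    """Assemble a file. declared_len lets an attacker lie in the header."""
    if declared_len is None:
        declared_len = len(code)
    return HEADER.pack(MAGIC, declared_len) + code


def loader_code(image: bytes) -> bytes:
    """Bytes the loader would actually execute: the whole body after the
    header. The declared length is never consulted."""
    magic, _declared = HEADER.unpack_from(image)
    if magic != MAGIC:
        raise ValueError("not a TOY1 image")
    return image[HEADER.size:]


def scan_naive(image: bytes) -> bool:
    """Flawed scanner: bounds the scan region by the header's declared
    length and treats any parse error as 'nothing to scan' (fails open).
    This is the design flaw the section describes, in assumed toy form."""
    try:
        magic, declared = HEADER.unpack_from(image)
    except struct.error:
        return False
    if magic != MAGIC:
        return False
    region = image[HEADER.size:HEADER.size + declared]
    return SIGNATURE in region


def scan_robust(image: bytes) -> str:
    """Scanner that models the loader instead of trusting the header.
    Returns 'malware', 'suspicious' (header inconsistent with the file, or
    unparseable, but no signature hit) or 'clean'."""
    try:
        magic, declared = HEADER.unpack_from(image)
    except struct.error:
        return "suspicious"          # truncated header: fail closed, not open
    if magic != MAGIC:
        return "clean"               # the loader would refuse it, so it cannot run
    body = image[HEADER.size:]       # exactly what the loader would execute
    if SIGNATURE in body:
        return "malware"
    if declared != len(body):
        return "suspicious"          # header lies about the file: flag it
    return "clean"


if __name__ == "__main__":
    cases = {
        "honest trojan": build_image(TROJAN_CODE),
        "trojan with declared length 0": build_image(TROJAN_CODE, declared_len=0),
        "benign program": build_image(BENIGN_CODE),
        "truncated file": b"TOY",
    }
    for name, image in cases.items():
        print(f"{name}: naive={scan_naive(image)} robust={scan_robust(image)}")
```

The two-byte... rather, four-byte change in the length field is the "minor modification": it alters nothing the loader cares about, so the trojan still runs, yet the naive scanner inspects an empty region. The general lesson for scanner design is to scan what will execute, not what the file claims, and to treat malformed input as a reason to alert rather than a reason to skip.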
Last update: January 2005
