First published: 30th June 2007
Kaspersky Lab has released an analytical report, 'The Evolution of Self-Defense Technologies in Malware', by Alisa Shevchenko, a senior malware analyst.
As antivirus protection has developed, virus writers have been forced to find new methods which their creations can use to protect themselves.
Malware self-defense mechanisms can fulfill one or more tasks: hindering detection of a virus by signature-based methods; hindering analysis of the code by virus analysts; hindering detection of a malicious program in the system; and hindering the functionality of security software such as antivirus programs and firewalls.
In her article Alisa Shevchenko tracks the evolution of malware self-defense techniques in the face of increasing pressure from antivirus solutions, and investigates which techniques are likely to develop further.
Until recently, antivirus solutions only analyzed file code, and due to this, the first self-defense technique seen was modification of code in malicious programs. This led to polymorphism and metamorphism, which allow a malicious program to mutate when creating a copy of itself, while retaining full functionality. Naturally, this significantly hinders detection. The article also includes an overview of other self-defense technologies such as code encryption and obfuscation; these technologies are used in order to hinder analysis of malicious code, and when implemented in specific ways can be seen as a type of polymorphism.
Another approach which can be used to hinder detection is the use of packers: dedicated programs which compress and archive files. Packers are commonly used and the variety of packing programs and their level of sophistication continue to grow. Many modern packers, in addition to compressing a source file, also equip it with additional self-defense functions aimed at hindering unpacking and analysis of the file using a debugger.
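Packing of the kind described above is often visible without unpacking the file: compressed or encrypted section bodies have byte entropy close to the 8-bit maximum, while native code and strings sit well below it. The following is an added example, not code from the report: a per-section Shannon-entropy heuristic run over constructed sample section contents; the 7.0 bits/byte cutoff and the size-weighted verdict are assumptions of the example, and the section names merely imitate a packed PE.

```python
from __future__ import annotations
import math
import random
from collections import Counter

# Heuristic cutoff (assumed for this example): compressed or encrypted data
# approaches 8 bits/byte; native code and text usually stay well below 7.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_sections(sections: dict[str, bytes], threshold: float = PACKED_THRESHOLD) -> dict[str, dict]:
    """Score each section and flag those that look compressed or encrypted."""
    report = {}
    for name, data in sections.items():
        h = shannon_entropy(data)
        report[name] = {"size": len(data), "entropy": round(h, 2), "suspicious": h >= threshold}
    return report


def likely_packed(report: dict[str, dict]) -> bool:
    """Verdict: a packed binary carries most of its bytes in high-entropy sections.
    Weighting by size keeps one small compressed resource (an icon or image)
    from flagging an otherwise ordinary file."""
    total = sum(r["size"] for r in report.values())
    if total == 0:
        return False
    hot = sum(r["size"] for r in report.values() if r["suspicious"])
    return hot / total >= 0.5


# Constructed sample data standing in for PE section contents (not a real binary).
rng = random.Random(2007)
SAMPLE_SECTIONS = {
    ".text": b"push ebp; mov ebp, esp; call GetProcAddress; ret\n" * 40,  # code-like bytes
    ".rdata": b"Kaspersky Lab analytical report on self-defense\0" * 30,   # readable strings
    "UPX1": bytes(rng.getrandbits(8) for _ in range(4096)),              # packed payload
}

if __name__ == "__main__":
    rep = classify_sections(SAMPLE_SECTIONS)
    for name, r in rep.items():
        flag = "PACKED?" if r["suspicious"] else "ok"
        print(f"{name:8} {r['size']:6d} bytes  {r['entropy']:.2f} bits/byte  {flag}")
    print("likely packed:", likely_packed(rep))
```

Entropy alone cannot tell a packer from legitimately compressed data, which is why the verdict weighs how much of the file is high-entropy rather than reacting to any single section.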
Malicious programs may also defend themselves against detection by masking their presence in the system. This approach was first used by malicious code for the DOS operating system in 1990, and is now called stealth technology. At the beginning of the new millennium, this approach evolved, resulting in so-called rootkit technologies for the Windows operating system. A large number of rootkits have mechanisms which modify a chain of system calls. Another common type of rootkit technology modifies system data. Modern rootkit technologies aim towards the virtualization and use of system functions – in other words, penetrating even more deeply into the system. Although rootkit technologies do appear to have a future, it's unlikely that they will become highly evolved or widespread in the near future.
Over time, polymorphism and related technologies became less appropriate to the task at hand. The evolution of antivirus technologies has led to signature-based detection methods being squeezed out by behavioral detection methods, and as a result, modifying code is less likely to protect malicious programs from being detected. For the vast majority of today's Trojans, which are unable to self-replicate, polymorphism is not an effective means of self-defense. The appearance of behavior analyzers has caused malicious programs to target specific functions in antivirus solutions. "Of course, sometimes self-defense mechanisms are the only solution; otherwise they would not be so common, as they pose too many disadvantages from the viewpoint of maximum, full-scale defense," notes the author.
On the other hand, some techniques designed to hinder code analysis (e.g. obfuscation) continue to be regularly implemented, in contrast to polymorphism. However, the fact that malicious programs are basically powerless in the face of behavioral analysis points to a likely evolutionary path: Alisa Shevchenko believes that virus writers will learn how to make their creations more 'self-aware', enabling them to evade detection by behavior analysis.
The article concludes with a range of forecasts, including a list of which self-defense technologies are likely to evolve more actively than others:
- Rootkits are moving towards exploiting equipment functions and towards virtualization. This method, however, has not yet reached its peak and probably won’t become a major threat in the years to come, nor will it be widely used.
- Technology which blocks files on disk: two known proof-of-concept programs have demonstrated this approach, so it can be expected to develop in the near future.
- Technologies that detect security utilities and disrupt their operation are already very common and widely used.
In conclusion, Alisa Shevchenko states that although there is no foreseeable end to the arms race between virus writers and antivirus companies in the near future, if all those involved make an effort, it will be possible to slow the process down.