Attackers who pack, or compress, malicious code to make it harder to detect and analyze may have to invent a new technique to smuggle their wares past the corporate gateway.

Encryption, compression and other code modifications are making it harder to analyze malicious code, which ultimately increases the challenge of protecting systems against malware, said Lenny Zeltser, a volunteer handler at the SANS Internet Storm Center and the information security practice leader at Gemini Systems in New York.

“It seems that virtual machine detection is gaining popularity among malware authors, as part of other self-defense techniques, such as detecting the presence of a debugger and other malware analysis tools,” he said. “At the same time, malware analysts are developing more advanced tools and techniques. It’s an arms race,” added Zeltser.

First used to smuggle viruses and worms past perimeter security defenses, and later to crash antivirus programs as “decompression bombs,” compressed file formats such as .rar and .zip have made headlines more than once and are once again being used to attack networks. (Decompression bomb is a term coined by AERAsec security consultant Peter Bieringer to identify an attack that caused many popular antivirus engines to crash when they attempted to decompress gigabytes of data and scan thousands of files for malicious code. Such attacks often resulted in a denial of service against applications or systems because of processing overload.)

In a recent post to the ISC Handler’s Diary, Zeltser notes that a malicious program compressed by a commercial packer, in this case Themida, was captured in the ISC honeypot. He adds that malware can use virtual machine detection as a self-defense mechanism: the program can refuse to run in the presence of virtualization software, such as VMware, which malware analysts often use.
Though they aren’t a new threat, it now appears that there may be ways to thwart such attacks. Zeltser recommends patching the malicious code so that the detection routine never executes, or modifying VMware instances to make it more difficult for the malicious program to detect that it’s running in a virtual machine.

Two ISC readers took it a step further and suggested developing a mechanism to configure non-virtualized systems to look like virtual machines. Zeltser said, “This approach could fool malicious software into thinking that it’s running in an analyst’s environment, and it would refuse to run. This might be an effective way to immunize your systems against certain infections, making it less useful for malware to check whether it’s running within VMware.”

-Shawna McAlearney
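The decompression bombs described above work by making a scanner commit far more resources than the archive's size suggests. The following is an added example, not code from the article or from any product it mentions, showing how a gateway scanner can refuse such a zip before expanding it: it checks the declared sizes, member count and compression ratio from the central directory, and then meters the real decompressed output, since directory sizes are attacker-controlled. The limits and the sample archives are constructed for this example.

```python
import io
import zipfile

# Assumed policy limits for this example (not values from the article).
MAX_TOTAL_UNCOMPRESSED = 100 * 1024 * 1024  # 100 MiB of expanded data per archive
MAX_MEMBERS = 10_000                        # "thousands of files" is itself a signal
MAX_RATIO = 100.0                           # uncompressed:compressed; DEFLATE tops out near 1032:1

def inspect_zip(data: bytes) -> dict:
    """Cheap pre-check: read only the central directory, never extract."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    total_uncompressed = sum(i.file_size for i in infos)
    total_compressed = sum(i.compress_size for i in infos)
    ratio = total_uncompressed / max(total_compressed, 1)
    reasons = []
    if len(infos) > MAX_MEMBERS:
        reasons.append("%d members exceeds limit" % len(infos))
    if total_uncompressed > MAX_TOTAL_UNCOMPRESSED:
        reasons.append("declared %d bytes exceeds budget" % total_uncompressed)
    if ratio > MAX_RATIO:
        reasons.append("compression ratio %.0f:1 is bomb-like" % ratio)
    return {"members": len(infos), "uncompressed": total_uncompressed,
            "compressed": total_compressed, "ratio": ratio,
            "safe_to_expand": not reasons, "reasons": reasons}

def expand_with_budget(data: bytes, budget: int = MAX_TOTAL_UNCOMPRESSED) -> int:
    """Directory sizes can lie, so also meter the actual output: stream each
    member in chunks and abort as soon as the byte budget is exceeded."""
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                while chunk := member.read(64 * 1024):
                    produced += len(chunk)
                    if produced > budget:
                        raise ValueError("budget exceeded after %d bytes" % produced)
    return produced

def build_archive(member_sizes, filler: bytes = b"\0") -> bytes:
    """Constructed test data: members made of repeated filler bytes.
    All-zero filler compresses roughly 1000:1 under DEFLATE, mimicking a bomb."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n, size in enumerate(member_sizes):
            zf.writestr("member%d.bin" % n, filler * size)
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_zip(build_archive([8 * 1024 * 1024])))  # flagged on ratio
```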