Malware vs. anti-malware, 20 years into the fray

From Robert Morris Jr. to mayhem, with tips for practical living

Another common malware trick is to simply disguise the bug du jour using a packer program. A packer, just like the Zip utility you probably keep around to compress and decompress files, squeezes the unsocial program into an unrecognizable format. Then, when the time is right, which is likely these days to be at some random time after it's arrived, the bug unpacks its luggage and starts making a mess of your PC. Other disguise techniques turning up include encryption and, for script-based attacks, obfuscation attempts.

The anti-malware people continue to come up with signatures for both old and new malware programs in all their various polymorphic, packed, encrypted, obfuscated "glory." As you might guess, this isn't easy. Antivirus companies now run labs 24/7 to generate up-to-date signatures for your security programs.

A more modern and efficient way to tackle malware is to look not at what the programs look like, but at what they're capable of doing. This technique is called heuristics. The term itself is taken from the Greek for "rule of thumb," and the practice, as conducted in the human brain, is a combination of creativity plus common sense. In the security-software "brain," it entails applying rules of behavior rather than simple pattern-matching.

For example, your anti-malware scanner might find it a little odd that a new program seems to have the ability to open your Outlook and Gmail address books without requiring any user commands. "Hmmm," the scanner says to itself, "This doesn't look good." And, of course, it's right.

Still another approach is to simply give the suspicious program some virtualized space from which the rest of the system is protected. This is called a sandbox -- to do its business and see what happens. If it tries to dance a fandango on your financial files, we know it's a baddie. Some programs provide for sandboxing; others require administrator setup.

Zeroes and heroes

You may have noticed something with all these anti-malware techniques: They're all reactive. That's not good. But as things stand now, there has to be a problem for the engineers to react to; only then can they release a program update to care of the latest problem. Zero days (a.k.a. 0days) are a by-now-familiar shorthand for security vulnerabilities for which no patch yet exists. Seeing what a zero-day vulnerability means for both sides of the malware fence provides a sense of how each manages the situation.

Malware writers may pass each other news of zero-day discoveries for days or weeks before the makers of the compromised software know there's trouble. In a few cases, researchers who haven't been able to get the attention of a large software vendor have gone public with their information, either to prove they had the knowledge or to shame the manufacturer into doing the right thing and patching up.

But even when it's no longer zero day, the game isn't over. The same day that a zero-day security problem in Vista is fixed, for instance, malware makers start working like beavers on speed to retrofit their malware to use that "fixed" security problem.

What's that you say? Why would they do that when the hole has been patched? They do it because with a gazillion systems running Windows, they know that the sooner they get their rejuvenated trash program out there, the greater number of vulnerable systems it'll still find during the remaining "vulnerability window."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about F-SecureGood GuysMicrosoftMITPLUSSecurityFocusSickSpeedSymantecThe Good GuysVIA

Show Comments