Transform, fragment, hide: new mantra for hackers
Malware is growing stronger as more and more new types of code become difficult to detect and remove.
Security researchers at the Computer Security Institute's trade conference in Orlando have warned that criminally motivated hackers keep refining their working methods and tools, making them harder to trace and block.
The most common approach in this type of malware is code transformation, designed to evade signature-based malware blocking tools; code fragmentation makes removal harder, and rootkits are used to mask the code.
Unlike the large e-mail-spreading worms such as MS Blaster and SQL Slammer, today's malware is mostly designed around intruding into systems.
The main purpose of developing this malware is not only to attack as many systems as possible, but also specifically to steal information and data from the computer.
The ways the code is used are constantly changing. Many black hat hackers now also use "packers" to encode malware and avoid detection. Others vary the routines that decode the code, producing an unlimited number of variants.
A typical example is Swizzor, a Trojan downloader discovered earlier this year. It repackages itself every minute to bypass signature-based detection tools, which only remove what they already know to be malicious. Swizzor also rewrites its own code every hour. Code rewriting is a sophisticated transformation strategy hackers use to bypass blocking systems.
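The following Python is an added illustration, not code from the article, of why a repacking cycle like Swizzor's defeats a hash-based signature while a simple byte-entropy heuristic still flags packed content. The samples are constructed: text stands in for a plain binary, and two deterministic pseudo-random buffers stand in for two repackings of the same payload.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (one repeated byte) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def signature_match(data: bytes, known_hashes: set) -> bool:
    """Signature-style check: exact SHA-256 match against known-bad hashes."""
    return hashlib.sha256(data).hexdigest() in known_hashes


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic: packed or encrypted bodies approach 8 bits/byte."""
    return shannon_entropy(data) >= threshold


def pseudo_random_bytes(seed: bytes, n: int) -> bytes:
    """Deterministic stand-in for a packed body (constructed, not a real sample)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


# Constructed samples: a plain-text-like body and two "repackings" of one payload.
PLAIN_SAMPLE = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 40
PACKED_V1 = pseudo_random_bytes(b"repack-minute-1", 2048)
PACKED_V2 = pseudo_random_bytes(b"repack-minute-2", 2048)


def assess(sample: bytes, known_hashes: set) -> dict:
    """Compare what a signature sees with what an entropy heuristic sees."""
    return {
        "signature_hit": signature_match(sample, known_hashes),
        "packed": looks_packed(sample),
        "entropy": round(shannon_entropy(sample), 2),
    }


if __name__ == "__main__":
    known = {hashlib.sha256(PACKED_V1).hexdigest()}  # only variant 1 was ever seen
    for name, s in (("plain", PLAIN_SAMPLE), ("v1", PACKED_V1), ("v2", PACKED_V2)):
        print(name, assess(s, known))
```

Variant 2 misses the signature entirely yet is flagged by entropy, which is why signature-only tools lose against a one-minute repack cycle.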
Many spyware programs have been upgraded with popular encoders or techniques to avoid detection. Where proprietary encryption algorithms were once used, it is a mistake to use more general or open-source algorithms, said Gerhard Eschelbeck, executive director of Webroot Software in Boulder, Colorado (USA).
Spyware programs also use kernel-level and process-blocking techniques to actively prevent antispyware software from running.
According to Ralph Thomas, program manager for malicious code operations at iDefense, the VeriSign subsidiary in Reston (USA), modern malware is also designed to split itself into several mutually dependent components when installed on a system.
Each fragment or component is able to identify the others. When one element is removed, the remaining components immediately regenerate or reinstall it. That makes the malware hard to remove from an infected computer.
An example of this type of malware is WinTools, which has been around since 2004. It installs as a toolbar with three separate components on the compromised system. Any attempt to remove one of the malware's components simply causes the other components to modify or restore the deleted files.
The fragmented nature of this code makes it harder to write removal scripts and to verify whether all of the malware has actually been removed.
The problem becomes even more complicated when hackers use a rootkit to mask malicious code. Rootkits can be installed at the operating-system level or as a kernel-level module to hide malicious code and programs from malware detection tools.
A malicious program called Haxdoor, a virus variant that stole information from 8,500 computers in 60 countries in October, is one example. Haxdoor steals passwords, keystrokes and screenshots from attacked computers and sends them to remote servers.
It is also used to disable the system firewall and hide itself with a rootkit on the compromised machine.