Dave just happened to be flying back from JFK when a few deep thoughts came to mind about evading the holy grail of automatic malware classification, which he posted on DailyDave:
“Given that avoiding “behavioral signatures” is a matter of calling random NOP-like API calls (i.e. CreateFile + CloseHandle == 1 NOP), Halvar’s program classification techniques involve a structural differencing engine. This has advantages (see his talk for details) in that program structure closely reflects the semantic meaning of a program, as interpreted by a compiler.
So the obvious way, from what I can tell, to defeat a structural differencing algorithm would be to do a static or dynamic analysis of your target program, and for each CALL opcode, change the destination to a dispatcher function. This dispatcher function can then be built to do an O(1) table lookup to find the true destination of the call.”
I like the way Dave thinks. Unfortunately, other folks do too, and all sorts of evasive techniques are commercially available. That means the techniques are available to the bot herders, and it appears in our labs that the herders are distributing most of their bots packed with this stuff now.
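The two evasion ideas quoted above each leave a fingerprint a classifier can look for. As an added example (not code from the post, from DailyDave, or from any lab tool), the Python below shows two defender-side heuristics: collapsing "NOP-like" CreateFile/CloseHandle pairs out of a behavioral trace before signatures are matched, and measuring how concentrated a binary's static CALL targets are, since routing every call through one dispatcher flattens the call graph onto a single address. The trace entries, handle values, call-site addresses and thresholds are all constructed for the demonstration.

```python
"""Added example: two heuristics against behavioral-NOP padding and
call-dispatcher flattening. Every trace, handle and address below is
constructed for illustration; the API names stand in for trace entries
of the same shape a sandbox would log."""
from collections import Counter

# Constructed behavioral trace: (api_name, handle_consumed, handle_returned).
TRACE = [
    ("CreateFile", None, 0x10),   # padding: opened and immediately closed
    ("CloseHandle", 0x10, None),
    ("CreateFile", None, 0x14),   # real work: handle is written before close
    ("WriteFile", 0x14, None),
    ("CloseHandle", 0x14, None),
    ("RegSetValue", None, None),
    ("CreateFile", None, 0x18),   # padding again, separated from the real work
    ("CloseHandle", 0x18, None),
]


def strip_nop_pairs(trace):
    """Drop CreateFile/CloseHandle pairs whose handle is never used in between.

    A handle that is created and then closed without any intervening use
    has no observable effect, so the pair is removed before the trace is
    compared against behavioral signatures."""
    drop = set()
    for i, (api, _h_in, h_out) in enumerate(trace):
        if api != "CreateFile" or h_out is None:
            continue
        # Find the first later event that touches this handle.
        for j in range(i + 1, len(trace)):
            if trace[j][1] == h_out:
                if trace[j][0] == "CloseHandle":
                    drop.update((i, j))
                break
    return [event for k, event in enumerate(trace) if k not in drop]


# Constructed static call edges: (call_site_address, call_target_address).
# NORMAL_CALLS spreads targets across several functions; FLATTENED_CALLS
# sends nearly every CALL to one dispatcher stub at 0x405000.
NORMAL_CALLS = [
    (0x401000, 0x402000), (0x401010, 0x402100), (0x401020, 0x402200),
    (0x401030, 0x402000), (0x401040, 0x402300),
]
FLATTENED_CALLS = [
    (0x401000, 0x405000), (0x401010, 0x405000), (0x401020, 0x405000),
    (0x401030, 0x405000), (0x401040, 0x402300),
]


def dispatcher_ratio(call_edges):
    """Share of CALL sites whose target is the single most common target."""
    if not call_edges:
        return 0.0
    _top_target, count = Counter(t for _, t in call_edges).most_common(1)[0]
    return count / len(call_edges)


def looks_flattened(call_edges, threshold=0.75, min_calls=4):
    """True when one target absorbs most calls: dispatcher-style indirection.

    threshold and min_calls are constructed tuning values, not measured ones."""
    return len(call_edges) >= min_calls and dispatcher_ratio(call_edges) >= threshold


if __name__ == "__main__":
    print("normalized trace:", [e[0] for e in strip_nop_pairs(TRACE)])
    for name, edges in (("normal", NORMAL_CALLS), ("flattened", FLATTENED_CALLS)):
        print(f"{name}: ratio={dispatcher_ratio(edges):.2f} flagged={looks_flattened(edges)}")
```

The normalization step matters more than it looks: it is cheap, and it removes exactly the padding the quoted post describes, so the padding no longer shifts a behavioral signature. The call-concentration check is a heuristic with an obvious false-positive class (a small program that funnels work through one hot helper), so in practice it is a feature for a classifier to weigh alongside Halvar's structural comparison rather than a verdict on its own.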