Automatic virus generators

From Total Malware Info


Author: Vitaly Kiktenko, Virus Analyst.

Over the last two years the number of malicious programs has increased sharply and continues to rise. This is linked to the creation of specialized systems for automatic virus creation, a new stage in the evolution of the anti-virus bypass techniques used in malware development. The goal of such systems is to make the signature check used in most anti-virus products ineffective. Their main idea is the following: automatically produce a new malware modification right after the current modification is added to the anti-virus definitions.

The system determines whether the latest modification is detected by anti-virus software and, if so, automatically creates a new modification using a modified encryption scheme. The new modification is then delivered to users via email.

In this way the criminals are always a step ahead of the anti-virus companies; an example is the email worm Email-Worm.Win32.Warezov.

The system consists of the following parts:

  • Detection check unit. Its task is to find out when the current modification starts being detected by anti-virus products.
  • Polymorphic encryptor. Once detection of the current modification is confirmed, this module mutates it: the body is re-encrypted with new keys and algorithms. New algorithms are generated by substituting and replacing equivalent operations. So, as soon as the AV company releases new anti-virus definitions, the criminals instantly release a new modification of the virus.
  • Delivery system for new modifications, usually a spam bot that sends emails containing the newly compiled virus modifications.

The algorithm of the system described above is shown in Fig. 1.

Figure 1. Virus creation system

The new modification is spread via the Internet and infects users' computers. When it reaches the AV companies, they release urgent updates. After that users update their virus definitions and remove the viruses from their computers. Then the malware generation system also downloads the updated definitions and checks whether the virus is detected. If so, it re-encrypts the malware binaries to make them undetectable and spreads them via spam email. In this way users' computers are infected over and over in an endless loop, while anti-virus definition bases will soon grow to millions of records.

When the polymorphism level is high it becomes very difficult to create a generic detection using simple bit masks. AV companies are moving toward heuristic methods based on behavioral analysis and emulation, which is one of the possible ways of detecting such new virus modifications proactively, without the need to update the AV definitions.
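The following toy model is an added illustration and is not part of the original article or the author's work. It shows, for the mutation rules described in the component list above (new keys, new algorithms, equivalent operations swapped in) and for the emulation-based detection this paragraph mentions, why a fixed byte-mask signature stops matching after every re-encryption while a scan of the image produced by emulating the decryptor still matches. Every name and value is constructed: the "body" is a harmless marker string, the decryptor is a list of byte-wise operations run by a tiny interpreter, and the three "generations" are built by hand as test inputs.

```python
"""Toy model of polymorphic re-encryption versus signature and emulation scans.
Added illustration; all names, bodies and decryptor stubs are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed stand-in for a malware body (harmless text) and a byte-mask
# signature taken from its plaintext.
BODY = b"CONSTRUCTED-SAMPLE-BODY: harmless marker standing in for a payload"
SIGNATURE = b"CONSTRUCTED-SAMPLE-BODY"


def _rol(b: int, n: int) -> int:
    return ((b << n) | (b >> (8 - n))) & 0xFF


def _ror(b: int, n: int) -> int:
    return ((b >> n) | (b << (8 - n))) & 0xFF


# Byte-wise "instructions" the toy decryptor stub can be built from.
OPS = {
    "xor": lambda b, k: b ^ k,
    "add": lambda b, k: (b + k) & 0xFF,
    "sub": lambda b, k: (b - k) & 0xFF,
    "rol": _rol,
    "ror": _ror,
}
# Inverse of each operation (same operand); used only to build test inputs.
INVERSE = {"xor": "xor", "add": "sub", "sub": "add", "rol": "ror", "ror": "rol"}


@dataclass(frozen=True)
class Sample:
    """One generated modification: its decryptor stub plus the encrypted body."""
    decryptor: tuple[tuple[str, int], ...]
    encrypted_body: bytes


def run_decryptor(decryptor, data: bytes) -> bytes:
    """Emulator: apply each stub instruction, in order, to every byte."""
    out = bytes(data)
    for op, k in decryptor:
        out = bytes(OPS[op](b, k) for b in out)
    return out


def build_sample(decryptor, body: bytes = BODY) -> Sample:
    """Construct the encrypted body that `decryptor` turns back into `body`
    by running the inverse operations in reverse order (test-input helper)."""
    enc = body
    for op, k in reversed(decryptor):
        enc = bytes(OPS[INVERSE[op]](b, k) for b in enc)
    return Sample(tuple(decryptor), enc)


def static_body_scan(sample: Sample) -> bool:
    """Byte mask over the raw file: breaks on every new key or algorithm."""
    return SIGNATURE in sample.encrypted_body


def static_stub_scan(sample: Sample, known_stub) -> bool:
    """Byte mask on the decryptor stub itself: breaks as soon as equivalent
    operations are substituted (e.g. `sub 3` rewritten as `add 253`)."""
    return sample.decryptor == tuple(known_stub)


def emulation_scan(sample: Sample, max_steps: int = 64) -> bool:
    """Emulate the stub, then apply the signature to the decrypted image.
    `max_steps` bounds the emulation so a stub cannot keep the scanner busy."""
    if len(sample.decryptor) > max_steps:
        return False
    return SIGNATURE in run_decryptor(sample.decryptor, sample.encrypted_body)


# Three constructed generations of the same body: new key, then new
# algorithm, then the same algorithm with equivalent operations swapped in.
GEN1 = build_sample([("xor", 0x5A)])
GEN2 = build_sample([("xor", 0x17)])
GEN3 = build_sample([("sub", 3), ("ror", 2)])
GEN3_SWAPPED = Sample(
    decryptor=(("add", 253), ("rol", 6)),  # same effect as GEN3's stub
    encrypted_body=GEN3.encrypted_body,
)


def verdicts(sample: Sample) -> dict[str, bool]:
    """Compare the three detection strategies on one sample (stub signature
    written for GEN1)."""
    return {
        "static_body": static_body_scan(sample),
        "static_stub": static_stub_scan(sample, GEN1.decryptor),
        "emulation": emulation_scan(sample),
    }


if __name__ == "__main__":
    for name, s in [("gen1", GEN1), ("gen2", GEN2),
                    ("gen3", GEN3), ("gen3_swapped", GEN3_SWAPPED)]:
        print(name, verdicts(s))
```

Running the block prints one verdict line per generation: the raw-file signature matches none of them, the stub signature matches only the generation it was written for, and the emulation scan matches all four because the decrypted image is identical regardless of key, algorithm or operation substitution. The `max_steps` bound is the part a real emulator cannot do without: the scanner must stop after a fixed budget, which is why emulation is a heuristic rather than a proof that a file is clean.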
