A road to big money: evolution of automation methods in malware development
Maksym Schipka MessageLabs
Technical stream: Wednesday 19 September 2007, 11:00 - 11:40.
Malware writers keep looking for better and better ways to increase the window of vulnerability between the release of malware and AV researchers producing and rolling out signatures. So far, we have seen many attempts to do so: writing heavy polymorphic viruses, utilising packers, altering several bytes that would affect the signature, and releasing many variants of the same malware within a short period of time. What is the next step? I believe we are already witnessing this next step - offline polymorphism. It is much less complicated - and yet more difficult for us to deal with - compared to 'real' or 'online' polymorphism. It hides the algorithm used to morph malware from the AV researcher, while at the same time utilising far more resources to do it than are available on the target box. There is also a different type of offline polymorphism, where the downloader is dispensable and the malware at the downloader's location is changed frequently.
I will examine the statistics MessageLabs has on the appearance of new malware from the same family and, by looking at different variants of Bagle, Warezov, Stormy and others, compare their windows of vulnerability and the changes between variants. After doing so, I will try to deduce what level of automation the bad guys have already achieved and what else they could do in the future, and conclude by drawing some trends in malware automation and offline polymorphism. This should help AV vendors understand the importance of generic signatures and heuristics, as well as give them good justification for spending extra time on those.
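The two measurements the talk is built on, the window of vulnerability per variant and the amount of change between consecutive variants, can be computed from sighting records like this. This is an added illustration, not MessageLabs' code or data: the family names come from the abstract, while the timestamps, variant letters and byte samples are constructed.

```python
from datetime import datetime
from statistics import median

# Constructed sample sightings (not real MessageLabs data): for each variant,
# when the first sample was seen in the mail stream and when a signature
# detecting it was rolled out. Family names are from the abstract; dates are invented.
SIGHTINGS = [
    # family, variant, first_seen, signature_released
    ("Bagle",   "A", "2007-03-01T08:00", "2007-03-01T14:30"),
    ("Bagle",   "B", "2007-03-02T07:15", "2007-03-02T12:00"),
    ("Bagle",   "C", "2007-03-03T06:40", "2007-03-03T10:10"),
    ("Warezov", "A", "2007-03-01T09:00", "2007-03-02T01:00"),
    ("Warezov", "B", "2007-03-01T21:00", "2007-03-02T09:30"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def windows_by_family(rows):
    """Window of vulnerability in hours (first sighting -> signature rollout), per family."""
    out = {}
    for fam, var, seen, sig in rows:
        hours = (_ts(sig) - _ts(seen)).total_seconds() / 3600
        out.setdefault(fam, []).append((var, round(hours, 2)))
    return out

def median_window(rows):
    """Median window per family: the figure a vendor would track over time."""
    return {fam: median(h for _, h in ws) for fam, ws in windows_by_family(rows).items()}

def release_gaps(rows):
    """Hours between consecutive variant releases within a family, ordered by first sighting."""
    by_fam = {}
    for fam, _, seen, _ in rows:
        by_fam.setdefault(fam, []).append(_ts(seen))
    return {fam: [round((b - a).total_seconds() / 3600, 2) for a, b in zip(t, t[1:])]
            for fam, t in ((f, sorted(v)) for f, v in by_fam.items())}

def ngram_jaccard(a: bytes, b: bytes, n: int = 4) -> float:
    """Share of n-byte substrings two samples have in common. A low score between
    variants released hours apart means a fixed-offset signature will keep missing
    the next one, which is the case for generic signatures and heuristics."""
    sa = {a[i:i + n] for i in range(len(a) - n + 1)}
    sb = {b[i:i + n] for i in range(len(b) - n + 1)}
    return len(sa & sb) / len(sa | sb) if sa | sb else 1.0
```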