When the hammer falls - effects of successful widespread disinfection on malware development and direction
Matt McCormack Microsoft
download slides (PDF)
The arms race between the anti-virus industry and concerted malware
developers continues to escalate. Microsoft's Malicious Software Removal
Tool (MSRT) is executed on over half a billion computers every month, giving
it a huge execution base and an unparalleled view of malware operations. In
their first month of targeting by MSRT, the Win32/Cutwail and Win32/Nuwar
families yielded an infection spread of almost half a million distinct machines
between them. MSRT's monthly release provides a unique snapshot of the
Windows ecosystem, and of the sledgehammer effect the tool has on the
targeted families; an effect that can hardly be ignored by the malware's
authors. With so much money at stake, it appears that the Malware
developers do not go down without a fight.
This paper couples analysis of the major malware families targeted by MSRT
with the telemetry it gathers, in order to provide a perspective on how
malware authors quickly respond to the massive impact on their networks
after each release. Analyses of the techniques used to evade the MSRT are
presented. A look at the engineering evolution of each of these families
with respect to MSRT releases is also explored.
VB2010 will take place 29 September - 1 October 2009 at the Westin Bayshore, Vancouver, BC, Canada.