Darwin inside the machines: malware evolution and the consequences for computer security

Peter Ször (Symantec)
Dimitris Iliopoulos and C. Adami (Keck Graduate Institute of Applied Life Sciences)

Recent advances in anti-malware technologies have steered the security industry away from maintaining vast signature databases and into newer defence technologies such as behaviour blocking, application white-listing and others. Most would agree that the reasoning behind this is to keep up with the arms race established between malware writers and the security community almost three decades ago. Still, malware writers have not as yet created new paradigms. For example, malicious code evolution is still largely limited to code pattern changes utilizing polymorphic and metamorphic engines. Each new malware instance retains the exact same core functionality as its ancestor and only alters the way it looks. What if, instead, malware were able to change its function or behaviour autonomously? What if, in the absence of human intervention, computer viruses resembled biological viruses in their ability to adapt to new defence technologies as soon as they came into effect?

In this paper, we will provide the theoretical proof behind malware implementation that closely models Darwinian evolution.

Biological viruses are under constant attack by immune systems and artificial drugs. Yet they systematically manage to evolve new functionalities that circumvent such countermeasures, leading to recurrent epidemics. According to the biological analogy, malware will be able to alter its functionality by autonomously incorporating behaviours freely available to it through the numerous discoverable APIs. The new behaviour profiles would be constantly screened by security software, in the same way that natural selection acts on biological organisms. In the end, the malware instances that are better equipped to survive countermeasures will be able to proliferate more efficiently. Such malware poses a real threat to current detection methods because of the vast number of functions it can adopt, which cannot possibly all be screened for. Furthermore, it is likely that clean program functionality will be favoured amongst such behaviours, since mimicking clean programs shields the malware from behaviour blocking. As a consequence, we predict that behaviour-based virus detection would quickly become ineffective if malware can evolve based on the Darwinian paradigm.
