Right now we are dealing with about 25,000 new malware samples per day. From time to time we remember the old days, when we were almost fighting each other in order to disassemble the latest virus we had received in the lab. Well, what were you expecting? We're freaks 😉
But the truth is that nowadays most malware consists of Trojans, rogueware and the like. We are talking mainly about non-polymorphic, non-viral malware, and the main problem we run into is packers and similar tricks meant to evade AV signature detection, which is not a big deal when you have technologies such as TruPrevent that watch the behaviour of the program rather than the static file itself.
Malware evolves, and so do antimalware technologies. That's why in our last Annual Report I said I expected that this year we would see an increase in the use of old techniques as a way to evade some of the technologies the top AV vendors are using: old virus tricks, mixing virus and Trojan behaviours, and so on. It turns out this change is already happening. In the first week of February a new virus appeared, which we named W32/Sality.AO.
Why is this new variant of a well-known file infector worth mentioning? First, it is smart enough not to be too promiscuous: it does not scan the whole hard drive looking for files to infect, but infects a few files when the malicious code runs and then infects any new file we execute on the computer. Furthermore, it uses fairly complex techniques to infect PE files: entry-point obscuring (EPO), cavity infection, several encryption layers... and not always in the same combination. One sample may be infected using EPO and one encryption layer, another using EPO, cavity and two encryption layers, and so on. As if this weren't enough, it connects to an IRC server to receive commands, and it will also try to download files from the Internet to infect the computer with more malware. It also infects (I'd rather say "modifies") .PHP, .ASP and .HTML files by inserting an iframe tag into them. When any of these "infected" files is opened in a web browser, the iframe leads to an exploit that downloads and runs a new file. That file is double malware: a Trojan downloader that is itself infected with the virus.
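For those who want to see what EPO, appended-code and cavity infections actually leave behind in a PE file, here is an added example (it is not PandaLabs code and contains nothing Sality-specific): a small Python parser that reads the PE section table and reports the generic structural hints such infections tend to produce, namely an entry point that lands in the last section or in a non-executable section, a section that is both writable and executable, and non-zero bytes in the file slack between a section's VirtualSize and its file-aligned SizeOfRawData, which a linker zero-fills and a cavity infector overwrites. The function names, the section name `.xyz` and the three sample binaries built by `build_pe()` are all constructed for this illustration; the EPO sample only models the body hidden in the cavity, not the patched host instruction that transfers control to it.

```python
# Added example (not PandaLabs code, not a Sality signature): generic structural
# file-infector heuristics for PE32 files. Sample binaries are built inline.
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def _align(x, a):
    return (x + a - 1) // a * a


def parse_sections(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec, = struct.unpack_from("<H", data, coff + 2)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20
    entry, = struct.unpack_from("<I", data, opt + 16)       # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars, = struct.unpack_from("<I", data, off + 36)   # Characteristics
        sections.append(dict(name=name.rstrip(b"\0").decode(), vsize=vsize, va=va,
                             rawsize=rawsize, rawptr=rawptr, chars=chars))
    return entry, sections


def infector_indicators(data):
    """Structural hints of file infection; an empty list means nothing odd."""
    entry, sections = parse_sections(data)
    hits, home = [], None
    for s in sections:
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"]):
            home = s
    if home is None:
        hits.append("entry point 0x%x outside every section" % entry)
    else:
        if not home["chars"] & IMAGE_SCN_MEM_EXECUTE:
            hits.append("entry point in non-executable section %s" % home["name"])
        if len(sections) > 1 and home is sections[-1]:
            hits.append("entry point in last section %s" % home["name"])
    for s in sections:
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            hits.append("section %s is writable and executable" % s["name"])
        # The gap between VirtualSize and the file-aligned SizeOfRawData is
        # zero-filled by the linker; a cavity infector writes its code there.
        if s["rawsize"] > s["vsize"]:
            slack = data[s["rawptr"] + s["vsize"]:s["rawptr"] + s["rawsize"]]
            if any(slack):
                hits.append("non-zero bytes in slack of section %s (possible cavity)" % s["name"])
    return hits


def build_pe(entry_rva, sections):
    """Assemble a minimal PE32 from (name, characteristics, payload, vsize) tuples.

    A payload longer than vsize lands in the section's file slack, which is
    exactly how the constructed cavity sample below is made.
    """
    n = len(sections)
    hdr_size = _align(0x40 + 4 + 20 + 0xE0 + 40 * n, FILE_ALIGN)
    raw_ptr, va, headers, body = hdr_size, SECT_ALIGN, [], b""
    for name, chars, payload, vsize in sections:
        rawsize = _align(len(payload), FILE_ALIGN)
        headers.append(struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                   vsize, va, rawsize, raw_ptr, 0, 0, 0, 0, chars))
        body += payload.ljust(rawsize, b"\0")
        raw_ptr += rawsize
        va += _align(max(vsize, rawsize), SECT_ALIGN)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0xE0, 0x102)    # i386, PE32 opt header
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, SECT_ALIGN, 0,
                      0x400000, SECT_ALIGN, FILE_ALIGN).ljust(0xE0, b"\0")
    image = dos + b"PE\0\0" + coff + opt + b"".join(headers)
    return image.ljust(hdr_size, b"\0") + body


HOST_CODE = b"\x55\x89\xe5\x31\xc0\x5d\xc3"    # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
PAYLOAD = b"\x60\xe8\x00\x00\x00\x00\x61\xc3"  # pushad; call $+5; popad; ret (stand-in virus body)


def sample_clean():
    return build_pe(0x1000, [(".text", CODE, HOST_CODE, len(HOST_CODE)),
                             (".data", DATA, b"\0" * 16, 16)])


def sample_appended():
    # Classic appender: a new W+X last section holds the body, entry point moved into it.
    return build_pe(0x3000, [(".text", CODE, HOST_CODE, len(HOST_CODE)),
                             (".data", DATA, b"\0" * 16, 16),
                             (".xyz", CODE | IMAGE_SCN_MEM_WRITE, PAYLOAD, len(PAYLOAD))])


def sample_cavity():
    # Cavity + EPO: entry point untouched, body hidden in the .text file slack.
    stuffed = HOST_CODE.ljust(0x80, b"\0") + PAYLOAD
    return build_pe(0x1000, [(".text", CODE, stuffed, len(HOST_CODE)),
                             (".data", DATA, b"\0" * 16, 16)])


if __name__ == "__main__":
    for label, fn in (("clean", sample_clean), ("appended", sample_appended), ("cavity", sample_cavity)):
        print(label, infector_indicators(fn()) or "no indicators")
```

None of these checks is a detection on its own (plenty of packed but legitimate binaries trip the W+X and last-section rules), which is precisely why a family that varies EPO, cavity and encryption layers per sample pushes you towards behavioural monitoring rather than static signatures.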
And here we were, missing some good old polymorphic and self-replicating action. Another variant of W32/Sality just came in. Looks like we're not going to get much sleep tonight.