As the malware threat landscape continues to evolve, hackers constantly change their techniques to defeat the detection technologies vendors develop. Using increasingly sophisticated methods to evade antivirus products, they remain relentless in their pursuit of damaging IT systems and gaining access to personal information.

In the past, hackers used polymorphism and metamorphism to generate a constant stream of new variants of viruses and worms. Through polymorphism, the virus re-encrypts its body under a different key and rewrites the decryptor on every infection, so that no fixed byte sequence survives for signature-based technologies to match. The antivirus industry eventually responded with emulation: the engine executes the suspect code in a virtual CPU so that the mutating decryptor runs and unpacks the constant body in emulated memory, where it can be detected by other means (signature and heuristics). This approach was dependent on the researcher's access to the polymorphic engine, meaning its logic had to be decoded before protection for specific mutations could be developed.

Hackers have shifted their interest from fame (among shady peers) to profit, and go after financial gain by developing new and innovative ways to slip below the radar. Some of these methods are genuinely innovative and show out-of-the-box thinking applied to crime. One example is the custom HTML injection used by banker Trojans, which inserts extra fields into a bank's web page as it is rendered in the victim's browser, to obtain protected information such as credentials and account details.

As we begin to map the evolution of malware, several themes emerge around stealth and camouflage techniques, including:

  • Custom run-time packers (compression)
  • Server-side polymorphism

A major risk to security is the emergence of server-side polymorphism, or “Crimeware as a Service (CaaS)”, in which the polymorphic engine does not reside within the virus code itself, but remotely on a server. Two forms of server-side polymorphism are known today: the type that distributes mutated variants of malware into the wild in volume, re-encoding the sample on the server so that each download carries a different file hash; and the type used against PCs that are already part of a botnet, where a specific bot variant can be told to mutate via a command over HTTP. This is called crimeware as a service because the mutation engine, and with it the viral code being served, does not reside on the host but in the cloud, much like a software-as-a-service platform. In other words, CaaS provides malware on demand to the infected host.
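To make the two points above concrete (why file hashes fail against server-side polymorphism, and why emulation that unpacks the body still works), here is an added toy example that is not part of the original article or any real crimeware. It models the "server" as a packer that re-encodes the same benign payload with a random XOR key and random junk on every request, and the "emulator" as code that follows the decryptor's own layout to recover the constant body. The container format (`MAGIC`, key, junk length), the payload bytes, and all function names are assumptions made for this example only.

```python
import hashlib
import random
import struct

# Constructed, benign stand-in for the constant "viral body" that a polymorphic
# engine hides behind a changing wrapper. Not real malware.
PAYLOAD = b"BENIGN-DEMO-BODY: the part that never changes between variants"

# Byte pattern a signature engine looks for in the *unpacked* body.
BODY_SIGNATURE = b"BENIGN-DEMO-BODY"

# Hypothetical container header for this toy packer (an assumption, not a real format).
MAGIC = b"PSP1"


def seeded_rng(seed: int):
    """Deterministic byte source so the demo is reproducible offline."""
    r = random.Random(seed)
    return lambda n: bytes(r.getrandbits(8) for _ in range(n))


def server_side_pack(payload: bytes, rng) -> bytes:
    """Toy stand-in for a server-side polymorphic engine.

    Each call yields a differently encoded copy of the same payload: a random
    single-byte XOR key, a random amount of junk padding, then the encoded body.
    Layout (hypothetical): MAGIC | key(1) | junk_len(2, big-endian) | junk | body ^ key
    """
    key = rng(1)[0]
    junk_len = rng(1)[0] % 64
    junk = rng(junk_len)
    encoded = bytes(b ^ key for b in payload)
    return MAGIC + bytes([key]) + struct.pack(">H", junk_len) + junk + encoded


def naive_hash_signature(sample: bytes) -> str:
    """Whole-file hash 'signature' of the kind server-side polymorphism defeats."""
    return hashlib.sha256(sample).hexdigest()


def emulate_unpack(sample: bytes) -> bytes:
    """Toy emulator: replay the decryptor's logic to recover the constant body.

    A real AV emulator executes the decryptor stub on a virtual CPU; here the
    'stub' is the fixed container layout above, so unpacking is a parse plus XOR.
    Raises ValueError for anything that is not a well-formed sample.
    """
    if not sample.startswith(MAGIC) or len(sample) < len(MAGIC) + 3:
        raise ValueError("not a packed sample")
    key = sample[len(MAGIC)]
    junk_len = struct.unpack(">H", sample[len(MAGIC) + 1:len(MAGIC) + 3])[0]
    body_start = len(MAGIC) + 3 + junk_len
    if body_start > len(sample):
        raise ValueError("truncated sample")
    return bytes(b ^ key for b in sample[body_start:])


def detect_after_emulation(sample: bytes) -> bool:
    """Signature match on the unpacked body instead of on the mutated file."""
    try:
        return BODY_SIGNATURE in emulate_unpack(sample)
    except ValueError:
        return False


def demo(n_variants: int = 5, seed: int = 1234) -> dict:
    """Serve n_variants 'downloads' of the same payload and compare both strategies."""
    rng = seeded_rng(seed)
    samples = [server_side_pack(PAYLOAD, rng) for _ in range(n_variants)]
    known_bad = naive_hash_signature(samples[0])  # hash of the first sample ever analysed
    hash_hits = sum(1 for s in samples if naive_hash_signature(s) == known_bad)
    emu_hits = sum(1 for s in samples if detect_after_emulation(s))
    return {
        "variants": n_variants,
        "unique_hashes": len({naive_hash_signature(s) for s in samples}),
        "hash_hits": hash_hits,        # the known hash only ever matches itself
        "emulation_hits": emu_hits,    # every variant unpacks to the same body
    }


if __name__ == "__main__":
    print(demo())
```

The hash-based check only recognises the exact bytes it has already seen, so a server that re-packs on every request renders it useless; the emulation path keys on what the variants have in common after unpacking, which is the point of the emulators described above. The same limitation the article notes still applies: the "emulator" here only works because it knows the packer's layout.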

For the complete article written by me, please see the posting at SC Magazine online.