Hackers working for organised crime are getting more
sophisticated in their attempts to cover their tracks and ensure
that the malware they write is hard to detect and
remove.
According to security specialists at the Computer Security
Institute (CSI) in the US, the most popular techniques are code
mutation, which evades signature-based malware blocking tools; code
fragmentation, splitting the malware into several pieces so that
removing one of them does not remove the infection; and code
concealment using rootkits.
The intention is to keep the malware as covert as possible so that
it can work ‘under the covers’, perhaps logging keystrokes or
stealing passwords. Such code is quite different from fast-spreading
network worms such as MS Blaster and SQL Slammer, whose noisy,
indiscriminate propagation caused havoc in the past.
An increasingly popular implementation is polymorphic code that
constantly mutates. Many malicious hackers use so-called "packers" to
compress or encrypt the malware body so that its stored bytes no
longer match any signature, and then vary the routine that decrypts
the code at run time, producing a virtually unlimited number of
variants that all do the same thing. The decrypted code that ends up
running in memory is the same every time, which is why unpacking a
sample in an emulator or sandbox before scanning it is the usual
counter.
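The following Python is an added illustration, not code from the article or from any malware it names. It models the mechanism with simple byte transforms in place of a real decryptor stub: the same constructed payload is "packed" several times, each time with a random key, a randomly chosen transform and a random junk prefix, so every output hashes differently and a fixed byte-string signature taken from the plaintext never matches the packed form. Unpacking first (the analogue of letting the sample run its decryptor in an emulator) recovers the identical payload and the signature matches again. The payload, signature string and layout are constructed for this example.

```python
"""Toy polymorphic packer: one payload, different bytes on every run."""
import hashlib
import random
from typing import Optional

# Constructed, benign stand-in for a malware body that a scanner
# would normally hold a signature for.
PAYLOAD = b"LOG_KEYSTROKES; SEND_TO_DROP_SITE"
# Constructed signature: a fixed byte string cut from the plaintext.
SIGNATURE = b"LOG_KEYSTROKES"

KEY_LEN = 8


def pack(payload: bytes, rng: Optional[random.Random] = None) -> bytes:
    """Return a freshly 'packed' blob for the same payload.

    Layout: junk_len(1) | junk | transform(1) | key(8) | encoded body.
    The junk length, key and transform are random, so repeated calls
    give different bytes (and different hashes) for identical input.
    """
    rng = rng or random.SystemRandom()
    transform = rng.choice([0, 1, 2])
    key = bytes(rng.randrange(256) for _ in range(KEY_LEN))
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(4, 16)))
    body = bytearray()
    for i, b in enumerate(payload):
        k = key[i % KEY_LEN]
        if transform == 0:          # plain XOR
            body.append(b ^ k)
        elif transform == 1:        # byte-wise add
            body.append((b + k) & 0xFF)
        else:                       # XOR, then mix in the position
            body.append(((b ^ k) + i) & 0xFF)
    return bytes([len(junk)]) + junk + bytes([transform]) + key + bytes(body)


def unpack(blob: bytes) -> bytes:
    """Invert pack(): the step an emulator performs by running the stub."""
    pos = 1 + blob[0]                       # skip junk prefix
    transform = blob[pos]
    key = blob[pos + 1: pos + 1 + KEY_LEN]
    body = blob[pos + 1 + KEY_LEN:]
    out = bytearray()
    for i, c in enumerate(body):
        k = key[i % KEY_LEN]
        if transform == 0:
            out.append(c ^ k)
        elif transform == 1:
            out.append((c - k) & 0xFF)
        else:
            out.append(((c - i) & 0xFF) ^ k)
    return bytes(out)


def signature_hit(data: bytes) -> bool:
    """Naive signature scanner: is the fixed byte string present?"""
    return SIGNATURE in data


def scan_after_unpacking(blob: bytes) -> bool:
    """Scanner that unpacks first, then applies the same signature."""
    return signature_hit(unpack(blob))


def demo(n: int = 5) -> dict:
    """Pack PAYLOAD n times and summarise what each scanning strategy sees."""
    blobs = [pack(PAYLOAD) for _ in range(n)]
    return {
        "distinct_hashes": len({hashlib.sha256(b).hexdigest() for b in blobs}),
        "raw_signature_hits": sum(signature_hit(b) for b in blobs),
        "hits_after_unpacking": sum(scan_after_unpacking(b) for b in blobs),
        "payload_recovered": all(unpack(b) == PAYLOAD for b in blobs),
    }


if __name__ == "__main__":
    print(demo())
```

Running it reports n distinct hashes, zero raw signature hits and n hits after unpacking: the file-level signature is useless against the packed form, while the decrypted body is as recognisable as ever. A real packer hides the key and transform inside executable stub code rather than a fixed header, which is why practical unpacking means executing or emulating the stub rather than parsing a layout.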
Swizzor, for example, a Trojan downloader discovered earlier this
year, repacked itself once a minute to get past signature-based
tools, which block only what they have already been told to
recognise. It then recompiled itself once an hour.
Given the sophistication of these methods, the ‘good guys’ face an
uphill task in countering the threats, unless they start to think
and act like hackers themselves.