Hackers working for organised crime are getting more sophisticated in their attempts to cover their tracks and ensure that the malware they write is hard to detect and remove.
According to security specialists at the Computer Security Institute (CSI) in the US, the most popular techniques involve code mutation methods to evade detection by signature-based malware blocking tools; code fragmentation that makes removal harder; and code concealment using rootkits.
The intention is to keep the malware as covert as possible so that it can work ‘under the covers’, perhaps logging keystrokes or stealing passwords. Such code is completely different from the mass-mailing worms such as MS Blaster and SQL Slammer, which have caused havoc in the past.
An increasingly popular implementation technique is polymorphic code that constantly mutates. Many malicious hackers use so-called "packers" to encrypt malware to evade detection, and then use different routines for decrypting the code to create a virtually unlimited number of mutations.
Swizzor, for example, which is a Trojan download program discovered earlier this year, repacked itself once a minute to get past signature-based tools that work only if they know precisely what to block. It then recompiled itself once an hour.
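The following is an added example, not code from the article or from CSI, that shows from the defender's side why the repacking described above defeats hash-based signatures and what a simple complementary heuristic looks like. It compares an exact-hash "signature" check with a Shannon-entropy check of the kind analysts use to flag likely packed or encrypted content. All samples are constructed in the script (a plain-text buffer and two seeded pseudo-random buffers standing in for two repacked variants of the same program); the 7.0 bits-per-byte threshold is an assumed, commonly used rule of thumb, not a value from the article.

```python
import hashlib
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_hex(data: bytes) -> str:
    """Exact-match 'signature' as a signature-based scanner would store it."""
    return hashlib.sha256(data).hexdigest()


def matches_known_hash(data: bytes, known_hashes: set) -> bool:
    """Signature check: only an identical file body can ever match."""
    return sha256_hex(data) in known_hashes


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic: encrypted/compressed bodies have near-uniform byte frequencies.
    threshold is an assumed rule-of-thumb value, not taken from the article."""
    return shannon_entropy(data) >= threshold


def triage(data: bytes, known_hashes: set) -> dict:
    """Run both checks so the analyst sees where each one fails or fires."""
    entropy = shannon_entropy(data)
    return {
        "hash_hit": matches_known_hash(data, known_hashes),
        "entropy": round(entropy, 3),
        "high_entropy": entropy >= 7.0,
    }


# --- constructed sample data (not real malware) ---------------------------
PLAIN_SAMPLE = (
    b"This is an ordinary unencrypted file body: mostly ASCII text with repeats. " * 40
)
_rng = random.Random(1234)  # fixed seed so the run is reproducible
# Two buffers of seeded pseudo-random bytes stand in for two repackings of the
# same program: same behaviour once unpacked, different bytes on disk.
PACKED_VARIANT_A = bytes(_rng.getrandbits(8) for _ in range(4096))
PACKED_VARIANT_B = bytes(_rng.getrandbits(8) for _ in range(4096))

# The scanner only ever saw variant A, so its signature set holds that hash.
KNOWN_BAD_HASHES = {sha256_hex(PACKED_VARIANT_A)}


if __name__ == "__main__":
    for name, body in (
        ("plain text", PLAIN_SAMPLE),
        ("packed variant A (in signature DB)", PACKED_VARIANT_A),
        ("packed variant B (repacked a minute later)", PACKED_VARIANT_B),
    ):
        print(f"{name:45s} {triage(body, KNOWN_BAD_HASHES)}")
```

Running it shows the signature check firing only on variant A, while the entropy check flags both variants and leaves the plain-text buffer alone. The entropy heuristic is a triage signal rather than a verdict: legitimate compressed archives, media files and encrypted documents score just as high, so in practice it is combined with other indicators (unusual section layout, a tiny import table, behaviour observed in a sandbox) before anything is blocked.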
Given the complexity and sophistication of these methods, the ‘good guys’ face an uphill task in countering the threats – unless they start to act like hackers themselves.