February 28, 2005
Mutating malware: the coming storm
There are some remarkably powerful tools out there for changing the appearance of malware on disk. For instance, with Morphine, £50 buys you a unique, mutated version of your malware, and guaranteeing that the result will not be detected by a given antivirus (AV) scanner costs a mere £10 more per scanner. Another interesting tool is Execryptor, which will likewise mutate the code of any piece of software (or malware!) you choose.
What these tools highlight is a new problem with the old signature-based way of doing security. Signature-based detection, the mainstay of the AV industry today, rests on the assumption that any given instance of malware (typically a virus or worm) is very common: worms and viruses replicate, otherwise they are not dangerous. The expense and effort of developing a signature is only justified for malware that replicates on a large scale.
But attackers can now customize each malware instance for each particular task or attack, and tools such as Morphine and Execryptor make this trivial. The consequence is an explosion of unique malware instances, and signatures stop working as a defense because the same instance is never seen twice. By the time a signature has been developed for a specific instance, it is too late to stop that instance, and nothing like it will be encountered again, so the signature is useless from the day it ships.
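To make the argument concrete, here is an added example (not code from the original post, and not Morphine or Execryptor, whose internals are not described here) that stands in for what such a packer does. A constructed, harmless byte string plays the role of the malware; a fixed substring of it plays the role of the AV signature; a toy XOR "packer" with a random per-instance key plays the role of the mutation tool. The names PAYLOAD, SIGNATURE, mutate, unpack, signature_scan and unpacked_scan are all inventions for this illustration.

```python
import hashlib
import os

# Constructed stand-in for a malicious routine: plain text, nothing executable.
PAYLOAD = b"echo this stands in for a malicious routine; it is only text"

# A classic AV signature: a fixed byte pattern lifted from the known sample.
SIGNATURE = b"malicious routine"

HEADER = b"TOYPK"   # hypothetical packer magic; real packers differ
KEY_LEN = 4


def signature_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Static on-disk signature match: True if the pattern appears anywhere."""
    return signature in sample


def mutate(payload: bytes, key: bytes = b"") -> bytes:
    """Toy packer: XOR-encode the payload with a random key and prepend a
    header carrying that key. Each call with a fresh key yields a byte-unique
    file whose unpacked form (and therefore behaviour) is identical."""
    if not key:
        key = os.urandom(KEY_LEN)
        while key == bytes(KEY_LEN):      # an all-zero key would leave it in the clear
            key = os.urandom(KEY_LEN)
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    encoded = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(payload))
    return HEADER + key + encoded


def unpack(sample: bytes) -> bytes:
    """The decoder every variant carries: recover the original payload.
    Unpacked samples are returned unchanged."""
    if not sample.startswith(HEADER):
        return sample
    key = sample[len(HEADER):len(HEADER) + KEY_LEN]
    encoded = sample[len(HEADER) + KEY_LEN:]
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(encoded))


def unpacked_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """What a scanner has to do instead: match against the unpacked form."""
    return signature in unpack(sample)


def demo(n_variants: int = 5):
    """Build n mutated copies and count: distinct file hashes, static signature
    hits on the raw bytes, and hits after unpacking."""
    variants = [mutate(PAYLOAD) for _ in range(n_variants)]
    distinct_hashes = len({hashlib.sha256(v).hexdigest() for v in variants})
    static_hits = sum(signature_scan(v) for v in variants)
    unpacked_hits = sum(unpacked_scan(v) for v in variants)
    return distinct_hashes, static_hits, unpacked_hits


if __name__ == "__main__":
    print("signature matches original sample:", signature_scan(PAYLOAD))
    distinct, static, unpacked = demo(5)
    print("5 variants -> %d distinct hashes, %d static hits, %d hits after unpacking"
          % (distinct, static, unpacked))
```

Every run of demo produces five files with five different hashes, none of which the static signature matches, yet all of which decode to the same payload. That is the whole of the problem described above: a hash or byte-pattern signature written for one instance is worthless against the next. The only scan that still works is the one that looks at what the file does (here, at what it unpacks to) rather than what it looks like on disk, which is why scanners have to unpack or emulate samples; a real mutation tool answers that by varying the decoder stub itself, which this toy leaves fixed.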
The storm is coming...
