A study carried out by PandaLabs has revealed that 78 percent of new malware uses some kind of file packing to evade detection. A packer is a program used to reduce the size of an executable file, generally through compression. However, these programs can also be used to protect copies of malicious code installed on computers or to make it more difficult for antivirus solutions to detect them when they are distributed.
There are many different packers. According to the PandaLabs study, UPX is the most common and is used in 15 percent of the malware detected. PECompact and PE, are used in 10 percent of cases. However, according to PandaLabs, there are more than 500 types of packers that could be used by cyber-crooks.
“In essence it is a stealth technique. The increasing use of these programs highlights how keen Internet criminals are for their creations to go undetected,” explains Luis Corrons, technical director of PandaLabs.
Very often, these tools allow cyber-crooks to combine several malicious files in a single packer. This both hinders detection and allows a malicious code to download copies of other strains more effectively.
“The problem is when to detect this malicious code. Most are packed with legal programs, and it is not possible to distinguish between goodware and malware just by the packer. What is the solution? In the case of emails, there has to be a system to detect them before they reach the computer. Security solutions have to be able to detect packed malware before users execute it,” confirms Corrons.
Some of the most prominent malicious codes in recent months used packers, such as the Conycspa.AJ Trojan, which downloaded several other malicious codes, the Clagge.G Trojan and the Rinbot.Q worm, which spread by exploiting several Windows vulnerabilities.
Other stealth techniques
Another important and relatively unknown danger comes in the form of binders or joiners. These are programs designed to join two or more files together. These tools are used by hackers to hide their malicious creations within an apparently inoffensive file. For example, the execution of a Trojan could be combined with the viewing of a photo with a .jpg extension. When a user views the photo, they will also be running the Trojan.
PandaLabs has already detected several examples that use this technique, such as some of the Trojans in the Mitglieder family (which open an image when they are run).
Another method of protecting files that contain malware is scrambling. This is a series of files, similar to packers, that can hide executable files. This technique involves encrypting the code of the malware itself. To be able to run when they reach a computer, these malicious codes have an internal decoder. The worms in the Feebs family, for example, use this technique to hide themselves.
“The most dangerous thing about this technique is the customization. The sharpest hackers can create their own encryption codes. Malware concealed in this way will be the most difficult to detect,” explains Corrons.