Who Digs the Elephant Trap?
Thursday May 28, 2009 at 4:10 am CST
Posted by Igor Muttik
It is ironic, but the rapid growth rate of malware attacks is partly due to how successful AV technology has become. If AV scanners were not so successful in blocking Trojans and viruses, there would be little need for the bad guys to write new ones. One can even say that malware writers are digging an elephant trap for all computer users because lots of new malware demands a response from AV, which can contribute to the slower operation of computers for all of us.
Figuratively speaking, the primary tools that the bad guys are using to dig their side of the trap and evade detection are packers (like UPX and Petite) and protectors (like Armadillo and Themida). Packers are legitimately used to reduce the size of programs (saving disk space), while protectors are legitimately used to prevent patching, hacking or reverse engineering. For malware production, however, packers and protectors are useful as they can often obfuscate original malware beyond recognition by AV.
Commercial protectors are especially loved by malware writers because they can put a protective envelope on top of, say, their spam-bot and it will be well hidden inside. Additionally, it will now really look more like a legitimate file obfuscated with the same protector. Malware writers use this trick more and more frequently.
As a result, on any average computer, AV can frequently encounter, say, a Themida-packed computer game and a Themida-packed spam-bot. To determine what is what an AV product has to know what is “under” the protecting envelope. Unfortunately, this simply cannot be done very quickly. It takes computing cycles…..
We would urge all developers who use software protection to think twice before doing so. There is an increasing risk that your legitimate files will be blocked by AV software by mistake or that there will be an unpleasant slowdown due to long analysis. Either can cause troubles for users. If you feel that you really must use an obfuscating protector at least digitally sign your files. That would reduce the level of suspicion by introducing traceability to the source.
The point is that software protectors are just not a secure software technology any longer because they have been misused so much. Do not use it if you can avoid it.
May 30th, 2009 at 05:01
As a very ordinary user indeed I am very confused indeed! But not by the excellent clarity and authority (it seems to me) of your writing Igor. What i would like to read is the real truth about what an it-dimwit like me can actually DO, and if there is a browser out there that caters for the non-geek, and has built-in safeguards, but above all, has a ‘help’ system that I can study off-line. I recently installed Opera, but simply cannot understand how to work it, for all the beauty of its interface. Please try to find time to help me. Bob.
June 14th, 2009 at 23:15
[...] Muttik opens a recent post by suggesting that anti-malware technology is digging an elephant trap for us all because of the [...]
August 27th, 2009 at 09:18
[...] previous noted on our blog, the growth rate of malware (notably PC malware) is partly due to the success of [...]