Polymorphic malware attacks and in-line scanning


Russell Dean Vines
03.29.2007


The number of malware threats (viruses, worms and Trojan horses) keeps growing rapidly, and so does the financial loss these exploits cause, largely because malware authors are increasingly focused on specific financial targets. Malware writers are finding lucrative employment writing targeted code that lasts longer in the wild, is harder to detect, and uses newly developed mutation engines ("X-morphic", that is, polymorphic and metamorphic) that make each copy of the code genuinely different from the last.

Because many of the newer polymorphic viruses and other malware change their own code each time they replicate, antivirus programs that recognize a sample by matching a fixed byte signature have difficulty detecting them.

A polymorphic virus changes its appearance in each infected host program by encrypting its body with a different key each time, carrying only a small decryption routine in the clear; other malware authors get a similar effect with "packers", which compress or encrypt the executable so that the file on disk bears little resemblance to the code that actually runs. Swizzor is an example of a Trojan horse that repacked itself once a minute to get past signature-based tools, and also recompiled itself once every hour.

Swizzor is malicious and extremely difficult-to-remove adware, a variant of the Lop parasite. It uses random filenames and registry key names to hinder detection and removal. When running, it attempts to connect to lop.com, maximumexperience.com, trinityacquisitions.com and other questionable sites, and it generates a large number of popup adverts.

To keep ahead of zero-day threats and identify more kinds of malware, vendors have therefore been developing products that go beyond the original signature-based scanning model and add anomaly detection, heuristic scanning (including emulating a suspect file's decryption routine to expose the body underneath it), behavior blocking and in-line scanning. This has been effective, but it also puts pressure on the customer to deploy several scanning layers and to make frequent, large investments in antivirus products.
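The following Python is an added illustration of the two preceding points, not code from the article and not any vendor's engine. It builds a toy "polymorphic" sample (a constant decoder stub, a fresh 8-byte XOR key, and a body encrypted under that key) and then runs three detectors over later generations: a whole-file hash shipped after the first sample, a byte signature applied to the file as stored, and a heuristic route that recognises the stub, replays the decoder, and applies the same byte signature to the recovered body. The payload, the signature string and the stub bytes are all constructed for the example.

```python
import hashlib
import os
from typing import Optional

# Constructed stand-in for a malware body. It is plain text; only the way it
# is re-encrypted for each generation matters here.
PAYLOAD = b"CONSTRUCTED SAMPLE BODY -- not real malware, only a stand-in"

# Byte pattern inside the plaintext body that a signature database would
# carry for this family (constructed for the example).
BODY_SIGNATURE = b"SAMPLE BODY"

# Decoder stub. This toy keeps it identical in every generation; a real
# polymorphic engine mutates the stub as well (junk instructions, register
# swaps), which is why a stub signature on its own is not a complete answer.
STUB = b"\x90STUB:xor8:v1\x90"
KEY_LEN = 8


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def generate_variant(payload: bytes = PAYLOAD, key: Optional[bytes] = None) -> bytes:
    """One generation of the sample: stub + key + body encrypted under a fresh key."""
    if key is None:
        key = os.urandom(KEY_LEN)
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    return STUB + key + _xor(payload, key)


def emulate_decode(blob: bytes) -> bytes:
    """What the stub does at run time, replayed by the scanner instead of executed."""
    key = blob[len(STUB):len(STUB) + KEY_LEN]
    return _xor(blob[len(STUB) + KEY_LEN:], key)


def file_hash(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def detect_by_hash(blob: bytes, known_hashes: set) -> bool:
    """Whole-file hash signature on the file exactly as stored."""
    return file_hash(blob) in known_hashes


def detect_by_raw_signature(blob: bytes) -> bool:
    """Byte signature applied to the stored file. Fails: the body is encrypted."""
    return BODY_SIGNATURE in blob


def detect_by_emulation(blob: bytes) -> bool:
    """Heuristic route: recognise the decoder, replay it, then apply the body signature."""
    return blob.startswith(STUB) and BODY_SIGNATURE in emulate_decode(blob)


def evaluate(generations: int = 5) -> dict:
    """Ship a hash for the first sample seen, then test later generations against it."""
    first = generate_variant()
    known = {file_hash(first)}
    later = [generate_variant() for _ in range(generations)]
    return {
        "hash_hits": sum(detect_by_hash(v, known) for v in later),
        "raw_signature_hits": sum(detect_by_raw_signature(v) for v in later),
        "emulation_hits": sum(detect_by_emulation(v) for v in later),
        "all_decode_to_same_body": all(emulate_decode(v) == PAYLOAD for v in later),
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(name, value)
```

Across five fresh generations the hash and the raw byte signature score zero hits, while the emulation route catches every one, because the only thing the key change alters is the stored bytes, not the behaviour. That is the gap the heuristic and behavior-based layers described above are meant to close; it also shows why an engine that mutates the stub too (as the comment notes) pushes vendors toward emulation and behavior blocking rather than ever-longer signature lists.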

An in-line scanner is a fairly new type of malware scanner that monitors incoming and outgoing email protocol traffic -- such as SMTP, POP3 and IMAP -- and can also examine HTTP and FTP traffic passing on the customer's network. It is usually built into the firewall and can be a valuable addition to both server and desktop-based anti-malware implementations.

In-line scanning has its own limitations, however. Scanning is often restricted to well-known ports, such as HTTP on TCP port 80, so it can miss malware delivered over a non-standard port. Configuring the scanner to inspect every port, on the other hand, would likely slow the network considerably and make the approach impractical for many environments. A further drawback is that an in-line scanner sees only what crosses the wire, not what happens on the desktop: it cannot look inside SSL-encrypted sessions, and it can miss email attachments in formats it does not unpack, an encrypted archive being the obvious example.
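To make the port and encryption caveats concrete, here is an added Python model of the decision an in-line scanner makes per flow; it is not the article's code or any product's logic. The flows, ports and the default scan list are constructed for the example. It classifies each flow by its first client bytes (HTTP request line, TLS ClientHello record header, SMTP EHLO/HELO) rather than by port, and reports what a port-list configuration hands to the scanning engine versus a scan-everything configuration.

```python
# Constructed flows (destination port, first client bytes). None of this is captured traffic.
HTTP_REQ = b"GET /update.exe HTTP/1.1\r\nHost: example.test\r\n\r\n"
SMTP_HELLO = b"EHLO mail.example.test\r\n"
# TLS record header: content type 0x16 (handshake), version 3.1, record length,
# then handshake type 0x01 (ClientHello). The remainder is zero-filled here.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + bytes(32)

FLOWS = [
    (80, HTTP_REQ),
    (8081, HTTP_REQ),          # same request, non-standard port
    (443, TLS_CLIENT_HELLO),   # HTTPS: opaque after the handshake
    (25, SMTP_HELLO),
    (2525, SMTP_HELLO),        # SMTP on an alternate port
]

# Ports a typical configuration hands to the scanning engine (assumed list).
DEFAULT_SCANNED_PORTS = {80, 25, 110, 143, 21}

SCANNED = "inspected: protocol parsed, objects handed to the scanning engine"
NOT_INSPECTED = "not inspected: port is not on the scan list"
ENCRYPTED = "inspected, but encrypted: nothing to scan without TLS interception"
UNKNOWN = "inspected, but protocol not recognised"

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_by_content(payload: bytes) -> str:
    """Identify the application protocol from the payload itself, ignoring the port."""
    if payload.startswith(HTTP_METHODS):
        return "http"
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload[:5].upper() in (b"EHLO ", b"HELO "):
        return "smtp"
    return "unknown"


def scanner_decision(port, payload, scanned_ports=DEFAULT_SCANNED_PORTS, all_ports=False):
    """What the in-line scanner does with one flow under a given configuration."""
    if not all_ports and port not in scanned_ports:
        return NOT_INSPECTED
    proto = classify_by_content(payload)
    if proto == "tls":
        return ENCRYPTED
    if proto in ("http", "smtp"):
        return SCANNED
    return UNKNOWN


def blind_spots(flows=FLOWS, scanned_ports=DEFAULT_SCANNED_PORTS):
    """Ports carrying plaintext HTTP/SMTP that the port list never sends to the engine."""
    return [port for port, payload in flows
            if classify_by_content(payload) in ("http", "smtp")
            and scanner_decision(port, payload, scanned_ports) == NOT_INSPECTED]


def report(flows=FLOWS, all_ports=False):
    return [(port, classify_by_content(payload),
             scanner_decision(port, payload, all_ports=all_ports))
            for port, payload in flows]


if __name__ == "__main__":
    print("port-list configuration:")
    for row in report():
        print("  ", row)
    print("scan-all-ports configuration:")
    for row in report(all_ports=True):
        print("  ", row)
    print("plaintext flows the port list misses:", blind_spots())
```

With the port list, the HTTP request on 8081 and the SMTP session on 2525 are never inspected at all. Switching to all ports fixes those two, at the throughput cost the article describes, but the HTTPS flow still yields nothing to scan: identifying the protocol is the easy part, and only TLS interception (or scanning on the endpoint) gets at the content.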

While antimalware vendors continue to work on these and other issues, the best solution for your customer is usually a combination of techniques and products: in-line scanning plus signature-based tools, backed by a rapid-response policy for the threats that get through.

Remember, the bad guys are coming at you from many directions, and it's just not good business practice to rely solely on one type of protection.

About the author
Russell Dean Vines is a bestselling author, Chief Security Advisor for Gotham Technology Group, LLC, and former President of the RDV Group. His most recent book is The CISSP and CAP Prep Guide, published by John Wiley & Sons.

