Archive

Archive for March, 2008

Panda ActiveScan 2.0

March 31st, 2008 24 comments

We've been working very hard over the last few months to integrate all our online scanners (ActiveScan 1.0, NanoScan & TotalScan) into a single new scanner that rules them all. The result is the new Panda ActiveScan 2.0 (www.pandasecurity.com/activescan) which we're about ready to publish between today and tomorrow.

In addition to detecting and disinfecting all types of malware (virus, worms, trojans, ad/spyware, rootkits, etc.), it also integrates some of our latest detection technologies which we have been playing with:

  • Genetic Heuristics Engine to detect unknown malware and new variants.
  • Specialized heuristics for cybercrime and identity theft trojans.
  • Anti-rootkit technology for detecting acitvely running rootkits.
  • Scanning from the cloud uses Collective Intelligence community detections of malware & goodware processes loaded in memory.

One of the new and interesting things we're doing with ActiveScan 2.0 is tracking the infection rates of PCs that are infected even though they are using an up-to-date antivirus. And we're also tracking this on a per-vendor basis. Therefore we are able to see the percentage of Symantec users who are infected even though they are up-to-date, McAfee users, Trend users, Panda users, Kaspersky users, etc.


Last year I published a research study about infection rates on protected systems where we saw that a whopping 23% of the PCs that had up-to-date antivirus products were actually infected with malware.

Categories: Malware, Utils Tags:

Packer (r)evolution

March 19th, 2008 8 comments

We
know for sure that cyber-criminals use private tools to check AV detection prior to releasing new malware in the wild, making sure it goes undetected by
AV signatures at the time of release. As AV companies identify new packers and
are able to inspect inside them (or simply identify the malicious packer itself),
the bad guys are releasing those which are not detected by most AV.

 

This
has transformed the packer world significantly. The "big name packers" are
decreasingly being used by malware. By contrast new packers types are surging
which have two main characteristics: (a) they are not widely used in order to
stay below the radar and (b) they use obfuscation or anti-debugging techniques.


What
we're seeing is that:

  • Increasingly,
    malware families use their own 'customized' or ‘private’
    packers, which are not recognized by most AV engines.
  • There's
    a large variety of packers, each with its own little variations, being
    used by a reduced number of malware variants.


The
strategy these criminals are following is to quickly develop customized
variants of packers and use them in very few samples. By the time the AV
companies identify the samples and add the unpacking routine to their engines,
they already have a new batch of packing variations in store which is being
applied to the next batch of samples.


As
an exercise we’ve analyzed all the samples Panda has seen in-the-wild (actively
infecting two or more different sites) since August 2007 to March 2008 and
looked at the ‘big name packers’ used by these:

 

It’s
interesting to see how the ‘big name packers’ such as UPX, PECompact, Themida, PEtite
and NSPack are dropping in use, while smaller packers such as nPack, PolyEnE and
EXECryptor have increased in a significant way.

 

But what’s most interesting is what is not seen in the above summary
chart, and that is the ‘customized’ or ‘private’ packers. We know for a fact
that approximately 90% of malware uses some sort of packing or obfuscation
technique, yet the proportion of private, non ‘big name packers’ is increasing
rapidly.

Could
this be the start of the
long-tail of packers?

But
when we try to analyze the true reasons behind this evolution in packer use
that’s when it starts getting really interesting. Other than the obvious reason
which is that bad guys are trying to make our jobs harder at the lab, how come
they started creating customized and private packer versions on a very regular
basis?

As
this is a cat and mouse game, the mice’s next move is directly determined by
the cat’s strategy for catching the mice. If we apply this example to the
packer/malware world, there are two main events in the AV industry which I
believe have driven malware authors to go into ‘packer-craze’:

  1. The
    addition of many unpacking routines in AV engines as new packers emerged.
  2. Starting
    to detect malware based on its packing properties without unpacking it
    (multi-packed files, packers used exclusively for malicious purposes,
    etc.).

Now
I’m not saying the above actions are wrong. They were necessary at the time in
order to correctly protect customers and continue being necessary today if we
want to keep the pace.


I
remember a conversation with my colleague Mark from Symantec last year where we
talked about precisely this issue. If we start detecting all packers
proactively, what will the bad guys do next? I guess we’re about to see as the
packer problematic has completely blown out of proportion.

Categories: behavior analysis, Packers Tags: