ECommerceTimes.com

Encrypted Virus Code: New Spin on Old Trick?


Viruses that carry encrypted code are nothing new to hackers or to security developers. New advisories, however, warn of viruses that go a step further and also modify the executable portion of the file. Security firms disagree on the actual size of the threat, but if it materializes, it could force antivirus software makers to redesign their detection engines, possibly making them slower and more difficult to use.



Some Internet security companies are warning about the dangers they say exist from a new level of cyber attacks based on dynamic code obfuscation. However, makers of top-rated antivirus protection software claim such warnings only amount to a new spin on an old hacker tactic.

Dynamic code obfuscation warnings have raised concern that such attacks could render virus signatures useless. A virus that carries its body in encrypted form hides the payload from a scanner's byte-pattern signatures while the file sits on disk or travels over the network, and decrypts it only once it is running on the infected computer.

The signature problem arises because each visitor to a malicious Web site can be served a copy encrypted under a different key from the one used for the previous visitor, so a signature extracted from one copy does not match the next. The tactic itself, however, has been around for years.

"There is nothing new with hackers using encrypted code. Hackers have been doing this for years with viruses," David Perry, global director of education for security software firm TrendMicro, told the E-Commerce Times.

The warnings being issued now describe what used to be called "polymorphism" or "mutation," he claimed.

"Most viruses today are encrypted," Perry added.

Something's Different

Some viruses are encrypted, Marco Peretti, CTO of New Hampshire-based BeyondTrust, acknowledged. However, the executable portion of the malicious code is not, he explained. BeyondTrust develops enterprise security products.

"In existing virus files, the main executable files remain the same," Peretti said.

Hackers are now modifying the executable file itself, according to Peretti, and detecting that can be a big challenge for conventional antivirus software.

One of BeyondTrust's products is designed to enforce a computing best practice: running users with the least privilege they need.

IT managers can reduce the risk of encrypted viruses by running computers in a least-privileged environment, Peretti noted. Various products on the market help IT managers lock down computers to achieve this goal.

"Intrusive code would need administrative privileges to load kernel drivers," he suggested as an example.

Pack, Unpack

The technique called "code obfuscation" is nothing new, claimed David Marcus, security research and communications manager for McAfee Avert Labs. Scanning those hidden files is something antivirus software already knows how to do, he added.

"We deal with this every day," Marcus said. "Hackers pack the actual codes with an encryption program. We unpack them to analyze the content," he emphasized.

The only new possibility in the reports of innovative virus strategies, according to Marcus, is how hackers may be encrypting their payloads. Hackers may be using a new packing algorithm, for instance.

"If so, when we discover it, we may have to write a new unpacker to deal with it. We will have to wait and see, and look at the sample codes if they appear," Marcus concluded.

However, Peretti said that every time the virus spreads from machine to machine, its signature changes. Antivirus products can only take pieces out of the code and analyze it for signs of virus, he added, noting that the detection process is flawed.
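The three positions above (a per-copy key defeats a signature on the body; the decryptor stub stays constant, so the scanner can match it or unpack the body first; and once the stub itself is mutated, the known-stub unpacker breaks too) can be shown with a toy model. This is an added example, not code from the article or from any of the vendors it quotes. The "payload" is a harmless text string standing in for a virus body, the cipher is a one-byte XOR loop standing in for a real decryptor, and the stub bytes, filler byte, keys and signatures are all constructed for the demo.

```python
"""Toy model of an encrypted (polymorphic) virus body versus signature scanning.

Added example, not code from the article or any vendor it quotes. All inputs
are constructed for the demo: the 'payload' is harmless text, the 'stub' is a
fixed marker rather than real opcodes, and the signatures are arbitrary.
"""
import os
from typing import Dict, List, Optional

# Constructed stand-in for the virus body (text, not machine code). The point
# is only that this byte sequence is identical in every infected copy.
PAYLOAD = b"DEMO-PAYLOAD: copy self to the next host, then display a message"

# Constructed stand-in for the decryptor stub: the part of an encrypted virus
# that must stay in cleartext so the CPU can run it. In a real sample it is a
# short loop of opcodes; here it is a fixed marker followed by the key byte.
STUB_MARKER = b"\x8b\x1e\x31\xc0\xe2"   # constructed bytes
FILLER = b"\x90"                         # constructed "junk" byte

# Signatures an AV engine might extract, one from each part of the file.
BODY_SIGNATURE = b"DEMO-PAYLOAD"         # taken from the cleartext body
STUB_SIGNATURE = STUB_MARKER             # taken from the constant decryptor


def xor_bytes(data: bytes, key: int) -> bytes:
    """One-byte XOR loop: the simplest decryptor a virus can carry."""
    return bytes(b ^ (key & 0xFF) for b in data)


def random_key() -> int:
    """Fresh non-zero key per copy (key 0 would leave the body in cleartext)."""
    return os.urandom(1)[0] | 0x01


def build_copy(payload: bytes, key: Optional[int] = None, mutate_stub: bool = False) -> bytes:
    """One infected copy: decryptor stub, one-byte key, body XORed under that key.

    With mutate_stub=True a filler byte is interleaved into the stub, standing in
    for the junk instructions a polymorphic engine inserts so the stub changes
    shape from copy to copy (the 'modified executable' Peretti describes). A real
    mutated stub would still execute; this toy only needs to stop matching.
    """
    if key is None:
        key = random_key()
    stub = STUB_MARKER
    if mutate_stub:
        stub = b"".join(bytes([b]) + FILLER for b in STUB_MARKER)
    return stub + bytes([key & 0xFF]) + xor_bytes(payload, key)


def unpack(sample: bytes) -> Optional[bytes]:
    """What an AV unpacker does for a *known* stub: recognise it, read the key,
    undo the loop. Returns None for an unrecognised stub, which is the case in
    which, as Marcus puts it, a new unpacker has to be written."""
    if not sample.startswith(STUB_MARKER):
        return None
    key = sample[len(STUB_MARKER)]
    return xor_bytes(sample[len(STUB_MARKER) + 1:], key)


def scan(sample: bytes) -> Dict[str, bool]:
    """Three plain byte-pattern strategies over one sample:
    body_sig: body signature matched against the raw file (defeated by encryption)
    stub_sig: stub signature matched against the raw file (survives re-keying only)
    unpacked: body signature matched after the unpacker has run
    """
    decrypted = unpack(sample)
    return {
        "body_sig": BODY_SIGNATURE in sample,
        "stub_sig": STUB_SIGNATURE in sample,
        "unpacked": decrypted is not None and BODY_SIGNATURE in decrypted,
    }


def demo() -> List[Dict[str, bool]]:
    """Three copies as they would travel from machine to machine, each under a
    new key, then a fourth whose stub has been mutated as well."""
    results = [scan(build_copy(PAYLOAD, key)) for key in (0x37, 0x5B, 0xA5)]
    results.append(scan(build_copy(PAYLOAD, 0x37, mutate_stub=True)))
    return results


if __name__ == "__main__":
    for i, result in enumerate(demo(), 1):
        print(f"copy {i}: {result}")
```

The first three copies produce `body_sig: False` (the re-keyed body never contains the cleartext pattern) but `stub_sig: True` and `unpacked: True`, which is why a scanner that knows the stub still catches them. The fourth copy, with the stub mutated, fails all three checks until the unpacker is taught the new stub shape. Real engines respond to this with emulation or heuristics rather than per-stub unpackers, which is the cost in engine complexity the article's sources are arguing about.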

Not a Trend

Both Marcus and TrendMicro's Perry said the antivirus companies are unconcerned by the reports of obfuscated virus code. The warnings are nothing more than product spin, Perry said.

"People are just circulating old stories," he explained.

Perry sees two trends in viruses going on today. One is that virus writers are mounting smaller attacks on specific groups of computer users. The other is that hackers are recycling the same code previously used but are trying to make it look different.

"That is where the idea that hackers are encrypting code comes from," he said. "But this is nothing new code-wise."

Web Aid

BeyondTrust's Peretti said it is easy for hackers to test their encrypted, hidden virus components using various Web sites set up for consumers to check suspicious files. He offered as an example www.virustotal.com.

The Web site provides a free service for consumers to upload files for scanning by 28 antivirus software products. However, Peretti said this type of Web site makes it easier for hackers to encrypt their virus codes and test the effectiveness of the hidden portions to escape detection.

"This looks like a lost battle to me. A hacker can start with an old virus code and change it repeatedly. The modified codes can bypass detection. There is no simple solution available," he declared.

No Proof Yet

Nobody has actually observed any new virus strain using the obfuscated code. However, Peretti is convinced a sample will appear soon.

When a proof of concept example is found, the files will start triggering false positives in AV scans, Peretti predicted, but users won't be able to do much of anything about it, since the antivirus software will not be able to identify the source of the assumed rogue code.

To combat this threat, antivirus software makers will have to redesign their detection engines, making them slower to run and more complicated to use, he added.

TrendMicro's Perry agrees that nobody has seen the innovative virus encryption. If it is more than a possibility, though, he expects it to surface soon.

March, April and May have been busy times for new virus attacks in past years, he noted, and the unusually quiet interval now taking place may be the lull before the storm.

"Things are very quiet now. But it will get busy with new types of attacks soon," he warned. "Hackers are doing their homework on attacking Vista."

By Jack M. Germain