Igor Muttik
Senior Architect

Who Digs the Elephant Trap?

Thursday, May 28, 2009 at 4:10am by Igor Muttik

It is ironic, but the rapid growth rate of malware attacks is partly due to how successful AV technology has become. If AV scanners were not so successful in blocking Trojans and viruses, there would be little need for the bad guys to write new ones. One can even say that malware writers are digging an elephant trap for all computer users because lots of new malware demands a response from AV, which can contribute to the slower operation of computers for all of us.

Figuratively speaking, the primary tools that the bad guys are using to dig their side of the trap and evade detection are packers (like UPX and Petite) and protectors (like Armadillo and Themida). Packers are legitimately used to reduce the size of programs (saving disk space), while protectors are legitimately used to prevent patching, hacking or reverse engineering. For malware production, however, packers and protectors are useful as they can often obfuscate original malware beyond recognition by AV.

Commercial protectors are especially loved by malware writers because they can put a protective envelope on top of, say, their spam-bot and it will be well hidden inside. Additionally, it will now really look more like a legitimate file obfuscated with the same protector. Malware writers use this trick more and more frequently.

As a result, on any average computer, AV can frequently encounter, say, a Themida-packed computer game and a Themida-packed spam-bot. To determine which is which, an AV product has to know what is “under” the protecting envelope. Unfortunately, this simply cannot be done very quickly. It takes computing cycles.

We would urge all developers who use software protection to think twice before doing so. There is an increasing risk that your legitimate files will be blocked by AV software by mistake, or that there will be an unpleasant slowdown due to long analysis. Either can cause trouble for users. If you feel that you really must use an obfuscating protector, at least digitally sign your files. That would reduce the level of suspicion by introducing traceability to the source.

The point is that software protectors are just not a secure software technology any longer, because they have been misused so much. Do not use them if you can avoid it.


Comments (4)

  • Alexey February 14, 2011 6:06AM

    Interesting point of view.
    Antivirus developers, instead of doing their original job, are trying to shift it to application developers.
    You are wrong. We, as application developers, don’t have to care about antiviruses. It’s antiviruses that should care about how to make it right. Let everybody do their own job. If you can’t write a reliable antivirus, leave the market. Today we have a lot of so-called antiviruses which can hardly be called such.

  • jeje j January 10, 2011 3:26PM

    From what I can tell, you want all of the developers to stop protecting their software?

    If we do not use these protections then we lose profits. You may have heard about software crackers?

    These companies need to put in a way to scan the original file before it can be protected and, if found positive, deny the action.

    But instead you persist for all developers to lose profits!

  • Richard October 2, 2010 5:33AM

    The solution is not to get software authors to stop using protection (on which our business partly depends), it’s to get the protection companies and anti-virus people to start collaborating to solve the problem. But the antivirus crowd don’t particularly care since it’s not their income that is being harmed.

  • Bob May 30, 2009 5:01AM

    As a very ordinary user indeed I am very confused indeed! But not by the excellent clarity and authority (it seems to me) of your writing, Igor. What I would like to read is the real truth about what an IT-dimwit like me can actually DO, and if there is a browser out there that caters for the non-geek, and has built-in safeguards, but above all, has a ‘help’ system that I can study off-line. I recently installed Opera, but simply cannot understand how to work it, for all the beauty of its interface. Please try to find time to help me. Bob.