The Way Business Is Moving published by
Issue Date: June 2007

The new stealth threats

21 June 2007

78% of new malware uses file packing to evade detection.
A study carried out by PandaLabs has revealed that 78% of new malware uses some kind of file packing to evade detection. A packer is a program used to reduce the size of an executable file, generally through compression. However, these programs can also be used to protect copies of malicious code installed on computers or to make it more difficult for antivirus solutions to detect them when they are distributed.
"There are many different packers," explains Jeremy Matthews, CE of Panda Software South Africa. "According to the PandaLabs study, UPX is the most common and is used in 15% of the malware detected. PECompact and PE, are used in 10% of cases. However, there are more than 500 types of packers that could be used by cyber-crooks."
Very often, these tools allow cyber-crooks to combine several malicious files in a single packer. This both hinders detection and allows a malicious code to download copies of other strains more effectively.
"The problem is when to detect this malicious code. Most are packed with legal programs, and it is not possible to distinguish between goodware and malware just by the packer. What is the solution? In the case of e-mails, there has to be a system to detect them before they reach the computer. Security solutions have to be able to detect packed malware before users execute it," confirms Matthews.
Some of the most prominent malicious codes in recent months used packers, such as the Conycspa.AJ Trojan, which downloaded several other malicious codes, the Clagge.G Trojan and the Rinbot.Q worm, which spread by exploiting several Windows vulnerabilities.
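Packer use can be triaged statically from an executable's PE section table. The sketch below is an added example, not PandaLabs code: it flags the default UPX section names and high-entropy sections in constructed, non-executable sample files. The 7.2 bits-per-byte threshold and all function names are assumptions. As the article notes, a hit means "packed", not "malicious".

```python
import math, struct
from collections import Counter

UPX_NAMES = {"UPX0", "UPX1", "UPX2"}  # default UPX section names
ENTROPY_LIMIT = 7.2  # assumed cut-off, bits per byte; compressed data nears 8.0

def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def packer_indicators(pe):
    """Return (section, reason) pairs for PE sections that look packed."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (nsect,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    hits = []
    for i in range(nsect):
        raw, _vs, _va, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        name = raw.rstrip(b"\0").decode("ascii", "replace")
        if name in UPX_NAMES:
            hits.append((name, "UPX section name"))
        if entropy(pe[rptr:rptr + rsize]) > ENTROPY_LIMIT:
            hits.append((name, "high entropy"))
    return hits

def build_sample(sections):
    """Constructed PE skeleton (headers, section table, raw data); not runnable."""
    hdr = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", hdr, 0x3C, 64)  # e_lfanew: PE header at offset 64
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    ptr = len(hdr) + 40 * len(sections)
    table = body = b""
    for name, data in sections:
        table += struct.pack("<8sIIII16x", name.encode(), len(data), 0,
                             len(data), ptr + len(body))
        body += data
    return bytes(hdr) + table + body

DENSE = bytes(range(256)) * 16  # constructed stand-in for compressed data
UPX_LIKE = build_sample([("UPX0", b""), ("UPX1", DENSE), (".rsrc", b"\0" * 512)])
RENAMED = build_sample([(".text", DENSE), (".rsrc", b"\0" * 512)])
PLAIN = build_sample([(".text", b"\x90\xc3" * 256), (".data", b"\0" * 512)])
```

The `RENAMED` sample shows why a name check alone is weak: with the section names changed, only the entropy signal remains.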
Another important and relatively unknown danger comes in the form of binders or joiners. These are programs designed to join two or more files together.
These tools are used by hackers to hide their malicious creations within an apparently inoffensive file. For example, the execution of a Trojan could be combined with the viewing of a photo with a .jpg extension. When a user views the photo, they will also be running the Trojan.
Another method of protecting files that contain malware is scrambling. This is a series of files, similar to packers, that can hide executable files.
This technique involves encrypting the code of the malware itself. To be able to run when they reach a computer, these malicious codes have an internal decoder. The worms in the Feebs family, for example, use this technique to hide themselves.
"The most dangerous thing about this technique is the customisation. The sharpest hackers can create their own encryption codes. Malware concealed in this way will be the most difficult to detect," concludes Matthews.
All users that want to know whether their computers have been attacked by this or other malicious code can use TotalScan (which now detects one million threats) or NanoScan beta, the free, online solutions available at:
For more information contact Alex Matthews, +27 (0)21 683 3899.
