Malware writers are taking their cat-and-mouse game with antivirus software makers up another level, using block ciphers that can even get the malware white-listed.
Kaspersky Labs said evidence of the block ciphers are starting to appear in banking Trojan programs in Brazil, making it hard for antivirus products to detect, let alone neutralize them.
“When used to encrypt the contents of malware executables, block ciphers can cause malware detection and analysis systems not to work properly. Block-cipher encrypted malicious links, for example, can be downloaded and analyzed, but not detected as malicious. If that happens enough, the malicious links can even become whitelisted – exempt from further checks altogether,” it said in a blog post.
It said a Kaspersky Lab expert came across the group of files, which he identified as Trojan-Banker.Win32.Delf.vh, while analyzing some potentially malicious links from Brazil.
The files contained encrypted malware that turned out to be a block cipher.
On the other hand, Kaspersky said administrators of the sites on which the malicious files are hosted will not be able to identify them. As such, the malware can remain untouched.
It added the creators of the Delf banking Trojan update mirror sites with new versions of the malware every couple of days, altering the encryption algorithm to complicate detection even more.
A separate article on PC World said this may thwart most antivirus software that rely on searching for patterns of data that are alike or similar to its virus definitions.
“Even more unfortunate, the wildcard characters could be hidden in another type of seemingly useful file (e.g. .jpeg files) that actually displays an image, and therefore, might not trigger the virus scanner at all. Could it get even worse? Yes, but to my knowledge, most, if not all, virus scanners also are incapable of determining what will happen when the decryption script is run–that is, they don’t actually execute the code to find out what will happen,” it said. — TJD, GMA News
View full post on National Cyber Security » Virus/Malware/Worms