Awareness in worms: shutdown in the face of antiviral analysis


This is one of those cases where one wonders why it didn't happen sooner: marrying malware to an awareness of its surroundings so that it can take evasive action.

Leave aside that the worm, called Atak, seems to have a modest payload that may attack other worms: (a) that may merely be a proof-of-function effort, or (b) Atak may be one of a growing family of malware that seeks to persevere by destroying its competitors. The important thing is that Atak goes beyond the multiple layers of passive armoring used to thwart detection and removal:

"It is standard for worms to have layers of encryption--or armoring--to keep out snoopers, but this goes way beyond that. It tries actively to detect if it is being analyzed by antivirus research tools. If it thinks it is being analyzed, it stops running and shuts down."

Now that worms have moved from passive defense to active evasion, one can easily enough look beyond this to envision worms that go on the attack, very likely a selective attack chosen according to the worm's environment and the analyzer it detects.
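The behavior described in the quoted article, a sample that stops running when it believes it is under analysis, shows up in a sandbox as an almost immediate exit with none of the side effects self-propagating code normally produces. The Python below is an added illustration, not code from the original post, from the article it cites, or from any analysis product: it flags a single run for that early-bailout pattern and then compares two runs of the same sample, one with analysis tooling visible and one with it hidden, to tell analysis-aware shutdown apart from a sample that is simply inert. The event records, the 2-second and side-effect thresholds, and the function names are constructed for the example.

```python
"""Heuristic triage of sandbox run logs for analysis-aware shutdown.

Added illustration (not from the article): a worm that stops running when it
believes it is being analyzed leaves a recognizable trace in a sandbox. The
process exits almost immediately and performs none of the side effects that
self-propagating code normally does. Comparing two runs of the same sample,
one with analysis tooling visible and one with it hidden, makes the evasion
explicit. Event records and thresholds below are constructed for the example.
"""
from dataclasses import dataclass

# Event kinds that show the sample actually did something observable
SIDE_EFFECTS = {"file_write", "registry_set", "network_connect", "process_create"}


@dataclass(frozen=True)
class Event:
    t_ms: int       # milliseconds since the sample was launched
    kind: str       # e.g. "process_start", "file_write", "process_exit"
    detail: str = ""


def summarize(events):
    """Return (lifetime_ms, side_effect_count, exit_seen) for one sandbox run.

    lifetime_ms is None when no process_exit was recorded, i.e. the sample was
    still running when the sandbox timed out.
    """
    start = min((e.t_ms for e in events if e.kind == "process_start"), default=0)
    exits = [e.t_ms for e in events if e.kind == "process_exit"]
    lifetime = (exits[0] - start) if exits else None
    effects = sum(1 for e in events if e.kind in SIDE_EFFECTS)
    return lifetime, effects, bool(exits)


def early_bailout(events, max_lifetime_ms=2000, min_effects=1):
    """True when the sample exits quickly without doing anything observable.

    Thresholds are constructed for the example; a real sandbox would tune them
    against its own baseline of benign and malicious runs.
    """
    lifetime, effects, exited = summarize(events)
    return exited and lifetime <= max_lifetime_ms and effects < min_effects


def differential_verdict(run_visible, run_hidden):
    """Compare a run with analysis tooling visible against one with it hidden.

    'analysis-aware': the sample bails out only while tooling is visible.
    'inert': it does nothing observable in either configuration.
    'no evasion observed': it behaves the same (and does something) in both.
    """
    bail_visible = early_bailout(run_visible)
    bail_hidden = early_bailout(run_hidden)
    if bail_visible and not bail_hidden:
        return "analysis-aware"
    if bail_visible and bail_hidden:
        return "inert"
    return "no evasion observed"


# Constructed sample runs: one imaginary sample observed under two configurations.
RUN_WITH_TOOLS = [
    Event(0, "process_start", "sample.exe"),
    Event(35, "process_exit", "code=0"),        # quits 35 ms in, nothing done
]
RUN_TOOLS_HIDDEN = [
    Event(0, "process_start", "sample.exe"),
    Event(410, "file_write", "copy of itself to a system directory"),  # constructed
    Event(620, "registry_set", "autorun value"),                       # constructed
    Event(900, "network_connect", "10.0.0.7:445"),                     # constructed
    Event(5000, "process_exit", "code=0"),
]

if __name__ == "__main__":
    for name, run in (("tools visible", RUN_WITH_TOOLS), ("tools hidden", RUN_TOOLS_HIDDEN)):
        print(name, summarize(run), "early bailout:", early_bailout(run))
    print("verdict:", differential_verdict(RUN_WITH_TOOLS, RUN_TOOLS_HIDDEN))  # analysis-aware
```

The single-run check on its own is weak, since a crashing or mis-configured sample also exits early; the differential comparison is what turns "exited quickly" into evidence that the exit depended on what the sample could see of its environment.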

Worm sleeps to avoid detection
By Munir Kotadia
July 13, 2004

