
ICG Risk Blog - [ Awareness in worms: shutdown in the face of antiviral analysis ]

Awareness in worms: shutdown in the face of antiviral analysis


This is one of those developments that makes one wonder why it didn't happen sooner: marrying malware to an awareness of its surroundings so that it can take evasive action.

Leave aside that the worm, called Atak, seems to have a modest payload that may attack other worms: (a) that may merely be a proof-of-function effort, or (b) it may be one of a growing family of malware that seeks to persevere by destroying its competitors. The important thing is that Atak goes beyond the multiple levels of passive armoring to thwart detection and removal:

"It is standard for worms to have layers of encryption--or armoring--to keep out snoopers, but this goes way beyond that. It tries actively to detect if it is being analyzed by antivirus research tools. If it thinks it is being analyzed, it stops running and shuts down."

Now that worms have moved from passive defense to active evasion, it is easy enough to look beyond this and envision worms that go on the attack, very likely attacking selectively based upon their environment and the analyzer.

Worm sleeps to avoid detection
By Munir Kotadia
CNET News.com
July 13, 2004, 6:53 AM PT

Gordon Housworth


