The malware of the future may come bearing real gifts

October 12, 2014 – 1:03 PM

“What,” asked the speaker. “if Notepad behaved just like you would expect it to, but only for the first hour or so that you used it? What if it began to do different things after that?”

According to Giovanni Vigna, a professor at the University of California, Santa Barbara, and the head of the Center for CyberSecurity and Seclab there, such possum-like behaviour and long-term thinking represents the future of the malware arms race.

Speaking at IP Expo today, Prof. Vigna outlined scenarios in which an increasingly sophisticated and opaque breed of malicious executable will evolve to ‘mimic’ the behaviour patterns of benign software, in an attempt to avoid wasting its payload behaviour on a sandbox or virtualised environment.

Three thousand previously unidentified malware entities flood the network every day. Many are old ‘friends’ repackaged to generate hashes unfamiliar to the databases of BitDefender, Symantec and other anti-malware companies, and this guarantees them at least an hour in the wild, if not a whole ‘zero’ day.

But others are genuinely evolutionary. Instead of sprinting for a buffer overflow, some malware now demonstrates incredibly circumspect behaviour upon launch. The first thing the entity wants to know is if it is running in front of a real user and in a real system, and to this end it has developed an ever-growing map of tell-tale signs that it might not be in Kansas after all.

Source:
http://thestack.com/mimicry-in-malware-giovanni-vigna-081014