
Kaspersky Lab patents new tech

By Staff Writer, ITWeb
Johannesburg, 06 Nov 2013

Kaspersky Lab has been granted a US patent on a system that aims to detect malicious code that has been modified using packers or encryptors that have not yet been identified by researchers.

Packers or encryptors are used to obfuscate malicious code. They create a container file that includes a version of the original program as well as the code needed to decrypt it.

"Criminals use these tools to modify malware in order to complicate its detection by security solutions," says Kaspersky.

In this way, attackers are able to change a program's binary files as a means to bypass signature-based scanners.

"Even if a security product's anti-virus database includes a signature for the original malware sample, it will be unable to detect the compressed version of the malicious program," the company explains.

Maxim Golovkin, a Kaspersky Lab malware expert and author of the newly patented technology, says although heuristic rules can help detect programs that have been modified with packers, should an attacker create his own packer with a unique algorithm, detecting the threat is far more difficult.

He says the new tech offers a means of analysing objects, which 'creates a special profile for each new packer, providing a general description of its behaviour'.

In this way, the profile gives the security solution the capability to detect malware modified using a packer based on the operations it performs when launched.
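To make the contrast between the signature bypass described above and behaviour-profile detection concrete, here is an added example (not Kaspersky's patented method or code): a packed variant whose bytes no longer match the known hash is still caught because the operations it performs at launch match a packer's profile. The operation names, traces and sample bytes are constructed for illustration.

```python
import hashlib

# Constructed packer behaviour profiles: each is the ordered list of operations
# that characterise a packer's unpacking stub when the file is launched.
# The operation names are illustrative labels, not real API names.
PACKER_PROFILES = {
    "rwx-stub": ["alloc_rwx", "decrypt_loop", "write_mem", "jump_to_unpacked"],
    "section-rewrite": ["read_self", "decrypt_loop", "rewrite_section", "jump_to_unpacked"],
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def signature_match(sample: bytes, known_hashes: set) -> bool:
    """Static signature check: true only if these exact bytes are already known."""
    return sha256(sample) in known_hashes

def appears_in_order(profile: list, trace: list) -> bool:
    """True if every profile operation occurs in the trace in the same order,
    with any number of unrelated operations allowed in between."""
    remaining = iter(trace)  # 'op in remaining' consumes the iterator up to op
    return all(op in remaining for op in profile)

def match_profiles(trace: list, profiles=PACKER_PROFILES) -> list:
    """Names of the packer profiles whose behaviour the launch trace exhibits."""
    return [name for name, ops in profiles.items() if appears_in_order(ops, trace)]

# Constructed samples: the "original" malware bytes and a "packed" container
# whose bytes differ entirely, so a hash of the original never matches it.
ORIGINAL = b"MZ\x90\x00constructed-original-sample"
PACKED = b"MZ\x90\x00constructed-packed-container\x01\x02"
KNOWN_HASHES = {sha256(ORIGINAL)}

# Constructed launch traces, as a sandbox or emulator might record them.
PACKED_TRACE = ["load_library", "alloc_rwx", "resolve_import",
                "decrypt_loop", "write_mem", "jump_to_unpacked"]
CLEAN_TRACE = ["load_library", "read_config", "create_window", "message_loop"]

if __name__ == "__main__":
    print("signature hits original:", signature_match(ORIGINAL, KNOWN_HASHES))  # True
    print("signature hits packed:  ", signature_match(PACKED, KNOWN_HASHES))    # False
    print("behaviour hits packed:  ", match_profiles(PACKED_TRACE))             # ['rwx-stub']
    print("behaviour hits clean:   ", match_profiles(CLEAN_TRACE))              # []
```

A real product would derive the profile from observed packer behaviour and weight operations rather than require an exact ordered match, but the principle is the same: the profile survives changes to the packed bytes that defeat a hash.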

Golovkin says the tech has already been integrated into Kaspersky's home and business solutions.
