Polymorphic Malware

The threat presented to business through viruses and other forms of malware is a serious one, with losses in the U.S. estimated at billions of dollars (Sulaiman et al., 2005). It has been estimated that one in three computers has malicious code running on it (Hsu et al., 2006). There are many difficulties associated with not only the detection of polymorphic malware, but also the removal and subsequent system repair.
There are, however, various methods to reduce the risk of system infiltration by such malware, most of which center on rigorous vigilance as to the way in which the system is used by employees, and on regularly updating anti-malware software to ensure that the most current versions are always in place.
Although there are still large deficits with regard to polymorphic malware detection in current programs, it is an area of much research, and it is essential that all IT professionals keep abreast of such research in order to implement new measures as soon as they are available.

Introduction

Internet connectivity, which is today such a vital part of business, may also open the door to frequent attacks, allowing exposure and loss of critical information, potentially costing huge amounts in damage.
This threat usually takes the form of viruses, or other malicious code known as malware, which embeds itself in the computer. Polymorphic malware presents a particular danger in that the nature of the malware often allows it to replicate unchecked once it has infiltrated a system, and is notoriously difficult to remove even if it is detected. Further to this, even upon removal of the malicious code, the system may be left with many irreparable data files that have been destroyed by the malware, or leaked to competitors.
For this reason, it is critical that IT professionals within the enterprise are aware of the current methods of protection against such a threat, as well as staying abreast of advances in the field, to ensure that the most up-to-date protection is always in place.

Definition of Malware

Malware is the name given to any harmful, destructive or intrusive computer software; this includes such entities as viruses, worms, Trojans and spyware. The most common type of virus is that which infects files or program libraries on an operating system.
Macro viruses can be hidden in the macros of documents and self-execute when the file is opened; boot viruses infect the master boot record of the hard disk and self-execute the next time the computer is booted. A worm is self-replicating code which does not need to be part of another program to propagate across a network. Trojans are disguised as legitimate software programs, but perform undesirable functions, which usually involve spying or allowing back-door access.
Current Trojans often behave like viruses, self-replicating and infiltrating the system to ensure that even if the software is removed they remain embedded within the system (Rice and Martin, 2007).

Polymorphic Malware

Polymorphic malware is specifically malware which is able to constantly morph, or change, which increases the difficulty of detection by common anti-malware programs. The morphing which the malware undergoes involves changes to the malicious code, and can take a variety of forms, such as filename changes, compression and encryption with variable keys (Xu et al., 2004).
Despite the changes in the code which the polymorphic malware will undergo, the essential function of the code will usually be preserved. Polymorphic malware is particularly effective at infecting large networks due to the ability to replicate undetected for short periods each time the code morphs, if the system is not suitably equipped to detect the malware immediately upon morphing (Rice and Martin, 2007).
The Threat from Polymorphic Malware

Malicious code can affect the secrecy, integrity, data and control flow, and functionality of the system; if a company's network is compromised in any of these ways there is the potential to cripple a business, or at least to inflict large damage on the company (Sulaiman et al., 2005). One of the greatest threats currently comes from automatic, pre-scanned, self-propagating attacks; these are able to scan at random until they find a suitable niche in which to place a piece of malicious code onto a host server.
This is then used as a base from which to attack other vulnerable servers, and can result in exponential growth of the malware, particularly if left unchecked. The number and intensity of malware attacks is on the increase, and so computer security companies, researchers and users are hard-pressed to find new services to defend against such attacks (Xu et al., 2004).
Difficulties with Polymorphic Malware

The difficulties relating to established malware lie not only in detection, but also in the removal and subsequent system repair which must take place; polymorphic malware may extensively modify a system. Although running an anti-malware program should be able to remove all the components of a piece of malware, it is not able to remove all polymorphic variants, nor to restore infected data.
Therefore it is crucial that the polymorphic malware be intercepted before it is able to establish itself and morph within the system (Hsu et al., 2006). The main reason for which the malware is so difficult to guard against is that traditional anti-malware programs are unable to recognize any detected malware once it has morphed.
Even if the anti-malware program discovers the malware and adds its signature to the downloadable database for that program, the anti-malware program will still fail to detect the harmful code once the signature has changed by morphing; the anti-malware program will simply treat the code as an entirely new threat and will not be able to recognize that it has encountered the same piece of malware before.
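The following is an added illustration, not code from the paper or its cited sources, of why a signature taken on the bytes as first observed stops matching once the same code has been re-encrypted under a new key, while a scanner that first normalizes the sample back to its preserved core still matches every variant. The XOR-and-key-header encoding, the benign CORE placeholder and all function names are constructed for this example.

```python
import hashlib
import secrets

# Constructed, benign stand-in for the "essential function" that every
# variant preserves. It is a text placeholder, not malicious code.
CORE = b"constructed payload core: unchanged across every variant"


def raw_signature(sample: bytes) -> str:
    """Signature as a traditional scanner stores it: a hash of the bytes as seen."""
    return hashlib.sha256(sample).hexdigest()


def make_variant(core: bytes, key: bytes) -> bytes:
    """Toy model of 'encryption with a variable key': XOR the core with a
    per-variant key and prepend a one-byte key length plus the key.
    Constructed format for illustration only, not any real packer."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must be 1..255 bytes")
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(core))
    return bytes([len(key)]) + key + body


def normalize(sample: bytes) -> bytes:
    """Undo the toy encoding, as an unpacking/emulating scanner would, so that
    variants built with different keys collapse to the same core bytes."""
    klen = sample[0] if sample else 0
    if klen == 0 or len(sample) < 1 + klen:
        raise ValueError("malformed variant header")
    key, body = sample[1:1 + klen], sample[1 + klen:]
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


def scan(sample: bytes, database: set, normalize_first: bool) -> bool:
    """Return True if the (optionally normalized) sample matches a stored signature."""
    data = normalize(sample) if normalize_first else sample
    return raw_signature(data) in database


def demo(variant_count: int = 5) -> tuple:
    """Seed each database from the first variant only, then scan all variants.
    Returns (raw_hits, normalized_hits)."""
    variants = [make_variant(CORE, secrets.token_bytes(8)) for _ in range(variant_count)]
    raw_db = {raw_signature(variants[0])}
    norm_db = {raw_signature(normalize(variants[0]))}
    raw_hits = sum(scan(v, raw_db, False) for v in variants)
    norm_hits = sum(scan(v, norm_db, True) for v in variants)
    return raw_hits, norm_hits


if __name__ == "__main__":
    print(demo())  # (1, 5): raw signature catches only the variant it was taken from
```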
Protecting the Network

Many of the ways in which polymorphic malware is currently able to enter a system are due to a lack of vigilance on the part of the user. There are several methods by which to decrease the risk of malware infiltrating your network; the most common of these are detailed here.
The increasing use of wireless communication devices has provided expanded opportunities for the spread of malware, and for this reason it is important to ensure that all hardware which accesses the network after using external wireless networks is screened before being allowed access (Rice and Martin, 2007). There is growing concern that attackers are increasingly using e-mail as a method by which to spread polymorphic malware server-side without being detected by anti-virus tools.
The use of e-mail is a particularly effective method for mass distribution of malicious code across the Internet. The attackers are able to achieve this by creating a large number of variants of a malware and releasing them in short bursts, allowing new variants to be released before signatures are created to protect against the virus.
Another technique used by such attackers is an approach similar to that used by spammers, in which recipients are lured into opening the email and attachments by tabloid-style subject headers on the e-mail ("Commtouch: Malware Writers' Tactics Evolving," 2007). The best method to head off e-mail malware attacks is to only open e-mail from recognized senders and to immediately discard all other email.
This may not always be practical, however, so one other approach would be to head off all e-mail which does not originate from a recognized source and send it to one account which is not on the trusted side of the network's firewall. This would allow all such mail to be assessed properly in a safer environment before it is allowed through into the system ("Commtouch: Malware Writers' Tactics Evolving," 2007).
There are companies who offer services to secure e-mail communications by blocking incoming connections from malicious IP addresses, and it may be preferable for companies without the resources available for such IT operations to employ such external services ("Commtouch: Malware Writers' Tactics Evolving," 2007). It is essential that no software is installed upon any system within the network that does not come from a reputable source.
There are many users who naively disable detection programs in order to install programs which are bundled with malware; there is no anti-malware program available which is able to protect the user from actively running malware programs if it is disabled (Hsu et al., 2006).

Damage Limitation

Aside from the methods detailed above by which the threat from polymorphic malware can be directly reduced, there are other methods which may help to limit the damage from any such malware which is able to enter the system.
The best method for dealing with the threat of such polymorphic malware programs is to employ multiple protective measures. A diverse range of blocking, filtering, detection and removal programs should be used to ensure that even if a piece of code morphs in such a way as to make it unrecognizable to one program, another program may still intercept the rogue code and remove it from the system.
It has been found that many of the polymorphic malware programs which have been recognized recently are able to bypass earlier versions of some anti-malware software, even where the databases have been kept updated. Therefore it has been suggested that it is always preferable not only to pay a subscription to update software currently installed on the system, but also to install the latest software whenever a new version is released (Andrew, 2005).
All programs which are employed should be regularly updated to ensure that they are kept current, and should be run as often as possible to ensure that any threat present within the network does not embed itself too deeply, making it more difficult to detect and remove. If available, all possible auto-protect features should be enabled within the network, allowing the system to update itself automatically on a regular basis, and reducing the risk of malware infiltrating the network.
It is also recommended that frequent checks are performed for security patches and updates which are offered by Microsoft for Windows users, or by the manufacturers of other operating systems. Although enabling auto-protect and auto-update features on the system should ensure that these are installed as soon as they are available, it is important to check regularly, as the announcement may serve as an alert to malware programmers of possible areas in which the security of the system may be breached of which they were not previously aware (Andrew, 2005).
Take periodic snapshots of the system, so.