Kaspersky Lab has announced that it has been granted a US patent on a system which helps to detect malware modified using packers or encryptors which have not previously been identified by researchers. The technology is already integrated into the company’s key security solutions for home and corporate users.
Packers and encryptors (which can be regarded as a type of packers) create a container file which includes a version of the original programme and code needed to unpack or decrypt it.
Cybercriminals use these tools to modify malware in order to complicate its detection by security solutions. The technique enables them to change a programme’s binary files as a way of evading signature-based scanners. Even if a security product’s antivirus database includes a signature for the original malware sample, it will be unable to detect the compressed version of the malicious programme.
Programmes modified using popular packers can be detected using heuristic rules; however, if attackers create their own packer with a unique algorithm, detecting the threat is a much more difficult task.
Kaspersky Lab’s newly-patented technology provides a method of analysing objects which creates a special profile for each new packer, providing a general description of its behaviour. The profile subsequently enables the security solution to detect malware modified using a packer based on the operations it performs when launched.
In practice, the technology works as follows: first the antivirus solution determines – using its own set of rules – that the suspicious file under analysis may have been modified using an as-yet-unknown packer, then the solution turns to the technology patented by Kaspersky Lab.
This technology in turn emulates the execution of the file being scanned and logs all the operations performed by the code responsible for decrypting and launching the malware. These operations are sorted and undergo machine analysis in order to create templates describing the packer’s behaviour.
In the final stage, a profile is created based on the data generated, which can be subsequently used to detect other files modified using the packer in question.
“While in the past analysing the behaviour of packers was generally impractical, this technology makes it possible to analyse objects in greater detail and as a result improves the quality of protection enjoyed by users.
“In addition, the technology provides a method for describing the behaviour of as-yet-unknown packers in a form that can be used by a security solution and at the same time remains intelligible to analysts,” comments Maxim Golovkin, a Kaspersky Lab malware expert and the author of the newly-patented technology.
The newly-patented technology is already implemented in flagship Kaspersky Lab products such as Kaspersky Internet Security and Kaspersky Endpoint Security for Business.
The innovative nature of the technology is confirmed by patent 8555392 issued by the United States Patent and Trademark Office.
Kaspersky Lab’s research and development department has a staff of about one thousand people, enabling the company to develop cutting-edge technologies, many of which are patented. As of early October 2013, the company’s patent portfolio included 174 patents issued in the US, Russia, the EU and China. A further 211 patent applications were under consideration.