Maksym Schipka, MessageLabs
Malware writers keep looking for better ways to widen the window of vulnerability between the release of a piece of malware and AV researchers producing and rolling out signatures. So far we have seen many attempts to do so: heavily polymorphic viruses, the use of packers, altering a few bytes so that an existing signature no longer matches, and many variants of the same malware released within a short period of time. What is the next step? I believe we are already witnessing it: offline polymorphism. It is much less complicated than 'real' or 'online' polymorphism, and yet more difficult for us to deal with. It hides the morphing algorithm from the AV researcher, because that algorithm never leaves the attacker's own machines, and it can draw on far more resources to do the morphing than are available on the target box. There is also a different type of offline polymorphism, where the downloader is disposable and the malware at the location the downloader fetches from is changed frequently.
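The following simulation is an added illustration of the mechanism described above and is not code from the original paper or from MessageLabs. Everything in it is constructed: the "payload" is a harmless marker string, the packing layout (`OPv1` magic, one-byte XOR key, random padding) is a hypothetical format invented for the demo, and `MorphingDownloadServer` stands in for the attacker-controlled host that re-morphs the file on every fetch. It shows why a byte signature taken from one downloaded copy misses the next copy, while a generic signature that first strips the variable packing still hits every copy.

```python
"""Simulation of offline (server-side) polymorphism.

A fixed byte signature extracted from one downloaded copy fails on the
next copy of the same payload, while a generic signature that undoes the
variable packing and matches on the underlying body catches all of them.
All data here is constructed; the packing format is hypothetical.
"""
import os
from typing import Optional

# Hypothetical invariant stub header carried by every morphed copy.
STUB_MAGIC = b"OPv1"

# Constructed stand-in for the malicious body; it is only a marker string.
PAYLOAD = b"CONSTRUCTED-SAMPLE: callback-routine placeholder, not real code"


def morph_offline(payload: bytes, key: int, pad: bytes) -> bytes:
    """Server-side morphing step: XOR the body with a per-download key and
    prepend random padding. Layout: MAGIC | key | pad_len | pad | body^key.
    The morphing logic lives only here and never ships in the delivered file."""
    if not 1 <= key <= 255 or len(pad) > 255:
        raise ValueError("key must be 1..255 and pad at most 255 bytes")
    body = bytes(b ^ key for b in payload)
    return STUB_MAGIC + bytes([key, len(pad)]) + pad + body


class MorphingDownloadServer:
    """Stands in for the attacker-controlled host: every request for the
    same URL yields a byte-different copy of the same underlying payload."""

    def __init__(self, payload: bytes):
        self.payload = payload
        self.served = 0

    def fetch(self) -> bytes:
        self.served += 1
        key = os.urandom(1)[0] % 255 + 1             # 1..255, never the identity key 0
        pad = os.urandom(os.urandom(1)[0] % 16 + 1)  # 1..16 bytes of junk
        return morph_offline(self.payload, key, pad)


def exact_signature(sample: bytes, length: int = 24) -> bytes:
    """What an analyst gets from a single captured copy: a run of its raw bytes."""
    return sample[-length:]


def unpack_generic(sample: bytes) -> Optional[bytes]:
    """Generic detection: recognise the invariant stub, undo the variable
    packing, and hand back the underlying body for matching."""
    if len(sample) < len(STUB_MAGIC) + 2 or not sample.startswith(STUB_MAGIC):
        return None
    key, pad_len = sample[len(STUB_MAGIC)], sample[len(STUB_MAGIC) + 1]
    start = len(STUB_MAGIC) + 2 + pad_len
    if key == 0 or start > len(sample):
        return None
    return bytes(b ^ key for b in sample[start:])


def matches_generic(sample: bytes, body_signature: bytes) -> bool:
    """Match a signature against the unpacked body rather than the raw file."""
    body = unpack_generic(sample)
    return body is not None and body_signature in body


def compare_detections() -> dict:
    """Two copies of the same payload, served to two victims minutes apart."""
    copy_a = morph_offline(PAYLOAD, key=0x5A, pad=b"\x01\x02\x03")
    copy_b = morph_offline(PAYLOAD, key=0xC3, pad=b"\xff" * 7)
    sig = exact_signature(copy_a)   # written after seeing copy_a only
    body_sig = PAYLOAD[:16]         # generic signature on the unpacked body
    return {
        "exact_hits_a": sig in copy_a,
        "exact_hits_b": sig in copy_b,
        "generic_hits_a": matches_generic(copy_a, body_sig),
        "generic_hits_b": matches_generic(copy_b, body_sig),
    }


def distinct_copies(n: int = 20) -> int:
    """Count byte-distinct files a morphing server hands out over n fetches;
    every one of them still unpacks to the same body."""
    server = MorphingDownloadServer(PAYLOAD)
    copies = {server.fetch() for _ in range(n)}
    assert all(unpack_generic(c) == PAYLOAD for c in copies)
    return len(copies)


if __name__ == "__main__":
    print(compare_detections())
    print(distinct_copies(), "distinct copies from 20 downloads")
```

The exact signature hits only the copy it was cut from, because every other download has been re-keyed on the server; the generic detector keys on the part the attacker cannot vary (the unpacking stub and the body it reconstructs), which is the property a generic signature or heuristic needs when the morphing engine itself is never available for analysis.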
I will examine the statistics MessageLabs holds on the appearance of new malware from the same family and, by looking at different variants of Bagle, Warezov, Stormy and others, compare their windows of vulnerability and the changes between variants. From that I will try to deduce what level of automation the bad guys have already achieved and what else they could do in the future, and conclude by drawing out some trends in malware automation and offline polymorphism. This should help AV vendors understand the importance of generic signatures and heuristics, and give them a solid justification for spending extra time on those.