Prominent security research and products company Kaspersky Lab has been awarded a fresh patent on a technology which will reveal malicious files trying to hide themselves with different re-packing methods.
Kaspersky Labs has given the example of the Adobe Flash Player exploit, where malicious files dodge detection by security products by re-packing malicious files or embedding “trash” instructions into them.
In some cases, the exploits were re-packed for each different user, meaning every victim would be hit with a unique malicious file.
As a result, the process of detection by traditional methods (such as signature or heuristics analysis) suffered immensely. The patented technology was developed to make detection of such malware easier.
At this stage, the patented technology only aims at the detection of malicious files created by .NET and ActionScript frameworks.
Alexander Liskin, Heuristic Detection Group Manager at Kaspersky Lab, a co-author of this technology said: “This kind of hash-sum referring not only to a certain file but group of files is very useful, because it can be easily integrated into automatic detection systems and allows detection of numerous objects with a single record. In the long term, such hash-sums can be created for other types of malicious files that use virtual stack machines.”
Anton Ivanov, Senior Malware Analyst at Kaspersky Lab, a co-author of this technology, said: “It is worth mentioning that applying these hash-sums has achieved great results in the field of detection of SWF exploits, which are the most popular type at the moment. Due to the implementation of such a technology service for SWF exploits, auto-detecting has also been put into operation.”
