Countering server-side polymorphism
At Sophos, we’ve used the analogy of genetics to become far more sophisticated in detecting SSP and other attacks. Sophos behavioral genotype technology identifies new malware by recognizing and extracting “genes” (or components of behavior). Using a finely tuned scoring system reflecting all the malware we’ve ever collected, we can identify combinations of genes (genotypes) that distinguish malware from legitimate code. We can compare this information with genes seen in known good files, minimizing false positives.
This gene-based approach is flexible and extensible. We can always add or modify genes reactively, or issue predictive genes to catch what the authors seem most likely to change next. We can also watch how they respond to detections by other security companies. Often, malware authors make changes which don’t immediately impact our detection. By proactively adjusting our genetic profile to reflect these changes, we can make it less likely that further changes will render the attack invisible to us.
For certain SSP malware, the back-and-forth between security vendors and malware authors has accelerated dramatically. For example, sophisticated malware authors are constantly attempting to determine which portions of their code are being detected. We’ve seen attackers modify and replace compromised code within hours. Of course, we’re also working non-stop to anticipate and respond.
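As an added illustration of the gene and genotype scoring described above (this is not Sophos code; the real scoring system is not on the page), the toy scorer below weights each gene by its smoothed log-odds between a constructed malware corpus and a constructed known-good corpus, promotes gene pairs that recur in malware but never in good files to genotypes, and shows that a variant carrying an unseen extra gene is still caught. The corpora, gene names, bonus and threshold are all assumptions.

```python
import math
from itertools import combinations

# Constructed corpora (assumption, not vendor data): each sample is the set of
# behavioural "genes" extracted from it, e.g. by static analysis or emulation.
MALWARE = [
    {"packer", "inject_remote_thread", "persist_run_key", "anti_debug"},
    {"packer", "inject_remote_thread", "raw_socket"},
    {"inject_remote_thread", "persist_run_key", "raw_socket"},
]
GOODWARE = [
    {"packer", "persist_run_key"},   # installers pack themselves and add run keys
    {"raw_socket"},                  # network diagnostic tools open raw sockets
    {"inject_remote_thread"},        # a legitimate hooking/debugging tool
]
GENOTYPE_BONUS = 1.0   # assumed extra weight for a known malicious gene combination
THRESHOLD = 1.5        # assumed decision boundary


def gene_weights(malware, goodware):
    """Smoothed log-odds per gene: high when common in malware and rare in good files."""
    weights = {}
    for g in set().union(*malware, *goodware):
        in_mal = sum(g in s for s in malware)
        in_good = sum(g in s for s in goodware)
        weights[g] = (math.log((in_mal + 1) / (len(malware) + 2))
                      - math.log((in_good + 1) / (len(goodware) + 2)))
    return weights


def genotypes(malware, goodware, min_support=2):
    """Gene pairs seen together in >= min_support malware samples and never in good files."""
    good_pairs = {frozenset(p) for s in goodware for p in combinations(sorted(s), 2)}
    counts = {}
    for s in malware:
        for p in combinations(sorted(s), 2):
            counts[frozenset(p)] = counts.get(frozenset(p), 0) + 1
    return {p for p, n in counts.items() if n >= min_support and p not in good_pairs}


WEIGHTS = gene_weights(MALWARE, GOODWARE)
GENOTYPES = genotypes(MALWARE, GOODWARE)


def score(sample):
    """Sum of gene weights plus a bonus for every known genotype the sample contains."""
    total = sum(WEIGHTS.get(g, 0.0) for g in sample)   # unseen genes score 0 until a weight is issued
    total += GENOTYPE_BONUS * sum(gt <= sample for gt in GENOTYPES)
    return total


def is_malicious(sample):
    return score(sample) > THRESHOLD
```

Adding a gene such as "new_trick" to a detected sample changes nothing until a weight is issued for it, which is the situation the text describes where an author's change does not immediately affect detection.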