Your browser is obsolete!

The page may not load correctly.

Unexpected guests

Незваные гости

Other issues in this category (70)
  • add to favourites
    Add to Bookmarks

Devious nesting dolls

Read: 1755 Comments: 1 Rating: 43

Wednesday, August 3, 2016

It’s no secret that criminals need Trojans that are “invisible” to anti-viruses. Constantly having to come up with some new disguise to escape the all-seeing eye of an anti-virus—is not only unprofitable, but also slows the industrial workflow related to developing and releasing malware. Anti-virus companies are quick to add the definitions of new Trojans into their virus databases, which is why cybercriminals have to endlessly keep writing programs that cannot be detected by anti-viruses.

How profitable the cybercriminal business is always equates to the difference between the value of what can be stolen, and how much money (money that goes into developing and distributing malicious programs) needs to be spent on stealing it.

It’s expensive and difficult to develop new Trojans.

That’s why so few people are involved in this—many criminals just purchase ready-made, tested programs on underground virus writer forums. That’s how everyday criminals solve the troublesome task of reducing the cost of developing Trojans that cannot be detected by anti-viruses.

The cheapest solution for intruders is to take previously written malware that anti-virus software can recognise and place it into an archive, sometimes in several archives (the nesting doll principle) in an unknown format (i.e., repack them) or they encrypt it.

Most anti-viruses have to respond to each repacking with a new virus database entry. Because of this, thousands of entries for modifications of the same threat are multiplied. They differ only by the packer. Creating an “invisible” Trojan for a client that uses an anti-virus is not costly because intruders can encrypt and repack the same malicious program at least a hundred times a day.

What in practice threatens such an approach to security? It turns out that until the next database update is carried out—which could be 1-2 hours, but is often far longer—the user’s system remains unprotected against what is alleged to be the newest threat, but in fact is a threat that has long been known to exist.

Dr.Web operates in a different way. Dr.Web FLY-CODE technology allows you to detect known malicious files in archives that have been encrypted and packed in a special way— no matter how hard virus writers try to bypass Dr.Web’s protection by repeatedly repacking and encrypting their malicious files. It’s expensive and unprofitable for cybercriminals to do battle with Dr.Web! And that means our users are much less likely to be targets of attack.


The Anti-virus Times recommends

Many of the technologies in Dr.Web operate invisibly. They don’t attract attention, don’t ask questions, and don’t even require fine-tuning. But that doesn’t mean that they don’t exist!

  • Dr.Web FLY-CODE is a unique universal unpacking technology that facilitates the detection of viruses that have been packed with packers that even Dr.Web cannot recognise.
  • The comprehensive analysis of packed threats significantly improves the detection of supposedly “new” malicious programs that were known to the Dr.Web virus database before they were concealed by new packers. Such an analysis also eliminates the need to add redundant definitions for new threats into the virus database.

So, the main recommendation is to use Dr.Web ☺


Tell us what you think

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.