Kaspersky Lab patents a technology for recognizing packed and encrypted malware
Kaspersky Lab has received a patent for a system that helps detect malware modified by previously unseen packers or encryptors (cryptors). The technology is already integrated into the core of its security solutions for home and business users. Packers and cryptors (which can be considered a special case of packers) create a container file in which the original version of the malware is placed together with the code needed to decompress or decrypt it. Attackers use these tools to modify malware in order to hinder its detection by security solutions: such modification changes the binary form of the program, which is one way to bypass signature-based detection.
Even if the anti-virus database contains a signature for the original malware sample, that signature cannot be used to detect a packed version of the program. On the other hand, programs modified by popular packers can be detected using heuristic rules. But if an attacker creates their own packer with a unique algorithm, detecting the threat becomes much more difficult. The patented technology is a method of analysis in which a special profile, a general description of its behavior, is created for each new packer. This profile then makes it possible to detect a malicious program that uses the modified packer by the operations it performs after launch. In practice, the technology works as follows: first the anti-virus solution, guided by its own set of rules, determines that a suspicious file submitted for analysis may have been modified by a previously unknown packer, and then hands it over to the patented Kaspersky Lab technology.
This, in turn, runs each such file in an emulator and logs all actions performed by the code responsible for decoding and launching the malicious software. These operations are automatically sorted and analyzed to identify patterns that describe the behavior of the packer. At the final stage, a profile is created from this data, which can then be used to successfully detect other files modified by the same packer. "Previously, the behavior of packers for the most part remained hidden from analysis, and our technology makes a full scan of such objects possible and, as a consequence, raises the user's level of protection.
In addition, the technology allows us to describe the behavior of an unknown packer in a form that is suitable for use in a protective solution and at the same time understandable to an analyst," says Maxim Golovkin, Kaspersky Lab malware expert and author of the patented technology. The patented technology already works in Kaspersky Lab products such as Kaspersky Internet Security for all devices and Kaspersky Security for Business. Patent number 8,555,392, confirming the novelty of the technology, was issued by the United States Patent and Trademark Office.
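A simplified illustration of the profiling idea described above, added here as an example and not Kaspersky Lab's own code or the patented method: emulator traces are reduced to operation n-grams, the n-grams common to every sample of a packer form its profile, and a new trace is attributed to a packer when it reproduces enough of that profile. The traces and event names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed, simplified emulator logs: the ordered operations an unpacking
# stub performed before handing control to the decoded payload. The event
# names are illustrative; they are not output of any real emulator.
PACKER_A_TRACES: List[List[str]] = [
    ["alloc_rwx", "read", "xor_const", "write", "read", "xor_const", "write",
     "loop_back", "flush_icache", "jmp_to_written"],
    ["get_tick", "alloc_rwx", "read", "xor_const", "write", "read", "xor_const",
     "write", "loop_back", "flush_icache", "jmp_to_written"],
]
PACKER_B_TRACES: List[List[str]] = [
    ["alloc_rw", "read", "add_key", "rol", "write", "read", "add_key", "rol",
     "write", "loop_back", "mprotect_exec", "call_written"],
]

@dataclass(frozen=True)
class Profile:
    """Behaviour profile of one packer: operation n-grams seen in every sample."""
    n: int
    grams: FrozenSet[Tuple[str, ...]]

def ngrams(trace: List[str], n: int) -> FrozenSet[Tuple[str, ...]]:
    return frozenset(tuple(trace[i:i + n]) for i in range(len(trace) - n + 1))

def build_profile(traces: List[List[str]], n: int = 3) -> Profile:
    # Keep only the operation sequences common to all samples, so incidental
    # noise (e.g. a timing call at the start of one sample) stays out of it.
    common = frozenset.intersection(*(ngrams(t, n) for t in traces))
    return Profile(n, common)

def match_score(profile: Profile, trace: List[str]) -> float:
    """Fraction of the profile's n-grams that the new trace reproduces."""
    if not profile.grams:
        return 0.0
    return len(profile.grams & ngrams(trace, profile.n)) / len(profile.grams)

def classify(profiles: Dict[str, Profile], trace: List[str],
             threshold: float = 0.8) -> Optional[str]:
    """Best-matching packer name, or None if no profile clears the threshold."""
    scored = {name: match_score(p, trace) for name, p in profiles.items()}
    best = max(scored, key=scored.get)
    return best if scored[best] >= threshold else None

PROFILES = {"packer_A": build_profile(PACKER_A_TRACES),
            "packer_B": build_profile(PACKER_B_TRACES)}

if __name__ == "__main__":
    sample = ["alloc_rwx", "read", "xor_const", "write", "read", "xor_const", "write",
              "read", "xor_const", "write", "loop_back", "flush_icache", "jmp_to_written"]
    print(classify(PROFILES, sample))  # packer_A
```

Because the profile is a small set of readable operation sequences, an analyst can inspect what the detector keys on, which is the "understandable to an analyst" property the text mentions.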