
Modern Malware is Good at Hiding, Researchers Say

LAS VEGAS — A security researcher identifies a program that might be malware. Like a police officer interrogating a suspect, the researcher starts to analyze the program, looking for evidence of malicious activity. But like a tight-lipped suspect, malware is getting better at resisting interrogation.

At the Black Hat security conference in Las Vegas, Nevada (August 6), Intel researchers Rodrigo Branco and Gabriel Negreira Barbosa presented their analysis of 12 million malware samples, showing that malware is getting better at making life harder for the people trying to detect and fight it.


In their talk, an update to their 2012 report on the same subject, Branco and Barbosa ran through several techniques found in modern malware that are designed to resist analysis by researchers.

For example, a growing share of the samples could detect whether they were being run on a virtual machine (VM). Researchers often let malware run inside a VM, an isolated environment where the program can't do any real damage and its behavior can be observed safely. Malware equipped with anti-VM techniques checks for traces of the virtualization software, such as the vendor string a hypervisor reports to the CPUID instruction, or the names of the guest-tools drivers and processes that VMware or VirtualBox install. If it finds any, it simply refuses to run, or runs only harmless code, so the analyst never sees the malicious payload.

Virtual machines aren't the only researcher tools that malware is targeting. Branco and Barbosa also found an increase in malware with anti-disassembly and anti-debugger features. A disassembler turns a program's machine code back into readable assembly instructions, and a debugger lets a researcher run the program one instruction at a time to understand what a specific piece of code does. Anti-disassembly tricks, such as junk bytes that throw off the disassembler's decoding of instruction boundaries, make the code listing misleading; anti-debugger checks, such as a call to the Windows IsDebuggerPresent function or a read of the BeingDebugged flag in the process environment block, let the malware notice an attached debugger and change its behavior.

Both are essential weapons in a malware researcher's arsenal, and malware is getting better at making them hard to use.

Ironically, the techniques malware uses to evade analysis can themselves be used to identify it. Branco and Barbosa have developed an anti-malware approach that searches files for these evasion techniques and treats their presence as a signal that a program deserves closer scrutiny.
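The idea of turning evasion tricks into detection signatures can be shown with a small static scanner. The following Python code is an added example written for this article; it is not the Intel researchers' tool and is not described in their talk. It scans a byte blob for well-known anti-VM indicators (hypervisor vendor strings returned by CPUID leaf 0x40000000, guest-tools process names, the CPUID and VMware-backdoor instruction sequences) and anti-debugger indicators (debugger-check API names, the fs:[0x30] PEB read, rdtsc timing pairs). The sample "binaries" at the bottom are constructed by hand for the demonstration, and the scoring threshold is an assumption of this example, not something the researchers reported.

```python
"""Heuristic static scan for anti-VM and anti-debugger indicators.

Added example for this article, not the researchers' code. Patterns are the
well-known x86 sequences and strings these checks use; the scoring rule
(two distinct techniques = suspicious) is an assumption of this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # "anti-vm" or "anti-debug"
    name: str
    offset: int


# Vendor strings a hypervisor returns in EBX:ECX:EDX for CPUID leaf 0x40000000.
HYPERVISOR_VENDORS = {
    b"VMwareVMware": "VMware vendor string",
    b"KVMKVMKVM": "KVM vendor string",
    b"Microsoft Hv": "Hyper-V vendor string",
    b"VBoxVBoxVBox": "VirtualBox vendor string",
    b"XenVMMXenVMM": "Xen vendor string",
}
# Guest-tools driver/process names that anti-VM code looks for on the host.
VM_ARTIFACTS = [b"vmtoolsd", b"VBoxService", b"VBoxTray", b"VBoxGuest", b"vmmouse", b"qemu-ga"]
# Windows APIs used by debugger checks. Benign software calls some of these
# too, so a single API hit should never be treated as proof of malice.
ANTI_DEBUG_APIS = [b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
                   b"NtQueryInformationProcess", b"NtSetInformationThread"]

# x86 code sequences. Bare opcodes (0F A2 cpuid, 0F 31 rdtsc) are too noisy,
# so each pattern includes the operand setup that ties it to an evasion check.
CODE_PATTERNS = [
    ("anti-vm", "cpuid leaf 1 (hypervisor-present bit)",
     re.compile(rb"\xb8\x01\x00\x00\x00\x0f\xa2")),          # mov eax,1 ; cpuid
    ("anti-vm", "cpuid leaf 0x40000000 (hypervisor vendor)",
     re.compile(rb"\xb8\x00\x00\x00\x40\x0f\xa2")),          # mov eax,0x40000000 ; cpuid
    ("anti-vm", "VMware backdoor magic 'VMXh'",
     re.compile(rb"\xb8\x68\x58\x4d\x56")),                  # mov eax,0x564D5868
    ("anti-debug", "PEB read via fs:[0x30]",
     re.compile(rb"\x64\xa1\x30\x00\x00\x00")),              # mov eax,fs:[0x30]
    ("anti-debug", "rdtsc timing pair",
     re.compile(rb"\x0f\x31[\x00-\xff]{1,32}\x0f\x31")),     # two rdtsc close together
    ("anti-debug", "int 2Dh debugger trap",
     re.compile(rb"\xcd\x2d")),                              # int 2Dh
]


def scan(blob: bytes) -> list[Finding]:
    """Return every indicator hit in the blob, ordered by file offset."""
    findings: list[Finding] = []
    for needle, name in HYPERVISOR_VENDORS.items():
        for m in re.finditer(re.escape(needle), blob):
            findings.append(Finding("anti-vm", name, m.start()))
    for needle in VM_ARTIFACTS:
        for m in re.finditer(re.escape(needle), blob, re.IGNORECASE):
            findings.append(Finding("anti-vm", "VM artifact " + needle.decode(), m.start()))
    for needle in ANTI_DEBUG_APIS:
        for m in re.finditer(re.escape(needle), blob):
            findings.append(Finding("anti-debug", "API " + needle.decode(), m.start()))
    for category, name, pattern in CODE_PATTERNS:
        for m in pattern.finditer(blob):
            findings.append(Finding(category, name, m.start()))
    return sorted(findings, key=lambda f: f.offset)


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Distinct technique names per category (a repeated string counts once)."""
    out: dict[str, set[str]] = {"anti-vm": set(), "anti-debug": set()}
    for f in findings:
        out[f.category].add(f.name)
    return {k: sorted(v) for k, v in out.items()}


def is_suspicious(findings: list[Finding], min_distinct: int = 2) -> bool:
    """Assumed rule: flag when at least min_distinct distinct techniques appear."""
    s = summarize(findings)
    return len(s["anti-vm"]) + len(s["anti-debug"]) >= min_distinct


# Constructed sample blobs (not real malware): prologue/epilogue bytes with
# the indicator sequences embedded between them.
BENIGN_SAMPLE = b"\x55\x8b\xec" + b"Hello, world\x00" + b"IsDebuggerPresent\x00" + b"\x5d\xc3"
EVASIVE_SAMPLE = (
    b"\x55\x8b\xec"
    + b"\xb8\x01\x00\x00\x00\x0f\xa2\x0f\xba\xe1\x1f"   # mov eax,1 ; cpuid ; bt ecx,31
    + b"\xb8\x00\x00\x00\x40\x0f\xa2"                   # mov eax,0x40000000 ; cpuid
    + b"VMwareVMware\x00VBoxVBoxVBox\x00"               # strings compared against CPUID output
    + b"\x64\xa1\x30\x00\x00\x00\x0f\xb6\x40\x02"       # mov eax,fs:[0x30] ; movzx eax,byte [eax+2]
    + b"vboxservice.exe\x00"                            # guest-tools process name
    + b"\x5d\xc3"
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SAMPLE), ("evasive", EVASIVE_SAMPLE)):
        hits = scan(blob)
        print(label, "suspicious" if is_suspicious(hits) else "clean", summarize(hits))
```

Two caveats a practitioner would keep in mind: a scan like this only sees what is present in the clear, so a packed or string-obfuscated sample hides most of these indicators until it is unpacked; and legitimate software (licensing and copy-protection code in particular) uses some of the same checks, which is why the example requires several distinct techniques before flagging a file rather than reacting to a single IsDebuggerPresent import.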

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games.