Posted 20 May 2004 - 01:07 AM
I agree with SlippyG that it is quite easy to make malware undetected.
However, I doubt that it makes sense to strictly distinguish between undetected and undetectable malware with regard to non-replicating samples. For example, it does not make a huge difference whether you protect a trojan with Armadillo and thereby make it undetected, or create your own - potentially - undetectable crypter using the NOP method mentioned by SlippyG: initially, both trojans will not be caught by an AV scanner. But both trojans WILL be caught by an AV scanner if they are widely spread. The AV software producer will simply add a signature for the compressed variant (there is no need to decompress the trojan at all).
The NOP method may make some "sense" with respect to replicating malware (e.g., worms). A polymorphic encryption engine with a hard-to-catch unpacking stub generating differently encrypted worm generations after each replication phase may cause a problem. However, there are still memory scanners which are not affected by any file encryption tricks. Of course, you can try to also fool the mem scanners by using the block-fetch method (like some commercial protectors already do). But will it really prevent replicating malware from being detected? I do not think so (see below).
It seems to me that the future of malware detection lies with behaviour-based detection mechanisms. In principle, many types of malware can be detected without any signature scanning at all. Let me provide you with a few examples:
Irrespective of its encryption, a standard trojan can be easily detected since it does three things which are suspicious: it opens a port and listens, it hides itself from the Windows task bar and it creates an autostart entry in the registry. A heuristic scanner (like the forthcoming A2) should easily identify this behaviour since there are almost no legit applications which show the same suspicious behaviour.
User-mode rootkits and DLL trojans can be easily detected because they use the suspicious CreateRemoteThread function. Moreover, such malware will be "disabled" by a system firewall like Process Guard, System Safety Monitor or Tiny Personal Firewall.
Kernel-mode rootkits (like Hacker Defender) which install a service will also be blocked or detected by a system firewall or a behaviour based AV/AT system.
Any registry cloaking tricks are suspicious and can be easily detected with the help of a generic registry viewer like RegdatXP.
In summary, I believe the more strange/suspicious/abnormal things you do, the easier it will be to detect your malware. But people still try to create such abnormalities like video-RAM rootkits etc. Malware which is really undetectable will not do any suspicious things at all. It will look like a legit application and it will infect people with the help of social engineering. Example: Earthstation 5 ;-)
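The behaviour-based heuristics the post describes (listening port + hidden window + autostart entry for a classic backdoor, and CreateRemoteThread into a foreign process for DLL injection), as an added example that is not part of the original post. The event stream and its field names (pid, kind, port, key, target_pid) are constructed assumptions standing in for whatever telemetry a host monitor would actually emit.

```python
"""Behaviour-based heuristic over a constructed endpoint event stream."""
from collections import defaultdict

# Constructed sample telemetry: one dict per observed event (not real data).
EVENTS = [
    {"pid": 100, "kind": "listen", "port": 31337},
    {"pid": 100, "kind": "window", "visible": False},
    {"pid": 100, "kind": "reg_write",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"pid": 200, "kind": "listen", "port": 8080},      # a normal server
    {"pid": 200, "kind": "window", "visible": True},
    {"pid": 300, "kind": "api", "name": "CreateRemoteThread", "target_pid": 200},
    {"pid": 400, "kind": "reg_write", "key": r"HKCU\Software\Foo"},
]

# Registry keys that give a program an autostart entry (Run / RunOnce).
AUTOSTART_KEYS = (r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce")


def profile(events):
    """Collapse the event stream into a per-process behaviour profile."""
    prof = defaultdict(lambda: {"listens": False, "hidden": False,
                                "autostart": False, "remote_thread": False})
    for e in events:
        p = prof[e["pid"]]
        if e["kind"] == "listen":
            p["listens"] = True
        elif e["kind"] == "window" and not e["visible"]:
            p["hidden"] = True
        elif e["kind"] == "reg_write" and e["key"].endswith(AUTOSTART_KEYS):
            p["autostart"] = True
        elif (e["kind"] == "api" and e["name"] == "CreateRemoteThread"
              and e["target_pid"] != e["pid"]):
            p["remote_thread"] = True   # thread created in another process
    return dict(prof)


def classify(events):
    """Return {pid: verdict}; no signatures, only the combined behaviours."""
    verdicts = {}
    for pid, p in profile(events).items():
        if p["listens"] and p["hidden"] and p["autostart"]:
            verdicts[pid] = "backdoor-like: listens + hidden + autostart"
        elif p["remote_thread"]:
            verdicts[pid] = "injection: CreateRemoteThread into another process"
        else:
            verdicts[pid] = "benign"
    return verdicts
```

Note that pid 200 listens on a port but is neither hidden nor autostarted, so it stays benign; the rule only fires when all three behaviours coincide, which is what keeps the false-positive rate low on legitimate servers.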