Kaspersky Lab Receives Tech Patent for Obfuscated Malware Recognition

Patented technology allows security solutions to reveal malicious files that try to hide themselves using different re-packing methods

Kaspersky Lab has just received a technology patent entitled “System and Method for Detecting Harmful Files Executable on a Virtual Stack Machine”. The new technology, included in Kaspersky Internet Security and Kaspersky Total Security products, allows the security solutions to reveal malicious files trying to hide themselves with different re-packing methods.

Last year, the number of Adobe Flash Player exploits significantly increased. Malicious files created for this platform can be hidden from detection by security products, for example, by re-packing malicious files or embedding “trash” instructions into them. In some cases, the exploit is re-packed for each different user, meaning each victim is hit with a unique malicious file. As a result, detection by traditional methods (such as signature or heuristic analysis) is hampered. The patented technology was developed to make detection of such malware easier.

Kaspersky Lab’s experts created a universal hash-sum, a check-sum calculated from the byte-code of the analyzed malicious files, which detects a whole group of malicious files at once. This approach allows malicious files to be detected regardless of the method used to protect the analyzed file from detection by the security product. At this stage, the patented technology is aimed at detecting malicious files created with the .NET and ActionScript frameworks.

Alexander Liskin, Heuristic Detection Group Manager at Kaspersky Lab and a co-author of this technology, says: “This kind of hash-sum, referring not only to a certain file but to a group of files, is very useful, because it can be easily integrated into automatic detection systems and allows detection of numerous objects with a single record. In the long term, such hash-sums can be created for other types of malicious files that use virtual stack machines.”

Anton Ivanov, Senior Malware Analyst at Kaspersky Lab, a co-author of this technology, adds: “It is worth mentioning that applying these hash-sums has achieved great results in the field of detection of SWF exploits, which are the most popular type at the moment. Due to the implementation of such a technology service for SWF exploits, auto-detecting has also been put into operation.”
