Malware authors are sometimes talented, sophisticated software developers who understand the methods that security professionals use to detect and prevent malware attacks. This leads them to develop advanced techniques that allow them to escape detection and bypass traditional anti-malware defenses. In this video, Mike Chapple explains three advanced malware concepts: rootkits, polymorphism, and armored viruses.
- [Instructor] Malware authors are sometimes talented, sophisticated software developers who understand the methods that security professionals use to detect and prevent malware attacks. This leads them to develop advanced techniques that allow them to escape detection and bypass traditional anti-malware defenses. Let's talk about three advanced malware concepts: rootkits, polymorphism, and armored viruses. The root account is a special superuser account on a system that provides unrestricted access to system resources.
It's normally reserved for system administrators, but it's also the ultimate goal of many hackers. Rootkits are a type of malware that originally were designed for privilege escalation. A hacker would gain access to a normal user account on a system, and then use the rootkit to gain root, or escalate the normal user access to unrestricted superuser access. The term "rootkit" has changed over the years, however. It is now used to describe software techniques designed to hide other software on a system.
Rootkits deliver a variety of payloads. These include backdoors, botnet agents, and adware or spyware. They're also not always malicious in design. Some rootkits are designed, for example, as antitheft mechanisms for copyrighted content. Computer systems use a ring protection model to describe the type of access that different programs may have to system resources. Most programs run in a less privileged user mode, while the operating system itself uses a very highly privileged kernel mode.
Rootkits can run in either user mode or kernel mode. User mode rootkits run with normal user privileges. They are fairly easy to write, and difficult to detect. Kernel mode rootkits, on the other hand, get the keys to the kingdom, because they run with very advanced privileges. The trade-off to these privileges, however, is that they are difficult to write and easy to detect. The second advanced malware technique we'll cover is polymorphism. Most anti-malware software uses a technique known as signature detection.
It recognizes viruses by maintaining a database of known virus patterns, and then comparing suspect files to that database. Anti-malware vendors must frequently update the database, and viruses are detected only when they match an existing signature. Polymorphic viruses fight signature detection by changing themselves constantly. Because of this, the virus files don't look the same from one system to another. The signatures don't match, so signature detection doesn't work.
Polymorphic viruses often work by using encryption. They encrypt themselves using a different key on each system they infect, making the files look completely different. The virus loader then has the decryption key necessary to retrieve the original virus code. The final advanced malware topic we'll discuss is armored viruses. When viruses use polymorphism, antivirus researchers have to pick them apart to retrofit anti-malware software to detect them properly.
The key way they do this is using a technique known as reverse engineering. In reverse engineering, the programmer reaches down deep into the virus to analyze the machine language, or assembly code that makes up the virus's DNA. Armored viruses implement techniques designed to defeat reverse engineering. These include writing the virus in obfuscated assembly language that hides the true intent of the code, blocking the use of system debuggers, and preventing a technique known as sandboxing that can isolate the virus.
In this video, you've learned about three advanced techniques malware authors use to defeat detection and prevention mechanisms. Rootkits hide other software installed on the system for malicious reasons. Polymorphic viruses change themselves often to avoid detection by antivirus software. Armored viruses use sophisticated techniques to hide themselves from virus detection mechanisms. Security+ professionals should be familiar with these techniques as they prepare for the exam, but rest assured that modern antivirus software protects against each of them.
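The signature-detection versus polymorphism trade-off described above, as an added Python illustration that is not part of the course: the sample body, the "loader" header and the single-byte XOR "encryption" are all constructed stand-ins, and the block goes one step beyond the video by showing the defender-side counter (decode every candidate key and rescan) that real engines approximate with generic unpacking or emulation.

```python
"""Toy demo: why byte-signature matching misses per-copy encoded bodies.

Added for this transcript; nothing here is from the course or a real engine.
The 'malware body' is a harmless constructed marker string.
"""
from typing import Optional

# Constructed sample: the bytes a vendor's signature database would record.
KNOWN_BODY = b"HELLO-CONSTRUCTED-SAMPLE-BODY"
# The signature is a fixed byte pattern taken from the known sample.
SIGNATURE_DB = {"demo-sample": KNOWN_BODY[:16]}


def xor_encode(body: bytes, key: int) -> bytes:
    """Single-byte XOR stands in for the per-copy 'encryption' the loader reverses."""
    return bytes(b ^ key for b in body)


def make_infected_copy(body: bytes, key: int) -> bytes:
    """Constructed file layout: a tiny loader header carrying the key, then the
    encoded body. Real loaders are executable code; the header is a stand-in."""
    return b"LOADER" + bytes([key]) + xor_encode(body, key)


def static_scan(data: bytes) -> Optional[str]:
    """Plain signature detection: byte-pattern search against the database."""
    for name, sig in SIGNATURE_DB.items():
        if sig in data:
            return name
    return None


def decode_then_scan(data: bytes) -> Optional[str]:
    """Defender-side counter: undo every possible single-byte key and rescan.
    Generic unpacking / emulation in real AV engines plays this role."""
    for key in range(256):
        hit = static_scan(xor_encode(data, key))
        if hit:
            return hit
    return None


if __name__ == "__main__":
    copy_a = make_infected_copy(KNOWN_BODY, 0x41)  # "system A" key
    copy_b = make_infected_copy(KNOWN_BODY, 0x7A)  # "system B" key
    print("copies identical:", copy_a == copy_b)
    print("static scan:", static_scan(copy_a), static_scan(copy_b))
    print("decode-then-scan:", decode_then_scan(copy_a), decode_then_scan(copy_b))
```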
The CompTIA Security+ exam is an excellent entry point for a career in information security. The latest version, SY0-501, expands coverage of cloud security, virtualization, and mobile security. This course prepares exam candidates for the critical Threats, Attacks, and Vulnerabilities domain of the exam. By learning about malware, networking and application security exploitations, and social engineering, you'll be prepared to answer questions from the exam—and strengthen your own organization's systems and defenses. Author Mike Chapple, an IT leader with over 15 years of experience, also covers the processes for discovering and mitigating threats and attacks, and conducting penetration testing and scanning for vulnerabilities. Visit certmike.com to join one of his free study groups.