Tuesday, 23 August 2011

More on Polymorphic File Infectors

I was sat thinking this evening about this new infection Kaspersky picked up a few days ago, and it amazes me as to why more malware writers haven't (yet) adopted this technique of infecting many of a computer's system files.

I mean, across the forums that I help on, we do see the likes of Virut, Sality and Ramnit, but it's only the minority for now and it's a constant fight between the good guys and the bad guys.

Truly, if the bad guys were bent on winning in the sense of creating malware that can't be beaten, they would have adapted to infecting system files. Sure, they've already managed this in the likes of TDL3, where it infects a random .sys driver file, but it can be disinfected and repaired. Now with TDL4 they've gone as far as hiding in ring0 with the MBR infections.

I'm really just amazed why we aren't yet seeing TDL4 come with an explosive bomb attached to its chest and start infecting system files - it can be done, and it's the one kind of infection that can't be stopped, as the damage is just too great.

Sure, we know the only way out of an infection like this is a quick drop-everything-and-format situation, so I wonder if the bad guys want us to fight their malware instead of going down the path-of-destruction method. I mean, their malware lasts longer when we fight it, right? Rather than formatting, and they can constantly update to stop our tools from killing the infection.

Ah well, it was just a topic I was sat wondering about; who knows if we'll see more file infectors in the future.