Web Hosting News
An Old Trojan in New Clothing
By: Terri Wells
    2008-12-10

    Table of Contents:
  • An Old Trojan in New Clothing
  • It's a Trap!
  • Killing the Trojan
  • How Does Symantec Respond?
  • The Cat-and-Mouse Game


    An Old Trojan in New Clothing - The Cat-and-Mouse Game


    (Page 5 of 5 )

    This reminded me of something that Phil explained to me about how some anti-virus software works when it encounters a threat for which it doesn't have the signature. It looks for suspicious behavior – for example, something trying to download itself onto your computer without asking your permission first, or making changes to the sensitive settings of your computer (such as the registry). Haley explained that this is exactly how their “sonar” works. One of the challenges, of course, is making sure that the good software is allowed to function properly, while the bad stuff is trapped.

    Malicious hackers try to bypass these trapping techniques in a way that keeps your computer from realizing it's being duped; think of it as a digital way of “acting natural.” In response, anti-virus writers make their software more sensitive to suspicious behavior, hackers then try to bypass the new protection, and the cycle continues.

    “The bad guys are constantly creating variants...specifically written to evade detection,” said Haley. His company sees it daily, and updates accordingly. “We'll always play the cat-and-mouse...but we're also using new technologies as well, less susceptible to these variants.”

    So how does Symantec keep up-to-date on the latest threats? Many get sent in by customers, of course, but the company has a Global Intelligence Network (GIN) – research facilities at 11 different locations around the world. While these facilities respond to 200,000 submissions from customers every day, Symantec also has “honey pots” and “honey networks” set up around the world, and sensors on machines that let them monitor activity and detect threats more directly.

    How does Symantec analyze all of these threats and decide how to respond? Much of the analysis and signature creation is automated, because they couldn't keep on top of it otherwise. For more complex cases, the company maintains about 200 human analysts. Some of their criteria for determining whether a particular piece of malware is a threat, and how bad of a threat, include how prevalent it is, whether Symantec's customers are seeing it, and how much damage it does.

    So be careful when you web surf. Keep your security software up to date, and make sure it uses more than one technique to protect your computer. If you see professional-looking software you've never heard of, be more than a little suspicious, especially if it's supposedly designed to protect your computer. And if your system reboots itself for no apparent reason, you'd better do some research; you just might have a virus on your hands. Remember, it's a jungle out there.

