server-side polymorphism is a type of polymorphism where the polymorphic engine (the transformation function responsible for producing the malware's many forms) doesn't reside within the malware itself...
just as conventional polymorphism was constrained to housing the polymorphic engine within the virus its meant to operate on (because the code doing the copying has to have access to the transformation function), server-side polymorphism requires the polymorphic engine to be part of the system (generally a website) that serves (hands out) copies of the non-replicative malware it's used on instead of being in the malware itself...
this has proven to be very effective and very hard to counter from a conventional known-malware perspective... the reason is because with the polymorphic engine staying on the server instead of residing within the malware itself the transformation function can remain unknown to the malware analysts... although the analysts can try to perform black-box analysis of the transformation function, without knowing all the variables the function takes into account it's not possible to model the entire algorithm and predict all possible outputs... further, the transformation function can be arbitrarily complex, it could involve actually recompiling the malware with different parameters, or it might not even be an algorithm at all (someone might literally be manually changing the malware that the server is handing out)...
given this, it's not really possible in the general case for signature-based known-malware detection technology to reliably detect all instances of a piece of malware that employs server-side polymorphism but there are some facts that anti-malware vendors can use to their advantage... first, while signatures probably won't work, heuristics should be able to have some success against the various instances of such malware (assuming the polymorphism isn't too complex)... second, polymorphism has never been easy to develop and so the use (and sale) of kits may be helpful since the kits should contain the polymorphic engine and therefore give the analysts access to the transformation function... finally, there are detection and prevention technologies (behaviour-based detectors, whitelists, etc) that can often stop malware without needing to know what the malware looks like and vendors are increasingly including such technology in their suites...
back to index
0 comments:
Post a Comment