Norton 2010 to tackle polymorphism

The 2010 versions of Symantec's Norton consumer security products have been designed to tackle a technique that's been used to get malware onto large numbers of computers.

A piece of malware known as Clampi or Clomp (among other names) is doing the rounds at present. As many as one million Windows-based PCs are thought to be infected.

This should be particularly worrying for users as it grabs credentials for online banks and other money-related sites such as casinos.

One of the sneaky things about Clampi is that it ensures that identical files aren't delivered to all computers. According to PC Tools' ThreatFire Research team, three-quarters of all Clampi executables are unique.

Such polymorphism makes it difficult to perform signature-based detection of Clampi. It can sometimes be spotted indirectly by recognising the packer used in any particular example, and behavioural detection can also be successful.

For example, Sophos detects the way Clampi injects code into Internet Explorer, and recognises the PsExec utility (installed by Clampi, but which also has legitimate uses) as a potentially unwanted application.

But a feature that's new to the forthcoming Norton 2010 products should be able to stop such polymorphic attacks before the code is installed.

Symantec is introducing reputation to the fight against malware. The basic idea is that if you are one of the first few people among the company's millions of users to run a particular application, then unless you are a software developer there's a good chance that it is polymorphic malware. So when Norton 2010 sees a very rarely seen application trying to run, it will suggest that at the very least you delay the operation until more information is available.
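The sketch below is an added illustration of the prevalence idea described above, not Symantec's code: it contrasts an exact-hash signature check with a "how many machines have seen this file" check. The threshold, class and function names and all sample data are assumptions constructed for the example.

```python
import hashlib
from collections import defaultdict

RARE_THRESHOLD = 5  # assumed cut-off: fewer distinct machines than this counts as "rare"

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class PrevalenceStore:
    """Counts distinct machines that have reported each file hash (hypothetical store)."""
    def __init__(self):
        self._seen = defaultdict(set)

    def report(self, machine_id: str, data: bytes) -> None:
        self._seen[digest(data)].add(machine_id)

    def prevalence(self, data: bytes) -> int:
        return len(self._seen.get(digest(data), ()))

def verdict(store, signatures, data, is_developer=False):
    """Return 'block', 'delay' or 'allow' for a file that is about to run."""
    if digest(data) in signatures:      # exact-match signature hit
        return "block"
    if store.prevalence(data) < RARE_THRESHOLD and not is_developer:
        return "delay"                  # too few users have seen it: wait for more data
    return "allow"

def run_demo():
    store = PrevalenceStore()
    # Constructed data: one widely used program reported by 1000 machines.
    common_app = b"constructed-common-application-image"
    for n in range(1000):
        store.report(f"pc-{n}", common_app)
    # Constructed stand-ins for polymorphic variants: same inert body, different
    # padding per machine, so every machine reports a different hash.
    variants = [b"constructed-sample-body" + n.to_bytes(4, "big") for n in range(20)]
    for n, sample in enumerate(variants):
        store.report(f"victim-{n}", sample)
    signatures = {digest(variants[0])}  # a signature exists for one captured variant only
    results = [verdict(store, signatures, sample) for sample in variants]
    return {
        "common_app": verdict(store, signatures, common_app),
        "signature_hits": results.count("block"),
        "reputation_delays": results.count("delay"),
        "developer_build": verdict(store, signatures, b"fresh-local-build", is_developer=True),
    }

if __name__ == "__main__":
    print(run_demo())
```

The signature catches only the one variant it was written for, while the other unique variants are flagged because almost nobody else has seen them; the `is_developer` flag models the article's exception for people who legitimately run brand-new binaries.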
