Anti-virus arms race spurs jump in polymorphic malware

With one in 280.9 emails identified as malicious in July, the rise in polymorphic malware accounted for 23.7% of all email-borne malware intercepted by Symantec. This was more than double the same figure six months ago, indicating a much more aggressive strategy on the part of cybercriminals, according to Symantec's  July 2011 Intelligence Report.

“Polymorphic malware is a way for malware writers to write their malware so that each particular malware is different from the last. So, although the malicious code does the same thing – infect your computer – each program that the malware writer is producing is acting in a slightly different way”, explained Lee, senior software engineer at

“It becomes quite difficult to do the malware analysis and to find out what the malicious program is actually doing because they are doing slightly different things each time. They are also putting in techniques to hide what it is that they are doing….This is solely to get around the anti-virus defenses that are out there at the moment”, Lee told Infosecurity.

Lee said that this could be a sign that anti-virus software is causing “pain” for malware writers so they are forced to develop complex techniques to evade the software. “This is evidence of the ongoing arms race between anti-virus researchers and malware writers”, he observed.

The Symantec report also found a large malware attack using URL shortening services in July. The attack abused at least five different URL shortening sites. An email message said it was from an inter-bank funds transfer service, claiming that a funds transfer had been cancelled. To find out why the transfer was cancelled, recipients were encouraged to click on a link supposedly pointing to a PDF file, but actually pointing to a shortened URL. This shortened URL then redirected to a site with several drive-by exploits.

“URL shortening services are a good way for spammers to hide the nature of what it is they are trying to get to the end user”, Lee observed. “This month we saw malware writers doing a similar thing….It makes it slightly harder to detect what is going on, and it makes it difficult for researchers to do the frequency analysis to identify bad domains because they are hiding them through the URL shortening services”, he added.

In July 2011, the global ratio of spam in email traffic rose to 77.8% (one in 1.29 emails), an increase of 4.9% when compared with the previous month.

“July 2010 saw the high-water mark of spam emails. There has been a steady and rather dramatic decline since then....My guess is that we are probably scraping the bottom of the barrel in terms of the amount of spam in circulation….What we will probably see for the rest of the year is the spam rate staying at 75%”, he said.

Also, phishing email activity increased by 0.01 percentage points in July compared with June; one in 319.3 emails (0.313 percent) comprised some form of phishing attack. In addition, the report found that the UK became the most targeted geography for phishing emails in July, with one in 127.9 emails identified as phishing attacks by Symantec.

The global ratio of email-borne viruses in email traffic was one in 280.9 emails (0.333 percent) in July, an increase of 0.01 percentage points since June 2011.

Also, Symantec Intelligence identified an average of 6,797 websites each day harboring malware and other potentially unwanted programs, including spyware and adware – an increase of 25.5% since June 2011.

What’s hot on Infosecurity Magazine?