Hackers' Latest Attack: Malware In Disguise

March 5, 2007
HckPk code masking worms to get through corporate network security vetting processes

Virus writers have been pummeling corporate networks and consumers with their latest trick -- malware that wraps itself in a variety of masks to evade detection by antivirus programs.

"It's a new way to disguise their malicious code," says Graham Cluley, a senior technology consultant with antivirus software firm Sophos. "They've got their regular piece of ammunition to fire at you, but they put a new coat of paint over it to disguise it. We saw thousands of new versions of the Dref and Dorf malware. It was the same malware with different disguises."

Various malware authors are using HckPk, malicious code that's circulating in the Wild. Hackers can take the HckPk code and add it to their worms, which is akin to slipping a mask over someone's face. Cluley says HckPk is spreading in hacker communities so that various virus writers, such as the authors of Dref and Dorf, can use different versions of the same masking code.

"It's letting virus writers repackage their pieces of malware," says Cluley. "And they keep on changing HckPk so the disguise keeps being altered slightly, making it harder to distinguish."

Sophos analysts calculate that HckPk accounted for more than half of all malware seen during February. Cluley says between the Dref and Dorf worms, they've seen about 6,000 variations or disguises of them in the past month alone. When the well-known Storm worm hit the Wild, Cluley says it morphed about 1,500 times in its first weekend.

"It's been remarkably successful. It's all about security companies becoming much more proactive in defending against these threats," he adds. "The virus writers have grown up. They've become professional. It's calling for much, much more work."

On top of the disguises, HckPk has another trick up its sleeve. It also contains an encryption module, so when a virus writer wraps it around a piece of malware, HckPk hides the malicious part of the code from the antivirus programs that are scanning for it.

"It not only puts a disguise on these things, but it turns the code into gobbledygook," says Cluley. "We have to unravel it before we do anything else."
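The two effects Cluley describes, a fresh "coat of paint" per variant and code that is "gobbledygook" until unravelled, can be reproduced with a toy model. The following is an added example and not Sophos code or anything from HckPk: the payload, the signature string and the seed-keyed XOR layer are all constructed here, and the scanner shows why a plain byte signature misses every repackaged variant while an entropy heuristic plus unravel-then-scan still catches it.

```python
import math
import random
from collections import Counter

# Constructed stand-in for a worm body (just bytes, not real malware) and the
# byte-sequence signature a scanner would look for in it.
KNOWN_PAYLOAD = b"open smtp; send copies of self to every address found; " * 40
SIGNATURE = b"send copies of self"
SEED_LEN = 8  # assumption: the toy "packer" carries its 8-byte seed as a header

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: low for repetitive plain code, near 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def keystream(seed: bytes, n: int) -> bytes:
    # Deterministic PRNG keystream so the unpacking side can regenerate it; toy only.
    rng = random.Random(int.from_bytes(seed, "big"))
    return bytes(rng.getrandbits(8) for _ in range(n))

def disguise(payload: bytes, seed: bytes) -> bytes:
    """Model of the packer's encryption layer: a different seed gives a different 'disguise'
    of the identical payload, so no two variants share a byte signature."""
    assert len(seed) == SEED_LEN
    return seed + bytes(p ^ k for p, k in zip(payload, keystream(seed, len(payload))))

def unravel(sample: bytes) -> bytes:
    """What the analyst must do first: strip the header and undo the layer."""
    seed, body = sample[:SEED_LEN], sample[SEED_LEN:]
    return bytes(b ^ k for b, k in zip(body, keystream(seed, len(body))))

def signature_match(sample: bytes) -> bool:
    return SIGNATURE in sample

def looks_packed(sample: bytes, threshold: float = 7.0) -> bool:
    # High entropy alone is only a heuristic (compressed archives trigger it too).
    return shannon_entropy(sample) >= threshold

def scan(sample: bytes) -> str:
    """Layered verdict: raw signature first, then entropy heuristic and unravel-then-scan."""
    if signature_match(sample):
        return "known-malware"
    if looks_packed(sample):
        return "known-malware(packed)" if signature_match(unravel(sample)) else "suspicious-packed"
    return "clean"
```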

Sophos analysts say HckPk first appeared late last year, but they didn't recognize it as a masking program until February. They just thought they were seeing different versions of the same worm.

Because of its unique capabilities and its prevalence in the Wild, HckPk leads Sophos' Top 10 Malware List for February. HckPk accounted for 50.3% of all malware reported. Netsky, which came out in March 2004, is still circulating widely. Sophos puts it in its No. 2 spot with 15.1% of all reports. Mytob, another oldie, comes in third with 12.5%.

Here's how the rest of the Top 10 stack up: Zafi is fourth with 4.8%; Sality is fifth with 3.8%; MyDoom is sixth with 3.0%; Bagle is seventh with 2.4%; Clagger is eighth with 1.4%; Nyxem is ninth with 1.1%; and StraDl is in 10th place with 1.0%.

Sophos analysts also calculated that one in 256 e-mails was infected with malware in February. They also identified 7,757 new threats during the month. That's compared to 7,272 in January, and 1,132 in February 2006.