26 Jul 2011
Symantec has revealed a huge jump in email-borne polymorphic malware as cyber criminals react to improvements in malware detection with a more aggressive push to circumvent traditional filters.
The July 2011 Symantec Intelligence Report, which now combines the firm's MessageLabs Intelligence Report and Symantec State of Spam & Phishing Report, identified one in 280.9 emails as malicious in July, a rise of 0.01 percentage points on June.
However, 23.7 per cent of all email-borne malware intercepted in July was polymorphic, more than double the figure six months ago.
This type of malware is typically harder for traditional filters to detect as it constantly changes its code. Symantec described the recently discovered activity as an "aggressively unstable or rapidly changing form of generic polymorphic malware".
Symantec found 1,057 different strains of this generic polymorphic malware between June and July, roughly 25 times the February 2011 figure, when around 40 strains were identified.
A typical evasion technique is to change the start-up code in every version of the malware, which makes it difficult for the emulators built into many anti-virus engines to recognise the sample, Symantec explained.
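To make the start-up-code trick concrete, the following added example (not code or data from Symantec or V3) builds a toy polymorphic sample: a constructed stand-in payload is wrapped in a decoder stub whose junk prefix and single-byte XOR key change on every copy, while the body stays the same. It then compares three detection strategies: a file-hash blocklist, a static byte signature, and a detection that first "emulates" the stub by decoding the body the way an anti-virus emulator would run the real decoder. The container format, the `STUB` magic and the payload text are all invented for illustration.

```python
import hashlib
import random

# Constructed stand-in for the malware body that every variant carries.
PAYLOAD = b"MALICIOUS-BODY: download stage two and run it"
SIGNATURE = b"MALICIOUS-BODY"   # byte pattern a static signature would look for
MAGIC = b"STUB"                 # invented container marker for the toy format


def make_variant(rng):
    """Emit one toy polymorphic sample: fresh random junk prefix and a fresh
    single-byte XOR key, with the same PAYLOAD encoded under that key.  This
    mimics changing the start-up (decoder) code for every copy while leaving
    the functional body untouched."""
    key = rng.randrange(1, 256)   # never 0: that would leave the body in clear
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(4, 16)))
    body = bytes(b ^ key for b in PAYLOAD)
    return (MAGIC + bytes([len(junk)]) + junk + bytes([key])
            + len(body).to_bytes(2, "big") + body)


def emulate(sample):
    """Walk the decoder stub the way an AV emulator would and return the
    decoded body.  A real emulator executes the stub's instructions; the toy
    format lets us interpret the stub directly."""
    if not sample.startswith(MAGIC):
        return b""
    pos = len(MAGIC)
    junk_len = sample[pos]
    pos += 1 + junk_len            # skip the junk prefix
    key = sample[pos]
    pos += 1
    body_len = int.from_bytes(sample[pos:pos + 2], "big")
    pos += 2
    body = sample[pos:pos + body_len]
    return bytes(b ^ key for b in body)


def hash_detect(sample, known_hashes):
    """Blocklist of whole-file hashes: only catches samples seen before."""
    return hashlib.sha256(sample).hexdigest() in known_hashes


def static_detect(sample):
    """Static byte signature on the file as it sits on disk."""
    return SIGNATURE in sample


def emulated_detect(sample):
    """Run the stub first, then apply the same signature to the decoded body."""
    return SIGNATURE in emulate(sample)


def round_trips(seed=7):
    """Sanity check: emulating a variant recovers the original payload."""
    return emulate(make_variant(random.Random(seed))) == PAYLOAD


def compare(n_variants, seed=1):
    """Generate n_variants samples and count how many each method catches.
    The vendor is assumed to have seen (and hashed) only the first sample."""
    rng = random.Random(seed)
    variants = [make_variant(rng) for _ in range(n_variants)]
    known = {hashlib.sha256(variants[0]).hexdigest()}
    return {
        "hash": sum(hash_detect(v, known) for v in variants),
        "static": sum(static_detect(v) for v in variants),
        "emulated": sum(emulated_detect(v) for v in variants),
    }


if __name__ == "__main__":
    print(compare(25))
```

Running it shows the hash blocklist catching exactly one of 25 variants and the static signature catching none, while the emulated check catches all 25 because the body is identical once the stub has been executed. The arms race the article describes is the next move: the attacker makes the stub itself harder to emulate (anti-emulation checks, long loops, unusual instructions), which is why the report's advice leans on behavioural and cloud-side detection rather than on-disk patterns alone.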
"This really is evidence of the continued arms race between malware writers and the anti-malware industry," Symantec senior software engineer Martin Lee told V3.
"Malware writers who fail to innovate are easy to detect, but those who continuously try to evade detection are more successful so they can reinvest in order to identify more ways to modify their malware and make it even more difficult to detect."
Lee added that anti-malware firms need to employ a large pool of researchers, analysts and engineers to avoid being left behind by the cyber criminals.
He argued that the latest ploy by the malware writers could be a result of improved automation toolkits, or an increase in polymorphic malware writing skills.
"Chief information officers need to take a good hard look at their anti-virus tools and take a layered approach, pulling as much out at the cloud layer as possible before it gets onto the network, and then ensuring they have one endpoint protection system for their machines," he said.
"Their anti-virus technology needs to use behavioural and heuristic analysis and cloud-based detection otherwise they will be left open to innovating [malware writers]."
Elsewhere in the report, Symantec spotted an increase in phishing attacks targeted at mobile phone users, which Lee said could be an indication that spammers are turning to other techniques to make money.