
Polymorphic malware attacks and in-line scanning

The number of malware threats is increasing exponentially, and polymorphic viruses are difficult to detect with traditional virus-scanning tools. Security consultants and value-added resellers (VARs) should know what techniques to use to protect their customers' networks.

The number of malware threats (viruses, worms and Trojan horses) is increasing exponentially. In addition, the financial loss associated with these exploits has been increasing, largely because the malware authors are becoming more focused on specific financial targets. Malware writers are finding lucrative employment in writing targeted code that lasts longer in the wild, is harder to detect, and uses newly developed "X-morphic" engines that make the exploits truly polymorphic.

Since many new variations of polymorphic viruses and other malware have the ability to change themselves each time they replicate, they are difficult to detect with antivirus software programs designed to recognize viruses based on their specific signatures.

Like a polymorphic virus, mutating malware can change its appearance in host programs by encrypting its body with a different key each time, while other malware designers use "packers" to encrypt malware to evade detection. Swizzor is an example of a Trojan horse that repacked itself once a minute to get past signature-based tools, and also recompiled itself once every hour.

Swizzor is a malicious adware program that is extremely difficult to remove and is a variant of the Lop parasite. Swizzor malware uses random filenames and registry key names to prevent detection and removal. When running on a computer, this parasite will attempt to connect to a number of questionable sites. It will also generate a large number of popup adverts.

Therefore, in an effort to keep in front of zero-day threats and identify more types of malware, vendors have been developing products that extend beyond the original signature-based scanning model and include anomaly detection, heuristic scanning, behavior-blocking and in-line scanning techniques. Though this has been effective, it also puts pressure on the customer to implement multilayered scanning techniques and make frequent large investments in antivirus products.
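To make the difference between the two scanning models concrete, here is an added Python example (not from the original article) that models a repacking engine of the kind described above and two ways of scanning its output: a hash signature taken over the packed sample, which changes with every key, and the unpack-then-match approach used by heuristic and emulation scanners, which recovers the invariant body. The sample body, the 16-byte key header and the function names are constructed assumptions for the illustration.

```python
import hashlib
import math
import os
from collections import Counter

# Constructed, harmless stand-in for a malware body (assumption; not real code).
SAMPLE_BODY = b"CONSTRUCTED SAMPLE: this byte string stands in for an invariant body"


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def repack(body: bytes, key: bytes) -> bytes:
    """Model of a polymorphic packer: the body is XOR-encoded with a fresh
    16-byte key, and the key travels in a header so a decoder stub can undo it."""
    assert len(key) == 16
    encoded = bytes(b ^ key[i % 16] for i, b in enumerate(body))
    return key + encoded


def unpack(sample: bytes) -> bytes:
    """What an emulating scanner effectively does: strip the header and decode."""
    key, encoded = sample[:16], sample[16:]
    return bytes(b ^ key[i % 16] for i, b in enumerate(encoded))


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; packed/encrypted content scores high, a common heuristic."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def static_signature_match(sample: bytes, signature_db: set) -> bool:
    return sha256_hex(sample) in signature_db


def unpacked_signature_match(sample: bytes, body_db: set) -> bool:
    return sha256_hex(unpack(sample)) in body_db


def demo() -> dict:
    # Generation 1 was captured and its hash shipped; generation 2 arrives an hour later.
    gen1 = repack(SAMPLE_BODY, os.urandom(16))
    gen2 = repack(SAMPLE_BODY, os.urandom(16))
    packed_db, body_db = {sha256_hex(gen1)}, {sha256_hex(SAMPLE_BODY)}
    return {
        "static_catches_gen1": static_signature_match(gen1, packed_db),
        "static_catches_gen2": static_signature_match(gen2, packed_db),
        "unpacked_catches_gen2": unpacked_signature_match(gen2, body_db),
        "entropy_plain": shannon_entropy(SAMPLE_BODY),
        "entropy_packed": shannon_entropy(gen2),
    }
```

Running `demo()` shows the static signature catching only the generation it was built from, while matching on the unpacked body catches the later generation as well.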

An in-line scanner is a fairly new type of malware scanner that monitors incoming and outgoing email protocol traffic -- such as SMTP, POP3 and IMAP -- and can also examine HTTP and FTP traffic passing on the customer's network. It is usually built into the firewall and can be a valuable addition to both server and desktop-based anti-malware implementations.

However, in-line scanning presents several issues. Often the scanning is limited to well-known ports, like HTTP on TCP port 80, so it may miss malware using unusual port numbers. On the other hand, if the in-line scanner were configured to scan all possible ports, it would likely slow the network considerably and make the process impractical for many network environments. Another drawback of in-line scanning is that it scans only the data transmitted on the wire, and doesn't scan the desktop, so it can miss SSL-encrypted traffic and some email attachment formats.

While these and other issues are still being addressed by antimalware vendors, the best solution for your customer is usually a combination of techniques and products, using both in-line scanning and signature recognition tools combined with a rapid response policy.

Remember, the bad guys are coming at you from many directions, and it's just not good business practice to rely solely on one type of protection.


About the author
Russell Dean Vines is a bestselling author, Chief Security Advisor for Gotham Technology Group, LLC, and former President of the RDV Group. His most recent book is The CISSP and CAP Prep Guide, published by John S. Wiley and Sons.
