Ice_Czar
March 2nd, 2007, 04:00 PM
It appears that for the better part of three months some malware authors have been employing a modular bit of code as an add on to their baseline exploit package in order to disguise its signature. Originally taken as unique variants its now recognized as a masking program added to a static exploit. It appears the Storm worm employed it to transmorph 1,500 times in the first weekend, while the Dref and Dorf worms have approx 6,000 signature variants within a period of a month.
http://www.itnews.com.au/newsstory.aspx?CIaNID=46701&src=site-marq
-{ Quote: "On top of the disguises, HckPk has another trick up its sleeve. It also contains an encryption module so when a virus writer basically slips it on his piece of malware, HckPk hides the malicious part of the code from the antivirus programs that are scanning for it.
"It not only puts a disguise on these things, but it turns the code into gobbledygook," says Cluley. "We have to unravel it before we do anything else."
Because of its unique capabilities and its prevalence in the Wild, HckPk leads Sophos' Top 10 Malware List for February. " }-
http://www.itnews.com.au/newsstory.aspx?CIaNID=46701&src=site-marq
-{ Quote: "On top of the disguises, HckPk has another trick up its sleeve. It also contains an encryption module so when a virus writer basically slips it on his piece of malware, HckPk hides the malicious part of the code from the antivirus programs that are scanning for it.
"It not only puts a disguise on these things, but it turns the code into gobbledygook," says Cluley. "We have to unravel it before we do anything else."
Because of its unique capabilities and its prevalence in the Wild, HckPk leads Sophos' Top 10 Malware List for February. " }-