When virus authors use packers to obfuscate and encrypt their new worm or bot, they have two goals in mind: eluding detection by antivirus products, and making it much harder for virus researchers and reverse engineers to unravel how their malware works, so that detection signatures take longer to create in the first place.
Let me pose it this way: It's a hot summer day, and you're drinking a beer at the beach. People are having fun and relaxing. Suddenly, you see a person wearing a heavy coat. Is this suspicious?
Most likely that is not common behavior, and your answer is YES! Now, it does not necessarily mean that person is a terrorist, but it's not a bad idea to call the police.
In much the same way, if a gateway antivirus vendor collects and correlates information from clients (while filtering billions of email messages every day), "seeing" an executable email attachment that is "packed" arouses suspicion. This sample can be marked as suspicious and tested further.
For clarification, plenty of legitimate products use packers, so false positives will occur. For desktop antivirus, this heuristic is not a great idea.
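As an added illustration, not code from the original column or from any vendor's product, here is the gateway heuristic just described in Python: parse a mail, and for executable attachments measure byte entropy, a common proxy for packing or encryption. The extension list, the threshold and the sample messages are assumptions constructed for this example.

```python
import email
import math
import random
from email import policy
from email.message import EmailMessage

# Assumptions for this example: extensions treated as executable content, and the
# bits-per-byte level (maximum is 8.0) above which a body looks packed or encrypted.
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".com", ".pif")
ENTROPY_THRESHOLD = 7.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def suspicious_attachments(raw_message: bytes) -> list:
    """Return (filename, entropy) for executable attachments whose bytes look packed.
    This only *marks* a sample for further testing: legitimate packed products exist,
    so it is a triage signal for a gateway, not a verdict."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(EXECUTABLE_EXTENSIONS):
            continue
        entropy = shannon_entropy(part.get_payload(decode=True) or b"")
        if entropy >= ENTROPY_THRESHOLD:
            flagged.append((name, round(entropy, 2)))
    return flagged

def build_sample_message(attachments) -> bytes:
    """Constructed sample mail carrying the given (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "invoice"
    msg.set_content("see attached")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()

# Constructed inputs: a plain binary (long zero runs plus readable strings) and one whose
# body is seeded random bytes, standing in for a packed or encrypted payload.
PLAIN_EXE = b"MZ" + b"\x00" * 2000 + b"This program cannot be run in DOS mode." * 20
PACKED_EXE = b"MZ" + random.Random(1).randbytes(4096)
```

Running `suspicious_attachments(build_sample_message([("report.exe", PLAIN_EXE), ("invoice.exe", PACKED_EXE)]))` flags only `invoice.exe`; a `.txt` attachment with the same random body is ignored because the extension filter runs first.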
The goal of the smart attacker is to look like a normal user, much like a spy would try to appear inconspicuous. Many attackers are not smart. Bots are far from common users in their behavior.
Packers are a form of encryption, and encryption illustrates the same point. If you're a spy and want to send a message to your handlers by email, would you use encryption?
Encryption is a great tool, but using it also draws attention to you. In your organization, how likely is an attacker to identify important resources just by watching for encrypted traffic? In some cases, it may be better to stay obscure, in the background as noise, than to use encryption. Unfortunately, the same applies to malware authors: if a sample is new and therefore undetected by antivirus, leaving it unpacked may draw less attention than packing it.
Encryption is, indeed, a great tool, but it is not a cure-all. It requires a risk analysis on your part -- much like any other solution.
Even if you decide encryption is an added value by default, there are other uses for the concept it helped illustrate. Ask yourself: What do attackers mostly look like? Do they have something in common you should be looking for?
This is often referred to as anomaly detection, but you can use it not just in deep packet inspection but in daily operations -- much like looking for the guy wearing a heavy coat in the summer.
Knowing what your network looks like and what traffic is typical is the most basic and most critical element of corporate network security.
Two random examples of possible anomalies:
1. Should Web servers be talking to each other in the server farm?