Abstract

2007 marked the resurgence of parasitic malware, an old technique in which malware is added to existing files on a system. Since then, blackhats have adapted the method, creating increasingly sophisticated viruses that continue to test the security industry. Simon Heron of Network Box explores the impetus for this revival. He examines in detail what has made hackers revert to such an old technique: how they are adding new elements to their code, why they target certain files, and how this malware propagates. With the trend for parasitic malware set to continue in 2008, he discusses what anti-malware vendors are doing to counter this burgeoning threat.

In late 2006, an old technique became popular again with the blackhats. They resurrected parasitic malware, a technique whereby malware is added to existing files on a system. The concept has been around since the eighties. One of the earliest viruses, Jerusalem, used parasitic techniques: it infected any .EXE file it could find, appending its own code to the file so that the code would run and deliver its payload. In 1989, the Datacrime virus infected one .EXE file and one .COM file each time it was run.

The era of macro viruses, email worms and other forms of delivery may have seen this technique die off for a while, but after re-emerging in 2006 this form of malware flourished. McAfee Avert Labs identified 150 new variants of the parasitic malware families Philis and Fujacks. New viruses using this technique were also discovered, such as Grum-A, and it seems that the technique has made a comeback. While this form of malware accounts for only around 10% of all malware, it is the sophistication of these viruses that makes them worthy of closer examination.
