Perfect Hide Out Spot: Attackers Now Hijacking Compilers

By Matthew Hines  |  Posted 2010-02-22 Print this article Print

Malware authors and distributors have been perfecting methods to hide the nature of their work for over a decade now, creating endless varieties of Trojans, backdoors and downloaders that appear to be one kind of program (think rogue AV), but of course turn out to be something far more ominous.

New evidence suggests, however, that cutting-edge malware creators are increasingly taking their obfuscation techniques to another level and manipulating program compiler runtime stubs, a method that essentially allows them to "hide in plain sight" by merely using attack delivery mechanisms that people and AV systems have not yet been programmed to look for.

Many popular attack obfuscation techniques have grown so widespread that they have in fact become practical to discover, contend researchers with SophosLabs. That's why the experts believe that they're seeing more threats being created that employ the compiler hijacking approach.

"Obfuscation is typically easy to spot (especially when the authors try very hard to make it difficult to analyze) and it is the likely reason why 'in plain sight' techniques are starting to make an appearance," said SophosLabs AU researcher Pete in a recent blog post.

One variation on the tactic that the researchers have observed coming into its own of late is for such attacks to divert a call to a program's constructor or initialization routine within a compiler-emitted stub and then point it at malicious code.

Since most AV programs and security analysts haven't typically been trained to look at compiler generated stubs, they'll likely never see the attack being played out, SophosLab experts submit.

The researchers ruminate that the move by some threatsters to adopt such new techniques is either a desperate ploy to circumvent the AV industry as it finds smarter ways to catch more traditional forms of malware, or perhaps a true sign of malware design evolution. It would seem likely that it is either and or both.

For, it seems likely with all of the money being generated by malware attacks, security is now a chess game, an arms race or whatever you want to call it. The attackers will keep looking for new ways to deliver their work as long as they've got computers and access to the Internet.

So, we should know now to expect more of this innovation aimed squarely at keeping the lights on across the world of cyber-crime. It's inevitable, in fact.

Follow eWeek Security Watch on Twitter at: eWeekSecWatch.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel