The Art of War and Malware Immunity

Eduardo Altares, Sr. Threat Analysis Engineer, Symantec

Jason Pantig, Sr. Threat Analysis Engineer, Symantec

The classic military treatise “The Art of War” tells us that if we know our enemy and we know ourselves, we will not be imperiled in a hundred battles. We have heard its principles applied to online security before. In the digital world it is just as important to know our enemies, and here the enemy is malware.

Sun Tzu also tells us that it is more important to outthink the enemy than to outfight him. Part of knowing our enemy involves malware analysis, or reverse engineering, which can reveal the enemy’s weaknesses so that we can make ourselves immune. The concept of malware immunity is not new; it is a form of hardening that makes a malware attack benign: the malware terminates on its own.

This paper will revisit the idea of malware immunity and enumerate primitive yet effective immunity objects, such as adding malicious domains to the local hosts file and keeping USB drives worm-free by placing an Autorun.inf folder on them.
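The two immunity objects named above, worked through as an added example in Python (this is not the authors' code and the paper describes no tool): the hosts-file part merges sinkhole entries idempotently, skipping domains that already resolve somewhere in the file, and the USB part creates an Autorun.inf directory at a drive root, refusing to touch a pre-existing Autorun.inf file so that a possibly malicious file gets inspected rather than silently replaced. The domain names, the sample hosts text and the 0.0.0.0 sinkhole convention are constructed assumptions; the real hosts path on Windows is %SystemRoot%\System32\drivers\etc\hosts and writing to it needs administrator rights, which is why the demo below only works on in-memory text and a temporary directory.

```python
"""Plant two 'immunity objects': hosts-file sinkhole entries for malicious domains
and an Autorun.inf *folder* on a removable drive (an autorun worm cannot create its
own Autorun.inf file if a directory of that name already occupies the root).
Added example, not the paper's code. Domains and paths are placeholders."""
import os
import tempfile

SINKHOLE_IP = "0.0.0.0"               # resolves nowhere; avoids a connect to localhost
IMMUNITY_TAG = "# malware-immunity"   # marks our lines so they can be found and removed

# Constructed sample: a small hosts file and a block list (one entry is a duplicate,
# one has a trailing dot, one differs only in case).
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
0.0.0.0 already-blocked.example
"""
BLOCKED_DOMAINS = ["c2.bad.example", "Already-Blocked.example", "update.bad.example."]


def merge_hosts_entries(hosts_text: str, domains) -> str:
    """Return hosts_text with one sinkhole line per domain not yet present.

    Idempotent: a domain that already appears as an active (uncommented) name,
    whatever IP it maps to, is left alone so existing entries are never duplicated."""
    existing = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()     # drop comments, keep "ip name [name...]"
        if len(fields) >= 2:
            existing.update(name.lower() for name in fields[1:])
    added = []
    for domain in domains:
        domain = domain.strip().lower().rstrip(".")  # normalise case and trailing dot
        if domain and domain not in existing:
            added.append(f"{SINKHOLE_IP} {domain} {IMMUNITY_TAG}")
            existing.add(domain)
    if not added:
        return hosts_text
    out = hosts_text if (not hosts_text or hosts_text.endswith("\n")) else hosts_text + "\n"
    return out + "\n".join(added) + "\n"


def immunize_removable_drive(drive_root: str) -> str:
    """Create an Autorun.inf directory at drive_root and report what happened.

    Returns 'immunized', 'already-immune', or 'autorun-file-present'. An existing
    Autorun.inf *file* is deliberately not deleted: it may be a vendor's or a worm's,
    and either way an analyst should look at it before it is removed."""
    target = os.path.join(drive_root, "Autorun.inf")
    if os.path.isdir(target):
        return "already-immune"
    if os.path.lexists(target):
        return "autorun-file-present"
    os.mkdir(target)
    return "immunized"


if __name__ == "__main__":
    print(merge_hosts_entries(SAMPLE_HOSTS, BLOCKED_DOMAINS))
    fake_drive = tempfile.mkdtemp(prefix="usb-")     # stands in for a removable drive root
    print(immunize_removable_drive(fake_drive))      # immunized
    print(immunize_removable_drive(fake_drive))      # already-immune
```

Run it as a script to see both helpers against the constructed inputs; to apply it for real, read the hosts file into `merge_hosts_entries`, write the result back with elevated rights, and pass the drive letter (for example `E:\`) to `immunize_removable_drive`.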

We will show how malware has used infection markers to prevent reinfection, and how that technique can be turned around and applied as a file infection marker and as a system infection marker. We will discuss system conditions that make the malware unwilling to deploy its payload. We will show several ways a piece of malware checks whether it is running in a targeted country and terminates if it is. We will list anti-virtual machine (VM) techniques and how these could be used to prevent malware from running on computers.

Moreover, we will tackle ransomware and present other kill switches that we found for some known families such as Cerber, Locky, Sage, and Spora, and then share a simple trick that could be useful against most ransomware that does not infect Russia. We will also show how malware fights back once it knows that infection markers are being used against it. Finally, we will discuss how users can make their computers immune to some threats, and other future applications.

Eduardo Altares: Eduardo joined Symantec in 2015 with ten years of experience in reversing malware. He previously worked for Trend Micro and has made sporadic appearances at AVAR. He now focuses on researching botnets, learning the whole malware infection chain and creating protection where applicable. When not facing his work computer, he likes to travel, go backpacking, play with dogs and read books.

Jason Pantig: A Senior Malware Researcher with Symantec. Previously worked at Trend Micro Inc. as an Antivirus Engineer, with 12 years’ experience in reverse engineering applications and managing computer and network security. In my spare time, I enjoy playing online games, basketball, repainting/customizing and taking pictures of my action figure collection, photography and hanging out with friends.