
December 11, 2005

Microsoft's Dynamic Translation Technology

The first code emulators appeared in antivirus programs some 12 years ago, mainly to deal with the increasing number of polymorphic viruses, which were created in the first place to defeat simple signature-based scanners. If memory serves me well, the first products to use emulation to detect and disinfect polymorphic viruses were Frans Veldman's TBAV, Dr Solomon's AntiVirus and Fridrik Skulason's F-PROT. While almost every serious antivirus program nowadays contains a code emulator, there have been few advances in this area during the past decade.

A notable development in this regard was presented at the Virus Bulletin 2005 Conference, by Adrian "Step" Stepan, from Microsoft.


The paper is available from Virus Bulletin's website, or even directly from MS:

Defeating_Polymorphism_White_Paper.pdf

The idea is not new, actually; there are already some companies out there claiming similar implementations, available today on the market in their products. So, why all the fuss?

As explained in the paper, Dynamic Translation ("DT" for short) is an interesting way to speed up antivirus products: instead of decoding and interpreting every guest instruction each time it executes, a block of the sample's code is translated once, cached and re-run from the cache, so tight decryptor loops no longer pay the interpretation cost on every iteration. The application of this technology is not, however, limited to direct emulation of malware. A far better use is to generically unpack unknown compression / encryption schemes, greatly reducing the amount of work an AV company needs to put into producing dedicated unpacking code. Of course, there are AV companies out there which do not bother handling every packer that falls into their hands, but it is also true that there is a small bunch of elite companies which take apart any compression or encryption tool that happens to arrive in their labs.
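As an added illustration (not code from the paper, from Microsoft or from any product), the toy Python emulator below shows both points of the paragraph above on an invented 3-byte instruction set: a block-caching "dynamic translation" loop that decodes each basic block once and reuses the translation on every later execution, and generic unpacking, where the engine runs a sample's decryptor until control lands on bytes the sample itself wrote, then scans emulated memory instead of the file on disk. The ISA, the two sample variants, the XOR keys and the `BADPAYLOAD` signature are all constructed for the demo.

```python
"""Toy emulator: block-caching dynamic translation plus generic unpacking.
The ISA, sample, keys and signature are constructed for this demo; this is
not the engine described in the paper."""
from typing import Callable, Dict, List, Set, Tuple

MEM_SIZE = 256
# Invented ISA: every instruction is 3 bytes "opcode a b"; four 8-bit registers r0..r3.
MOV, LOAD, STORE, XOR, INC, DEC, JNZ, JMP, HALT = range(1, 10)
BODY_ADDR = 0x20                                   # where the encrypted body lives
SIGNATURE = b"BADPAYLOAD"                          # constructed detection string
PLAINTEXT_BODY = bytes([HALT, 0, 0]) + SIGNATURE   # what the sample really carries


def assemble(prog: List[Tuple[int, int, int]]) -> bytes:
    return bytes(b for ins in prog for b in ins)


def make_sample(key: int) -> bytes:
    """One 'polymorphic' variant: a fixed decryptor loop plus an XOR-encrypted body."""
    decryptor = assemble([
        (MOV, 0, BODY_ADDR), (MOV, 1, key), (MOV, 2, len(PLAINTEXT_BODY)),
        (LOAD, 3, 0), (XOR, 3, 1), (STORE, 0, 3),  # loop at offset 9: mem[r0] ^= key
        (INC, 0, 0), (DEC, 2, 0), (JNZ, 2, 9),
        (JMP, BODY_ADDR, 0),                       # jump into the decrypted body
    ])
    return decryptor.ljust(BODY_ADDR, b"\0") + bytes(b ^ key for b in PLAINTEXT_BODY)


class Emulator:
    def __init__(self, image: bytes, max_steps: int = 10_000):
        self.mem = bytearray(image.ljust(MEM_SIZE, b"\0"))
        self.regs = [0, 0, 0, 0]
        self.cache: Dict[int, Tuple[int, List[Callable]]] = {}  # block start -> (end, ops)
        self.written: Set[int] = set()   # guest-written addresses (write-then-execute tracking)
        self.decodes = self.steps = 0
        self.max_steps = max_steps       # budget: an unknown sample may never terminate
        self.unpacked_entry = None

    def _compile(self, op: int, a: int, b: int, nxt: int) -> Callable:
        """Translate one instruction into a callable that returns the next pc (-1 = halt)."""
        if op == MOV:
            def f(e): e.regs[a] = b; return nxt
        elif op == LOAD:
            def f(e): e.regs[a] = e.mem[e.regs[b]]; return nxt
        elif op == STORE:
            def f(e):
                addr = e.regs[a]
                e.mem[addr] = e.regs[b] & 0xFF
                e.written.add(addr)
                e._invalidate(addr)      # self-modifying code: stale translations must go
                return nxt
        elif op == XOR:
            def f(e): e.regs[a] ^= e.regs[b]; return nxt
        elif op == INC:
            def f(e): e.regs[a] = (e.regs[a] + 1) & 0xFF; return nxt
        elif op == DEC:
            def f(e): e.regs[a] = (e.regs[a] - 1) & 0xFF; return nxt
        elif op == JNZ:
            def f(e): return b if e.regs[a] else nxt
        elif op == JMP:
            def f(e): return a
        elif op == HALT:
            def f(e): return -1
        else:
            raise ValueError(f"undefined opcode {op:#x} at {nxt - 3:#x}")
        return f

    def _translate(self, pc: int) -> List[Callable]:
        """Decode one basic block (up to and including its control transfer) exactly once."""
        ops, cur = [], pc
        while True:
            op, a, b = self.mem[cur:cur + 3]
            self.decodes += 1
            ops.append(self._compile(op, a, b, cur + 3))
            cur += 3
            if op in (JNZ, JMP, HALT):
                break
        self.cache[pc] = (cur, ops)
        return ops

    def _invalidate(self, addr: int) -> None:
        for start, (end, _) in list(self.cache.items()):
            if start <= addr < end:
                del self.cache[start]

    def run(self) -> None:
        pc = 0
        while pc >= 0 and self.steps < self.max_steps:
            if pc in self.written and self.unpacked_entry is None:
                self.unpacked_entry = pc   # control reached code the sample wrote itself
            entry = self.cache.get(pc)
            ops = entry[1] if entry else self._translate(pc)
            for f in ops:                  # cached block: no decoding on re-execution
                self.steps += 1
                pc = f(self)


def scan(sample: bytes, signature: bytes = SIGNATURE) -> Tuple[bool, bool, Emulator]:
    """Signature on the raw file versus on emulated memory after the decryptor ran."""
    emu = Emulator(sample)
    emu.run()
    return signature in sample, signature in bytes(emu.mem), emu


if __name__ == "__main__":
    for key in (0x5A, 0xC3):   # two variants of the same family, different keys
        static_hit, emu_hit, emu = scan(make_sample(key))
        print(f"key={key:#04x} static={static_hit} emulated={emu_hit} "
              f"entry={emu.unpacked_entry:#x} executed={emu.steps} decoded={emu.decodes}")
```

Running it shows the raw-file signature missing both variants while the emulated scan catches both at the same unpacked entry point, and the decode counter staying far below the executed-instruction counter because the 13-iteration decryptor loop is translated once and replayed from the cache. Three things the toy keeps that a real engine cannot do without: a step budget (an unknown sample may loop forever), invalidation of cached translations when the guest overwrites them, and the write-then-execute heuristic that decides when unpacking is finished. A real DT engine translates into native code rather than Python closures, and would also have to cope with a block that modifies its own not-yet-executed bytes, which this demo does not handle.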

Coupled with a good, generic detection engine, a technology like DT could allow an AV company to jump into the elite boat without any special effort, even topping the detection charts published by institutions such as AV-Test.org or AV-Comparatives.

Of course, developing such a technology takes lots of resources, time and some of the best minds in the industry. And because Microsoft is not the only player in this arena, it will be quite interesting to see if the big fish goes out to eat the smaller, DT-enabled fish.

Posted by Costin Raiu at December 11, 2005 6:27 PM
