31 May 19, 05:43
Quote:
Have you ever wondered why computer viruses are called just that – ‘viruses’? Well, actually, today the word viruses is used somewhat misleadingly to refer to most ‘any type of malicious program, or is used to describe any bad thing that a program does to a computer’. I took that from our encyclopedia, btw.
However (still from our encyclopedia), ‘strictly speaking … a virus is defined as program code that replicates’ and spreads – much like a biological virus like, say, a flu virus does.
The strange thing is – viruses defined as such all but disappeared umpteen years ago out in the wild. These days it’s all about malicious programs that don’t so much replicate as have really nasty functionality that might steal data from a computer or totally wipe that data: for example, a Trojan. Yet still to this day, if you ask someone to put ‘computer security technologies’ into images, most often those images will show things like scientists in hazmats conducting quarantine shut-downs, test tubes in hand – though those are only needed when dealing with biological viruses.
So, you get it: computer viruses have died out. But the methods of analysis that were used for their detection and disinfection (eek: one more faux-import from the microbiology world!) remained, kept developing, and are still to this day helping tremendously in the fight against modern-day malware. One such ‘old school’ technology is the emulator.
Briefly, emulation is a method for uncovering previously unknown threats, whereby a file that’s acting suspiciously (unusually, atypically) is launched in a virtual environment (‘emulated’ environment) that imitates a real computer. Once there, the antivirus* observes the behavior of the file (on the fly; more on this later on) and if it finds any dangerous activity, it isolates it for further investigation.
Can you see the analogy with microbiological virology? Why inject a patient who may have a certain disease with a potent antidote with lots of side effects, when the patient may not have it at all? Better to emulate it in vitro and see what’s really afoot first; then administer the appropriate medicine.
The main challenge though is the same as in microbiology: it’s crucial to make the emulated environment resemble a real one as closely as possible. Otherwise malicious files might realize it’s a set-up and act all innocent as a consequence. Well, we’ve been doing emulation for several decades now, so – without any undue false modesty – we really are way ahead of the competition on this. We got this!
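The two ideas in the quoted post, judging a file by what it does when run in a fake machine, and the fake machine having to look real or the file behaves itself, can be shown with a toy emulator. The block below is an added illustration and is not Kaspersky's engine or any real antivirus code: the instruction set, the two "samples", the protected paths and the environment values are all constructed for the demo. Real emulators execute native machine code and model the OS; here a sample is a short list of tuples so the mechanism stays visible.

```python
"""Toy behavioural emulator (added illustration, not a real AV engine).

A "sample" is a constructed list of (op, *args) tuples standing in for a
suspicious executable.  run_sample() executes it against a FakeEnv, only
records the file and network side effects it asks for, and verdict()
classifies the run from that recorded behaviour instead of from signatures.
One constructed sample is evasive: it probes the environment first and only
misbehaves when the machine looks real, which is why a naive fake machine
lets it through while a realistic one catches it.
"""
from dataclasses import dataclass, field

# Demo assumptions: deleting under these paths, or writing under the system
# directory, is treated as destructive.
PROTECTED_PREFIXES = (r"C:\Windows\System32", r"C:\Users")
SYSTEM_DIR = r"C:\Windows\System32"


@dataclass
class FakeEnv:
    """What the emulated machine tells the sample about itself."""
    uptime_seconds: int
    cpu_count: int


@dataclass
class Trace:
    """Side effects the sample requested while being emulated."""
    events: list = field(default_factory=list)
    steps: int = 0


def run_sample(program, env, max_steps=1_000):
    """Execute a toy program and return its Trace.

    Nothing is touched on the host: file and network operations are only
    recorded.  max_steps bounds samples that loop or stall to outlast analysis.
    """
    regs, trace, pc = {}, Trace(), 0
    while pc < len(program) and trace.steps < max_steps:
        op, *args = program[pc]
        trace.steps += 1
        if op == "QUERY_UPTIME":            # environment probe
            regs[args[0]] = env.uptime_seconds
        elif op == "QUERY_CPUS":
            regs[args[0]] = env.cpu_count
        elif op == "JUMP_IF_LT":            # branch when reg < value
            reg, value, target = args
            if regs.get(reg, 0) < value:
                pc = target
                continue
        elif op in ("WRITE_FILE", "DELETE_FILE", "CONNECT"):
            trace.events.append((op, args[0]))
        elif op == "EXIT":
            break
        else:
            raise ValueError(f"unknown op {op!r}")
        pc += 1
    return trace


def verdict(trace):
    """Classify a trace by behaviour, not by what the sample looks like."""
    for op, target in trace.events:
        if op == "DELETE_FILE" and target.startswith(PROTECTED_PREFIXES):
            return "malicious"              # destroying user or system files
        if op == "WRITE_FILE" and target.startswith(SYSTEM_DIR):
            return "malicious"              # tampering with the OS
    if any(op == "CONNECT" for op, _ in trace.events):
        return "suspicious"
    return "clean"


def analyse(program, env):
    return verdict(run_sample(program, env))


# Constructed sample 1: an overt wiper that phones home.
OVERT_SAMPLE = [
    ("DELETE_FILE", r"C:\Users\victim\Documents\report.docx"),
    ("CONNECT", "203.0.113.7:443"),
    ("EXIT",),
]

# Constructed sample 2: same payload, but it first checks whether the machine
# booted less than ten minutes ago or has a single CPU, treats either as an
# analysis box, and jumps to a harmless branch (index 7) if so.
EVASIVE_SAMPLE = [
    ("QUERY_UPTIME", "r0"),                                     # 0
    ("JUMP_IF_LT", "r0", 600, 7),                               # 1
    ("QUERY_CPUS", "r1"),                                       # 2
    ("JUMP_IF_LT", "r1", 2, 7),                                 # 3
    ("DELETE_FILE", r"C:\Users\victim\Documents\report.docx"),  # 4
    ("CONNECT", "203.0.113.7:443"),                             # 5
    ("EXIT",),                                                  # 6
    ("WRITE_FILE", r"C:\Temp\readme.txt"),                      # 7
    ("EXIT",),                                                  # 8
]

# Two fake machines: one that looks freshly provisioned, one that looks lived-in.
NAIVE_ENV = FakeEnv(uptime_seconds=0, cpu_count=1)
REALISTIC_ENV = FakeEnv(uptime_seconds=3 * 24 * 3600, cpu_count=8)

if __name__ == "__main__":
    for name, sample in (("overt", OVERT_SAMPLE), ("evasive", EVASIVE_SAMPLE)):
        for env_name, env in (("naive", NAIVE_ENV), ("realistic", REALISTIC_ENV)):
            print(f"{name:8s} sample in {env_name:9s} env -> {analyse(sample, env)}")
```

The overt sample is caught in either environment because the verdict depends only on the recorded side effects. The evasive sample is missed by the naive environment (zero uptime, one CPU) and caught by the realistic one, which is the point of the post's last paragraph: the detection logic is the same, only the fidelity of the fake machine changed.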