Symantec Maximum Repair (SMR) is a brand new security engine that drives our new Norton Power Eraser recovery tool. It combines aggressive heuristics and advanced removal capabilities to combat the newest and toughest threats. I thought I would share with you some of the background on why we developed this new engine.

Why the need?

The threat landscape has radically changed over the last few years and that has driven the need for new approaches to protection. Most notable are the following trends:

• A new micro distribution model for malicious threats. A couple of years ago, the norm was to see relatively few threat variants distributed to millions of users.  Today, hackers have moved to a micro-distribution model where millions of variants are created and distributed far and wide to very small numbers of victims. In fact it is not unusual today for most victims to get an infection that is unique to their machine.  Last year alone, Symantec identified 240 million new threat variants but less than 200 actual new threat families.  Hackers are generating these variants in high volume by taking pre-existing threats and packing or encrypting them by using packer kits and custom encryptors, sometimes as often as on a per-download basis.  Fake AVs are also being rapidly rebranded with minor cosmetic changes in order to avoid recognition.

• Advanced Rootkits. Another major change in the threat space is the increased use of advanced rootkit techniques.  With profit as an incentive, more and more hackers are willing to push the difficult boundaries of rootkit development and deployment.  This can be seen most recently in the spread and evolution of Backdoor.Tidserv and W32.Stuxnet.

• Fake Antivirus. The last few years have seen a proliferation of Fake Antivirus scams.  Stealthily installing a Fake AV on an unsuspecting user’s machine has become a highly lucrative “business”, and hackers are using every tool at their disposal to avoid detection in order to maximize profits.  Successful distributors can make an average of $130 a day so it’s no wonder that the threat space has moved to infections involving the installation of Fake AVs.  These infections are often multi-layered and difficult to remove as a whole.  They often consist of Fake AV components, Trojans that download the Fake AVs, and rootkits that keep the Trojans hidden.  While some components are easy to spot and remove, such as the Fake AV GUI, leaving any infection components behind leaves the system vulnerable to be re-infected. 

This new and evolving landscape has created a window of opportunity where extremely aggressive threats can infect customers before antivirus suites can provide full protection.

Meeting the challenge

We designed the new heuristic based SMR engine to close this window and stay abreast of the ever-changing threat space.  Key design elements of SMR include:

• A nimble and easily updatable engine. Since the threat space is always changing in order to evade security suites like our own Norton products, we wanted to provide a tool that can be easily updated as well.  We started by gathering attributes and data points from thousands of threat families in order to build and tune a broad detection net.  This is net is constantly tuned using data gathered from the field so that when the threatspace moves away from Fake AVs, SMR will evolve and be in position to protect against the next scam.  Changing trends in the threat space such as rebranding Fake AVs are easily handled with a definitions update, and having a rapid development cycle means we can react to major changes in infection and rootkit vectors like the .lnk exploit used by the Stuxnet family. 

• Able to target infections in their entirety. From the downloaders to the payloads and the rootkits that hide them, today’s infections are complex, utilizing multiple components to orchestrate a profitable outcome for the hackers.  SMR is tuned to detect and remove these risks by looking for behavioral patterns such as displaying scareware messaging.  More importantly, SMR is tuned to detect the Trojan that got the Fake AV on your system in the first place, as well as the rootkit that’s hiding it.  We do this by looking at the evasion techniques modern malware use, such as distributing threats in small numbers, utilizing packers and encryptors, and hiding files and registry keys by using rootkits.

• Aggressive detection techniques: One of the challenges that security companies face as threats evolve is the risk of false positive detections. For this reason, sometimes the most aggressive detection techniques cannot always be used. Because SMR is used in a standalone tool reserved for those situations where a machine is very infected it allows us to be more aggressive in our detection and repair actions. SMR utilizes multiple new heuristic engines and data analysis points in order to detect a broad range of threats.  These include packer heuristics, load point analysis, rootkit heuristics, behavioral analysis, distribution analysis, and system configurations monitors.  Data-driven algorithms use this information to detect zero-day threats and once found, the SMR engine removes the threats early in reboot so they don’t have a chance to protect or repopulate themselves.   

So, if you are infected with a threat, Fake AV or otherwise, give Norton Power Eraser (which is powered by the SMR engine) a shot and let us know what you think.  Your feedback is welcome and will help make this free tool more effective against today’s toughest malware.