Researchers Use Machines To Analyze Malware

← Back to Stories (view on slashdot.org)

Researchers Use Machines To Analyze Malware

Posted by ryuzaki0 on Saturday June 10, 2006 @11:21PM from the bugs-under-glass dept.

Krishna Dagli writes to mention a Register article about a mechanical process for analyzing malware. Using an automated system, researchers are able to more accurately classify the often randomly-named bots and viruses that plague us. From the article: "The researchers modeled a piece of malicious software as the series of actions that the software takes at the operating system level. Referred to as 'events' in a paper written by Lee and anti-malware program team manager Jigar Mody, the actions can include data copying, changing registry keys and opening network connections. The researchers then trained a recognition engine using an adaptive clustering algorithm - similar to self-organising maps - and classified a previously unseen subset of malware using the trained system. Using more clusters typically resulted in better classification. When the software samples were classified based on 100 events, accuracy fell below 80 per cent, while classification based on 500 and 1,000 events typically has accuracy rates above 90 per cent."

55 comments

Min score:

Reason:

Sort:

The future is now by Umbral+Blot · 2006-06-10 23:26 · Score: 4, Insightful

Obviously solutions like this will be the way of the future, combined with a finer grained permission system. I just hope you can manually exempt programs. For example bittorrent opens a lot of network connections, and copies a lot of data around; I could see a tool such as this reasonably coming to the conclusion that it was malware. I am also curious if their system could defeat a rootkit, which will do its best to hide its activity and existence almost completely from the system.

--

Philosophy.
1. Re:The future is now by Anonymous Coward · 2006-06-11 00:01 · Score: 0
  
  It would seem to me that malware has to report to some IP addrss on the internet ,
  Why cant that IP be traced and the reciprt of the information sued ?
  
  What is the pupose of Malware ?
  If not viral. , it must report to some IP that is traceable,
  for example, I get some malware, and open my routers packet log, and see it's communication with Some IP
  Why cant I just sue the owner of that IP?
  I'm not a lawwer, but i dont see why people dont do that certainly the communication can be traced
2. Re:The future is now by ciroknight · 2006-06-11 00:18 · Score: 2, Funny
  
  New classification system eh? Sounds good to me...
  
  "Pandavirus/2006Tokyo is in Domain Malware, Kingdom Microsoft, Phylum Spyus Maximus, Class Claria, Order Adicus Wearicus, Family Panda."
  
  --
  "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
3. Re:The future is now by bmo · 2006-06-11 00:18 · Score: 4, Insightful
  
  "Why cant I just sue the owner of that IP?"
  
  Because the owner of the IP is not always the originator of the malware, but a victimized third party? Ya think? Haven't you ever looked at your phishing spam URLs?
  
  Only a seriously stupid criminal would illegally collect information at a machine that he owns himself.
  
  That said, the prisons are not full of geniuses.
  
  --
  BMO
4. Re:The future is now by Zeinfeld · 2006-06-11 03:58 · Score: 1
  
  Obviously solutions like this will be the way of the future
  Mechanical? Why mechanical? I thought we had left the Babbage era approach behind when they invented the transistor.
  Whats wrong with electricity?
  
  --
  Looking for an Information Security student project suggestion?
  Try http://dotcrimeManifesto.com/
5. Re:The future is now by TCM · 2006-06-11 04:39 · Score: 1
  
  I just hope you can manually exempt programs.
  
  "Attention! Program X requires blah bla blah. To do that blah blah blah. Do you really want to blah blah blah?"
  
  *90% of users click yes* There, malware exempted. Those people who get malware[1] in the first place won't be helped by this at all.
  
  [1] The open-this-attachment-to-get-owned type, not the Windows-is-a-piece-of-shit-automatically-owned type.
  
  --
  Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
6. Re:The future is now by swillden · 2006-06-12 03:39 · Score: 1
  
  For example bittorrent opens a lot of network connections, and copies a lot of data around; I could see a tool such as this reasonably coming to the conclusion that it was malware.
  The RIAA and MPAA would agree with that conclusion.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Advantages? by bsdluvr · 2006-06-10 23:27 · Score: 4, Insightful

Does this new classification method really have any advantages for the average user? I'm sure most people just want to keep their systems malware-free, and could care less about the names of the individual threats.
1. Re:Advantages? by Aneurysm · 2006-06-10 23:33 · Score: 3, Insightful
  
  If you can group malware threats together it may be easier/quicker to come up with methods to remove them. Common system actions probably means common steps to get rid of the malware. Also, having a database of actions that a piece of malware takes when infecting a system could help identify an infection sooner. If you had an anti-malware package running on your computer and intercepting reg key changes, directory creations etc. before they happened, it could step in to alert the user and eradicate the threat before it had even finished installing itself. Admittedly many people wouldn't want an anti-malware system constantly monitoring every API access, but if it was made transparent this is the sort of thing that would greatly benefit the less technically minded user.
2. Re:Advantages? by witte · 2006-06-10 23:45 · Score: 1
  
  This could be very useful.
  The thing is that the perception of human researchers is always skewed by assumptions and the human tendency to generalize any problem, based on incomplete data. (Useful in survival-of-the fittest scenarios, but potentially counterproductive when doing research.)
  Machines deal with facts, period.
  They may expose things we previously ignored or crammed into categories that don't really fit the bill.
  (Of course, if the data fed to the machine is presented in a form which has already been sorted/validated by a human researcher, the system is still tainted.)
  A finer-grained categorization can result in better tuned defenses against annoying/subversive crapware.
3. Re:Advantages? by Anonymous Coward · 2006-06-11 00:17 · Score: 0
  
  This sounds like a pattern analysis/heuristics type approach, similar to what some host based IDS systems use (I.E. Okena, did Cisco kill this or what?)
  
  Anyway, if you can *detect* the malware then you can build signatures to scan for it using simpler software like SAV, McAfee, Ad-aware, SpyBotS&D, pestPatrol and others assuming that the malware isn't so advanced that it can evade detection. (polymorphic code techniques, or whatever)
4. Re:Advantages? by kesuki · 2006-06-11 00:35 · Score: 1
  
  the distructive payload makes this malware a virus. Most malware simply has code to 'self destruct' the system if tampered with, disabled, or made unable to think it's able to access the internet.
  
  Afterall most malware are exploits meant to make money off peoples computers. either through ad revenues, bulk mail sending, or formation of a 'botnet' which can be used for a whole slew of possiblities. a few pieces of malware try to steal data so that you can become a 'victim' of internet crime, which is why certain hackers intentionally load malware, so that the government can montior all their packet data and catch the law breaking crooks, or shut them down before they do a lot of damage to 'innocent' users who don't know any better.
  
  In all my years on the internet I've learned that not every company that sends bulk mail is in the same class. We've got the opt-in bulk mailers, who focus on finding reasons for people to 'opt in' then we have the 'opt-out' companies who generate and use do-not mail lists. then we have the companies who just try to send so much stuff, that they can 'sucker' in everybody with all the fake offers, and scams.
  
  It certaintly makes the world more interesting that we have so many different types of people, but it costs a lot of money when the 'criminals' get away with millions from the crime. Right now america has possibly the least amount of fraud, because of all the attention that's been paid to it by the various federal agencies and the 'war' that this administration is waging against 'terror' because they feel that the companies stealing money are perhaps using that stolen money to fun terrorist operations. Considering most of the crime traces back to africa, and africa has a lot of ties to 'terrorist' networks, the administration is probabbly right that the money could be being used for that. although there is also a lot of poverty in africa, but i've always believed that poverty is just a state of mind.
  
  Even though i sometimes can get caught up on apperance, and wealth, but hey i grew up in america, which has the strongest economy in the world. So, to a certain extent that's to be expected. In my own personal life, with the exception of computers, i live very cheaply though. perhaps too cheaply, but that just means i've been less of a drain, since i haven't been getting paid other than the occasional odd job.
  
  --
  https://www.gnu.org/philosophy/free-sw.html
5. Re:Advantages? by cyber-vandal · 2006-06-11 04:11 · Score: 1
  
  i've always believed that poverty is just a state of mind.
  
  It's usually a state of not having enough resources to feed, clothe and house yourself (and your family if you have one). Now if you know a way for a person to think themselves out of that, you'll be the most revered man on the planet when you share it with the rest of us.
6. Re:Advantages? by happyemoticon · 2006-06-11 04:52 · Score: 2, Interesting
  Any mechanized approach to classifying malware is a good thing. I've heard anecdotally that the process of getting a program declared as a virus or malware is (or has been) as follows at major security firms:
  
  Client gets infected with virus.
  
  Client calls vendor when vendor's app refuses to clean it off.
  Vendor's tech support gradually escalates the ticket until somebody with half a brain gets ahold of the problem.
  
  Non-clueless support person dissects the malware and commits it to the week's definitions.
  
  Oh, and of course:
  
  Client's data is screwed.
  
  Of course, this is purely anecdotal, and as someone who's never been employed at one of these firms I have no firsthand experience. But I suspect it's something like this, or at the very least something which requires a screaming client and a lot of human effort.
  
  Also, a common thing to do with malware is to change a few lines of code here and there until a matching engine can no longer recognize it and then send it out again over the net. It sounds like their technology has the possibility of dealing with this as well, if it can intelligently sort together related infections. However, the guy who gets a virus first is still probably screwed - but it's an imperfect world.
7. Re:Advantages? by kesuki · 2006-06-11 06:21 · Score: 1
  
  That is the materialistic view. In the material sense, one can eat bugs and roots, drink stagnant water, sleep in a pile of filth... and no one could doubt that that is 'poverty' in the material sense. But I've seen some good documentaries of tribes in africa, and south america who were living that way. And while those films were heavily edited, but I didn't see people who were really 'living in poverty' so much as leading the happiest best lives they could given the available resource.
  
  Poverty is a state of mind my friend, much more so than the 'material' resource you have access to. you should read the book of job, just to understand where i'm coming from. that story does a far better job of explaining how poverty doesn't have to relate to the physical reality.
  
  --
  https://www.gnu.org/philosophy/free-sw.html
Really? by Anonymous Coward · 2006-06-10 23:36 · Score: 0

Researchers Use Machines To Analyze Malware

What? Really? Of course, I didn't read the summary yet.
Better classification means better naming by mrogers · 2006-06-10 23:45 · Score: 5, Funny

Now instead of obscure names like W32/worm.169/06A they can give them meaningful names like W32/fucks.your.harddrive.and.emails.itself.to.all. your.friends.169/06A.
1. Re:Better classification means better naming by bstrunk · 2006-06-11 01:17 · Score: 1
  
  At this point are we even sure that the classification system used is an effective one? If the malware is just being labeled as bad, more bad, and unbad, is classification really going to help anything?
  
  --
  --BSOBN--
2. Re:Better classification means better naming by JoshRoss · 2006-06-11 03:03 · Score: 1
  
  I would want to be sure that I was protected from any w32/*fucks*(hard drive|registry|media) virus, as a first step.
3. Re:Better classification means better naming by Anonymous Coward · 2006-06-11 03:54 · Score: 0
  
  Ah, so classification is useful for excluding detection of all slightly-less-dangerous threats.
One-sentence summary by cp.tar · 2006-06-10 23:52 · Score: 1

So, basically, we'll have another anti-virus-like program monitoring our systems.

Yay for the multi-core CPUs!

--
Ignore this signature. By order.
1. Re:One-sentence summary by ozmanjusri · 2006-06-11 00:15 · Score: 3, Insightful
  
  So, basically, we'll have another anti-virus-like program monitoring our systems.
  That's the most attractive option for the big malware prevention/removal companies, and is the most likely scenario in the near future.
  The opportunity this type of forensic analysis creates though, is that it exposes and classifies the methods the malware uses to insinuate itself into the host operating system. That means OS vendors can analyse the failure points of their products and harden them against the malware. At the moment, the two key problems with malware removal are
  1. Recognising its presence
  2. Removing the malware and returning the computer to a safe state
  If you minimise the number of places where programs can start at boot time and make any auto-starting program clearly visible and easily removable, for example, you will have made it easier for users to block or remove an infection and have reduced the motive for crackers to write the malware in the first place.
  It's also an example of why an OS vendor who also sells malware tools has such a dangerous conflict of interests.
  
  --
  "I've got more toys than Teruhisa Kitahara."
2. Re:One-sentence summary by jacksonj04 · 2006-06-11 00:20 · Score: 3, Interesting
  
  Is it worth having a core just to do background tasks like this?
  
  Since multicore systems are starting to take off, perhaps there should be a method for applications to flag themselves as 'supporting', and then have a seperate lower power core dedicated to 'supporting' applications such as AV, system monitors etc?
  
  --
  How many people can read hex if only you and dead people can read hex?
3. Re:One-sentence summary by Aneurysm · 2006-06-11 00:34 · Score: 1
  
  Only if you need it... Sensible users usually avoid malware infections, because they know the dos and don'ts of using the internet. Do use a firewall, don't run any screensavers you get by email. Do run regular security updates, etc.. These users won't need to use a resource sapping system monitor, it is the casual internet users who don't know about basic security that will. These users are also the type of users who won't mind running the program, because they don't need a 3gHz processor to run outlook and internet explorer anyway.
4. Re:One-sentence summary by cp.tar · 2006-06-11 04:41 · Score: 2, Insightful
  
  The point is, however, that malware mostly (ab)uses perfectly legal system instructions.
  
  Therefore, whatever it is that will be running in people's backgrounds, it will have to have a heuristic algorithm and monitor every single system activity.
  
  To abuse the good old car analogy, it's as if more and more safety measures were introduced in cars instead of teaching people to drive safely.
  Wait, where was I going with that one?
  
  Anyway, I do not want (at the times when I'm using Windows) another program which will protect me some of the time and hog resources all of the time.
  
  But to discuss one of your points:
  If you minimise the number of places where programs can start at boot time and make any auto-starting program clearly visible and easily removable, for example, you will have made it easier for users to block or remove an infection and have reduced the motive for crackers to write the malware in the first place.
  Now, that I can't really agree with.
  People mostly do not write malware as a programming exercise or 'because they can'.
  The romantic days of great hackers seem to be long past.
  The reason people do write malware is, as /. meme goes, 4) Profit!!!1one
  You may make it more difficult, but as long as the motive is plain and simple profit, the motive will remain.
  
  --
  Ignore this signature. By order.
5. Re:One-sentence summary by ozmanjusri · 2006-06-11 15:01 · Score: 1
  
  The point is, however, that malware mostly (ab)uses perfectly legal system instructions.
  Yes, that IS the point. And what that means is that by analysing which of those system instructions are being abused and how, you can redesign the system to resist the attacks better. In Windows, for example, the \HKLM\...\Run: registry entries, WINDOWS\Prefetch, etc are the most common points for malware to hook into to ensure they are loaded at starup. Make it easier to protect and clean those areas and you'll eliminate a whole class of malware.
  The reason people do write malware is, as /. meme goes, 4) Profit!!!1one
  You may make it more difficult, but as long as the motive is plain and simple profit, the motive will remain.
  Yep absolutely, but the point I was making was that most of the profit requires the malware to remain on the victims' computers for a significant period. If OS vendors make their products easy to clean, there's less profit, and therefore less motive.
  
  --
  "I've got more toys than Teruhisa Kitahara."
6. Re:One-sentence summary by cp.tar · 2006-06-11 18:59 · Score: 1
  
  If OS vendors make their products easy to clean, there's less profit, and therefore less motive.
  
  Not exactly.
  
  As in medicine, a bit of prevention is worth more than a... megabyte of repair.
  
  If OS vendors make their products more difficult to infect, now there we may see some improvement... for users, it seems, are not getting educated any better.
  
  --
  Ignore this signature. By order.
7. Re:One-sentence summary by GroinWeasel · 2006-06-11 23:19 · Score: 1
  
  Do you not see that as a huge admission of defeat? That you are _seriously_ suggesting a anti-virus/spyware CO-PROCESSOR?!?
8. Re:One-sentence summary by jacksonj04 · 2006-06-11 23:58 · Score: 1
  
  No, although AV/Spyware would be ones that use it. I was thinking more a co-processor for those things which sit around doing nothing but waste cycles, but which actually have a use. Update daemons, sync tools for PDAs, network monitors, backup and encryption tools etc.
  
  --
  How many people can read hex if only you and dead people can read hex?
Bugged? by Anonymous Coward · 2006-06-11 00:01 · Score: 2, Funny

I think the program is bugged, it keeps telling me that something called Windows is malware.
Hmm... by Ichigo+Kurosaki · 2006-06-11 00:26 · Score: 3, Funny

Researchers Use Machines To Analyze Malware

as opposed to punch cards?
90% isn't good enough by m874t232 · 2006-06-11 00:27 · Score: 3, Insightful

Attempts at classifying malware automatically have been around for a number of years. Trouble is: 90% isn't good enough--it's too many false alarms. You need something that works almost perfectly in order to deploy it on real machines.
Re:Bugged? Patch by Anonymous Coward · 2006-06-11 00:28 · Score: 0

http://www.linux.org/
Wow by ms1234 · 2006-06-11 00:29 · Score: 2, Insightful

Maybe it could be trained to categorize my socks?
1. Re:Wow by Joebert · 2006-06-11 04:15 · Score: 1
  
  count(socks) % 2 === 0 ? sort(socks) : kick(dryer);
  
  --
  Wanna fight ? Bend over, stick your head up your ass, and fight for air.
what is that new malware subset? by gbjbaanb · 2006-06-11 00:35 · Score: 2, Funny

and classified a previously unseen subset of malware using the trained system

automated systems determined that the new worm, W32.setup/install.exe is the most prevalent ever, due to the success of its social-engineering attack vector.
some rules by Anonymous Coward · 2006-06-11 01:18 · Score: 0

Rule 1: O/S weight={linux:1, windows:99}
Rule 2: Contains Sony copyright={no:0, Yes:90}
Rule 3: Changes Registry={no:0, yes:99}
"us" ???? by Wingsy · 2006-06-11 01:32 · Score: 4, Funny

"...bots and viruses that plague us" What's this "us" shit Kemosabe? I've never experienced any bots and/or viruses in the past 5 years or more. What kinda system are you running that has this affliction?

--
If I didn't have absolutely NOTHING to do, I wouldn't be here.
my 5 *cent* by Anonymous Coward · 2006-06-11 01:34 · Score: 0

this really struck my eyes:
"80 per cent, while classification based on 500 and 1,000 events typically has accuracy rates above 90 per cent."

shouldn't it be percent ?
1. Re:my 5 *cent* by rolfwind · 2006-06-11 03:32 · Score: 1
  
  No, you see, it's a pay as you go system. From the sentence you quoted, it should be obvious that for every cent you pay, they catch about 80 pieces of malware. Literally "80 per cent."
  
  Of course, I'm wondering if this is a pre-pay system or if they'll just deduct it monthly from my bank account, but either way it doesn't matter to me since I trust these guys (hey, they are in the anti-spyware biz, it's unlike the company will fleece me just for step 3). This will go nicely with my new MS security subscription service and my PC with MS-pay-as-you-go-OS.
I now present... the Polymorph by packetmon · 2006-06-11 02:44 · Score: 5, Insightful

After reading 12 of the 17 page MS document I shake my head... Some malware do not run properly in VM. Some packers are known to detect VM environment and prevent the file from normal execution. What about smarter polymorphs which change and adapt not to mention their analysis', tests, etc., did not include a full scope of what malware targets: "Runtime environment simulation is still primitive. For example, we have not implemented Instant Messaging or P2P applications/servers." Couple this with: "The biggest benefit is more rapid response to complex threats. As the synergy between viruses, Trojans, worms, rootkits and exploits grows, waiting for a solution becomes more dangerous." And lest I forget "This two-part article series looks at how cryptography is a double-edged sword: it is used to make us safer, but it is also being used for malicious purposes within sophisticated viruses. Part two continues the discussion of armored viruses and then looks at a Bradley worm - a worm that uses cryptography in such a way that it cannot be analyzed. (source). So what happens when malware writers get a clue and start creating their own forms of crypto to hide their actions. For any company to create a product whether its hardware or software based, they'd only be lying to a degree about their ability to detect complex threats no matter what engine their malware snoopers were using.

--
Infiltrated dot Net
1. Re:I now present... the Polymorph by Anonymous Coward · 2006-06-11 10:17 · Score: 0
  
  So what happens when malware writers get a clue and start creating their own forms of crypto to hide their actions.
  The MS paper is analyzing system calls (the so-called Native API in Windows). You cannot hide/obscure system calls at runtime, because the kernel has to decode them.
NO! by Anonymous Coward · 2006-06-11 03:22 · Score: 0

Cent is short for century, or centi, if you are of that orientation. 80 per 100 is correct. Percent is WRONG! as is your "5 cent" which should be 5 cents, or nickel if you are of that persuation. This is the way it is to-day. To-morrow things may, can, and will change. Return to your reader.
Curious...Curious... by Attis_The_Bunneh · 2006-06-11 03:35 · Score: 1

If you think about it, this is more to do with how folks that are paid to give us those fancy virus definition libraries than the average user, but end benefit is that all users at all levels will be able to handle these malware threats more specifically than just using random deletion methods. For example, I was an idiot got a keylogger onto my system [which isn't hard to do since it's a Bloze box...], but I haven't noticed any of my accounts being accessed as of yet, which of course I did change the passwords after I went back a version [I keep a clean copy of my system as a ghost CD...] on my system just in case. Either way, I notice that most anti-spyware/malware systems could not detect the keylogger, but my virus scanner could and it could not remove it. So, if these classification methods also lead to new methods of eliminating these threats, press on forward. ^_^

-- Bridget
You can already buy a product that does this by Anonymous Coward · 2006-06-11 03:44 · Score: 4, Informative

Internet Security Systems already provides a product that does this called "Proventia Desktop". Whenever the user tries to run a program, it first boots a virtual machine, runs the program, looks at all these behaviors (opening connections, setting itself as the Run entry in the registry, etc.). When the right combination of behaviors are detected, it marks it as malware and refuses to run it in the real machine. The entire process takes as much time as it would for anti-virus to scan it. It's about 99% effective, which means that it catches almost all 0-day viruses, but it will occasionally let something through (which is why you should probably also have traditional anti-virus as well).
Site mentioned by Anonymous Coward · 2006-06-11 05:05 · Score: 0

At the end of the article the Offensive Computing project is mentioned. The url is http://www.offensivecomputing.net. That site isn't trying to sell you anything, its more of a resource for forensic / incident response people to get infomation about malware they run across. Its not a tool you would run on your home computer either, more of a database of malware with some automated basic analysis and fingerprinting.
Computer security is not easy.... by zappepcs · 2006-06-11 05:29 · Score: 1

Computer security is not easy for businesses and more difficult for the average home user .... But it seems to me that as the price of hardware drops and home networks become more plentiful, we will see more 'appliances' that come described as routers/firewalls/proxies that run the appropriate software so that such programs can be detected by signiature before they get to your desktop. Though that would or might be another level of possible infection to home networks, it is still much stronger than a desktop system alone.

One of the things that I've not seen enough of yet is simply booting from CD into DSL or Puppy, and running ClamAV or other programs to route out any malware, virus, or other malicious software on your desktop.

I think that good security is not any single program or approach, but a combination of counter attacks. I think that this is a possible new approach to staying in the antivirus business despite MS attempt to get into that market space.

Read that as a home network with two desktops, served by a firewall/proxy running linux and appropriate software to screen data from websites, email, IM, etc. and tools that do not depend on the OS they are protecting to do the cleaning.

--
Support NYCountryLawyer RIAA vs People
The past is out future. by TeamSPAM · 2006-06-11 06:51 · Score: 2, Interesting

Back in the days when Macs had viruses (yes they do exist or existed), I was using a program called Gatekeeper. Instead of knowing about certain virus it monitored system activity and alerted you when virus type activity was happening. You the user would either deny or grant the action.

So given my experience with GateKeeper, the ideas of this malware detection seem obvious. Why did it take this long to apply these ideas to windows malware? Is the problem commerical anti-virus software? They prefer you to keep paying for updates, instead to shut down potential malware until they software knows about it?

--
Brought to you by Team SPAM! where we believe: "Information in the noise!"
Steampunk Anti-Virus by Anonymous Coward · 2006-06-11 19:59 · Score: 1, Funny

>a mechanical process for analyzing malware.

Do you mean it is steam or internal combustion powered? Based on a huge Babbage differential engine, programmed with cards in Lady Ada language? It must be since it is mechanical! The MODUS, a stack of most advanced cards for automated malware analysis is the subject of an international conspiracy. And the London smog gets denser every day.
Wisdom follows, pay attention! by Anonymous Coward · 2006-06-11 20:21 · Score: 0

>a worm that uses cryptography in such a way that it cannot be analyzed

That means nothing. To execute it has to decode itself. AV companies use machines with "Windows checked/debug build" installed that replicates every single instruction over RS232 or USB to another identical machine, so you can see the tiniest detail as you wish. Many AV companies also own factory-rigwired confidental samples of Intel CPUs, which dump instruction execution in plain view, much like a lie detector for CPU or the bit-switch engineering consoles on 1960's era mainframes.

Of course lesser funded, non-commerical, NDA-handicapped entities like ClamAV do not possess these resources, so they may be in trouble.

Do not believe all hype you read in newspapers. Everything written by a human can be cracked by a human, plus AV researchers are better educated than hackers and VXers.