Why Cybercriminals Try to Combat Antivirus Software

In order to infect a computer with malicious software, cybercriminals must either:

  • Entice the user into launching an infected file or
  • Try to penetrate the victim’s computer – via a vulnerability within the operating system or any application software that’s running on the machine

At the same time, the more professional cybercriminals will also try to ensure their malware evades any antivirus software that’s running on the victim’s computer.

Techniques used in combating antivirus software

To increase the likelihood of achieving their objectives, cybercriminals have developed a range of techniques to try to combat the activities of antivirus software, including:

  • Code packing and encryption
    The majority of worms and Trojan viruses are packed and encrypted.  Hackers also design special utilities for packing and encrypting.  Every Internet file that has been processed using CryptExe, Exeref, PolyCrypt, and some other utilities, has been found to be malicious.
    In order to detect packed and encrypted worms and Trojans, the antivirus program must either add new unpacking and decoding methods, or add new signatures for each sample of a malicious program.
  • Code mutation
    By mixing a Trojan virus’s code with ‘spam’ instructions – so that the code takes on a different appearance, despite the Trojan retaining its original functionality – cybercriminals try to disguise their malicious software.  Sometimes code mutation happens in real time – on all, or almost all, occasions that the Trojan is downloaded from an infected website.  The Warezov mail worm used this technique and caused some serious epidemics.
  • Stealth techniques
    Rootkit technologies – that are generally employed by Trojan viruses – can intercept and substitute system functions, in order to make the infected file invisible to the operating system and antivirus programs.  Sometimes even the registry branches – where the Trojan is registered – and other system files are hidden.  The HacDef backdoor Trojan is an example of malicious code that uses these techniques.
  • Blocking antivirus programs and antivirus database updates
    Many Trojan viruses and network worms will actively search for antivirus programs in the list of active applications on the victim computer.  The malware will then try to:
    • Block the antivirus software
    • Damage the antivirus databases
    • Prevent the correct operation of the antivirus software’s update processes
    In order to defeat the malware, the antivirus program has to defend itself by controlling the integrity of its databases and hiding its processes from the Trojans.
  • Masking the code on a website
    Antivirus companies will quickly learn the addresses of websites that contain Trojan virus files – and their virus analysts can then study the content of these sites and add the new malware to their databases.  However, in an attempt to combat antivirus scanning, a webpage can be modified – so that, when requests are sent by an antivirus company, a non-Trojan file will be downloaded instead of a Trojan.
  • ‘Quantity’ Attacks
    In a Quantity Attack, large quantities of new Trojan versions are distributed across the Internet within a short time period.  As a result, antivirus companies receive huge numbers of new samples for analysis.  The cybercriminal hopes that the time taken to analyze each sample will give their malicious code a chance to penetrate users’ computers.
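
The integrity control mentioned under ‘Blocking antivirus programs and antivirus database updates’ can be sketched as follows. This is an added Python example, not code from the original article or from any antivirus product: it records a SHA-256 digest for each database file in an HMAC-authenticated manifest and reports modified, missing and unexpected files. The file names, the key and the function names are assumptions, and a vendor signature could replace the shared HMAC key used here.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large databases are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _mac(files: dict, key: bytes) -> str:
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(db_dir: Path, key: bytes) -> dict:
    """Record a digest per database file and authenticate the record with HMAC."""
    files = {p.name: file_digest(p) for p in sorted(db_dir.iterdir()) if p.is_file()}
    return {"files": files, "mac": _mac(files, key)}


def verify_databases(db_dir: Path, manifest: dict, key: bytes) -> list:
    """Return findings; an empty list means every database matches the manifest."""
    if not hmac.compare_digest(_mac(manifest["files"], key), manifest.get("mac", "")):
        return ["manifest: authentication failed"]  # trust no entry in it
    present = {p.name for p in db_dir.iterdir() if p.is_file()}
    findings = []
    for name, digest in sorted(manifest["files"].items()):
        if name not in present:
            findings.append(f"{name}: missing")
        elif file_digest(db_dir / name) != digest:
            findings.append(f"{name}: modified")
    return findings + [f"{n}: unexpected" for n in sorted(present - set(manifest["files"]))]


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: the real key is kept out of malware's reach
    with tempfile.TemporaryDirectory() as d:
        db = Path(d)
        (db / "base001.db").write_bytes(b"constructed signature set A")
        manifest = build_manifest(db, key)  # stored outside db_dir in practice
        (db / "base001.db").write_bytes(b"tampered")  # simulate damage to the database
        print(verify_databases(db, manifest, key))
```

The manifest itself has to live somewhere the malware cannot rewrite it together with the databases; if it fails authentication, the check refuses to trust any of its entries.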