How cybercriminals try to bypass antivirus protection
In today's world, antivirus software is a crucial aspect of security for endpoints including computers and servers, ranging from individual users to large organizations. Antivirus software provides a key defense against cyber threats but is not infallible. There are various techniques that cybercriminals use to bypass antivirus and evade malware.
How do antiviruses work?
The goal of antivirus software is to determine whether a file is malicious – and it needs to do this quickly to avoid impacting the user’s experience. Two widely-used methods that antivirus solutions use to search for malicious software are heuristic and signature-based scans:
- Heuristic-based scanning examines the function of a file, using algorithms and patterns to establish whether the software is doing something suspicious
- Signature-based scanning examines the form of a file, looking for strings and patterns that match known malware samples
Malware creators can choose to interact in two ways with antivirus – one is on disk and the other is in memory. On disk, a typical example would be a simple executable file. Antivirus has more time to scan and analyze a file on the disk. If loaded in memory, an antivirus has less time to interact and generally malware is more likely to execute successfully.
Limitations of antivirus
While antivirus software is a recommended way to keep systems secure, ultimately it does not make devices unhackable. A typical antivirus program uses a database of malware signatures made up of previously identified malware. Whenever a new malware sample is discovered, a digital signature for it is created and added to the database. This means that there is a vulnerable period between a new malware being circulated and antivirus programs updating their databases. During that time, malware has the potential to cause havoc. So, while antivirus software provides an added layer of security, they don’t mitigate threats entirely.
In addition, the number of operating system (OS) independent languages that can be used to write malware is increasing, which means a single malware program has the potential to impact a wider audience. As cyber threats become more sophisticated, antivirus programs must evolve to keep up. With hackers continuously evolving their techniques to bypass antivirus programs, and because of the complexity of today’s security landscape, this is a challenge.
Antivirus evasion techniques
To achieve their objectives, cybercriminals have developed a range of evasion techniques. These include:
Code packing and encryption
The majority of worms and Trojans are packed and encrypted. Hackers also design special utilities for packing and encrypting. Every internet file that has been processed using CryptExe, Exeref, PolyCrypt and some other utilities, has been found to be malicious. To detect packed and encrypted worms and Trojans, the antivirus program must either add new unpacking and decoding methods, or add new signatures for each sample of a malicious program.
By mixing a Trojan virus’s code plus spam instructions – so that the code takes on a different appearance, despite the Trojan retaining its original functionality – cybercriminals try to disguise their malicious software. Sometimes code mutation happens in real time – on all, or almost all, occasions that the Trojan is downloaded from an infected website. The Warezov mail worm used this technique and caused serious issues to users.
Rootkit technologies – that are generally employed by Trojans – can intercept and substitute system functions to make the infected file invisible to the operating system and antivirus programs. Sometimes even the registry branches – where the Trojan is registered – and other system files are hidden.
Blocking antivirus programs and antivirus database updates
Many Trojans and network worms will actively search for antivirus programs in the list of active applications on the victim computer. The malware will then try to:
- Block the antivirus software
- Damage the antivirus databases
- Prevent the correct operation of the antivirus software’s update processes
To defeat the malware, the antivirus program has to defend itself by controlling the integrity of its databases and hiding its processes from the Trojans.
Masking the code on a website
Antivirus providers quickly learn the addresses of websites that contain Trojan virus files – and their virus analysts then study the content of these sites and add the new malware to their databases. However, in an attempt to combat antivirus scanning, a webpage can be modified – so that, when requests are sent by an antivirus company, a non-Trojan file will be downloaded instead of a Trojan.
In a quantity attack, large quantities of new Trojan versions are distributed across the internet within a short time period. As a result, antivirus companies receive huge numbers of new samples for analysis. The cybercriminal hopes that the time taken to analyse each sample will give their malicious code a chance to penetrate users’ computers.
Zero day threats
Your antivirus program is updated regularly. This is usually in response to a zero-day threat. This is a malware evasion technique where a cybercriminal exploits a software or hardware vulnerability and then releases malware before an antivirus program can patch it.
This is a more recent method of running malware on a machine that doesn’t require anything to be stored on the targeted machine. Fileless malware operates entirely in the memory of the machine, allowing it to bypass antivirus scanners. Visiting an infected webpage does not deliver the malware directly. Instead, it uses a previously known vulnerability in a related program to direct the machine to download the malware to a memory region – and from there, it is executed. What makes fileless malware so dangerous is that once the malware has done its job or the machine is reset, the memory is wiped and there is no evidence that a criminal installed malware.
Phishing is one of the most common techniques that cybercriminals use to steal information. In a phishing attack, the attacker deceives victims by pretending to be a trustworthy or known source. If users click a malicious link or downloads an infected file, attackers may gain access to their network, and then steal sensitive information. Antivirus software can only detect known threats and is not reliably effective against new variants.
Antivirus software does not have access to operating systems which allow browser-based attacks to bypass them. These attacks infect your device by using malicious scripts and code. To prevent these attacks, some browsers include built-in defensive tools but must be used consistently and correctly to be effective.
Encoding the payload
Another technique through which malware bypasses antivirus scanners is by encoding the payload. Cybercriminals often use tools to do this manually and when the malware is delivered and activated, it is then decoded and does its damage. This is usually done via a small header program tacked onto the front of the encoded virus. Antivirus scanners don’t perceive this program as a threat and the encoded virus is simply seen as data. So when the header is triggered (for example, by being embedded into an existing executable), it will decode the malware into a memory region and then jump the program counter to that region and execute the malware.
How to protect against malware evasion techniques
Using antivirus software should be a core part of your overall cybersecurity strategy – but, as this article shows, businesses shouldn’t solely rely on it for cyber protection. To ensure optimal security, it’s best to invest in a multi-layered approach to cybersecurity. Additional tools you can use to keep cybercriminals out of your network include:
Encrypting devices ensures that no one can access the data they contain without the correct password or key. Even if a device is stolen or infected with malware, proper encryption can prevent unauthorized access.
MFA requires users to input more than one piece of information to access accounts, such as a time-sensitive code. This provides greater security than simply relying on password. This is particularly important if you have sensitive or personal information on devices or accounts.
Passwords are important to keep accounts and networks secure but it is critical to use strong passwords which are unique to each account. A strong password is at least 15 characters (ideally more) and is made up of a mix of upper- and lower-case letters, numbers, and symbols. Password managers can help you keep track – they are a secure vault for unique passwords and keep them safe from hackers.
Cyber security awareness training
With cybercrime on the rise, businesses should teach their employees about the risks associated with cyberattacks, as well as how to handle them if they occur. By educating users about the cyber threat landscape, you can help them to recognize suspicious activity such as phishing emails and so on.
Endpoint detection and response
An EDR solution monitors the behavior of the network and endpoints and stores these logs. EDR technologies can give security staff the data they need to understand the nature of a cyber attack, delivering automated alerts and endpoint remediation.
Cybercriminals don’t usually use one antivirus evasion technique alone. On the contrary: malware is designed to tackle different situations to maximize its chances of success. The good news is that the security community is vigilant, always learning about new antivirus and malware evasion techniques and developing new ways of prevention.
- What is endpoint security and how does it work?
- How malware penetrates systems
- Social engineering
- Malware classifications
- Choosing an antivirus solution