January 18, 2012 | By Dancho Danchev

How malware authors evade antivirus detection

Aiming to ensure that their malware doesn’t end up in the hands of vendors and researchers, cybercriminals are actively experimenting with different quality assurance processes whose objective is to increase the probability of their campaigns successfully propagating in the wild without detection.

Some of these techniques include multiple offline antivirus scanning interfaces offering the cybercriminal a guarantee that their malicious program would remain undetected, before they launch their malicious campaign in the wild.

In the wild since 2006, Kim’s Multiple Antivirus Scanner is still actively used among cybercriminals wanting to ensure that their malicious software is pre-scanned against the signature-based scanning techniques offered by multiple antivirus vendors.

Let’s review Kim’s Multiple Antivirus Scanner, and discuss when it’s an important tool in the arsenal of the malicious cybercriminal spreading malware for profit.

Screenshots of the Kim’s Multiple Antivirus Scanner interface:

It currently supports the following AV Engines:

  • Asquared
  • Avast
  • AVG
  • Avira
  • BitDefender
  • ClamWin
  • Dr. Web
  • eTrust
  • FProt
  • Ikarus
  • KAV
  • McAfee
  • NOD32
  • Norman
  • Norton
  • Panda
  • TrendMicro
  • Quick Heal
  • Solo
  • Sophos
  • VBA32
  • VirusBuster

Webroot SecureAnywhere isn’t included in the package. Thankfully, tools like Kim’s Multiple Antivirus Scanner don’t take into consideration the multiple layered protection strategies introduced in popular applications such as Webroot SecureAnywhere, namely behaviour-based blocking techniques that are signature-independent.

What’s worth pointing out is how cybercriminals have managed to build this application around pirated versions of the included antivirus scanners. Kim’s Multiple Antivirus Scanner can easily change the sensitivity of the heuristic engines built into the antivirus software, but its primary goal is to pre-scan a malicious binary against the most recently updated signature databases of all vendors, in order to ensure that it will bypass signature-based scanning.
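The two paragraphs above make one defensive point: a “clean” verdict from a multi-engine signature pre-scan says nothing about signature-independent, behaviour-based blocking. The following toy model is an added example, not code from the original post or from any vendor named in it; the engines, byte-pattern signatures, sample bytes and runtime action trace are all constructed for illustration.

```python
"""Toy model of signature pre-scanning versus behaviour-based detection.
Every engine, signature, sample and trace below is constructed."""

# Constructed per-engine byte-pattern signatures, standing in for the vendor
# databases a multi-scanner checks a file against.
SIGNATURE_ENGINES = {
    "EngineA": [b"EVIL-PAYLOAD-MARKER"],
    "EngineB": [b"EVIL-PAYLOAD-MARKER", b"drop.dll"],
    "EngineC": [b"\xde\xad\xbe\xef"],
}

# Constructed behaviour rules: each fires when every listed runtime action is
# observed, regardless of which bytes the file contains.
BEHAVIOUR_RULES = {
    "autorun-persistence": {"write_file:removable:autorun.inf"},
    "run-key-persistence": {"write_registry:HKCU\\...\\CurrentVersion\\Run"},
    "spam-sending": {"connect:tcp:25", "send_mail"},
}

# Constructed samples: the original carries a known marker; the "variant"
# models a repacked build whose bytes no engine has a signature for yet.
SAMPLE_ORIGINAL = b"MZ...EVIL-PAYLOAD-MARKER...drop.dll..."
SAMPLE_VARIANT = b"MZ...\x01\x02\x03 repacked build, same logic ..."

# Constructed trace of what both builds do when run (same code, same actions).
SAMPLE_TRACE = [
    "create_process:cmd.exe",
    "write_file:removable:autorun.inf",
    "write_registry:HKCU\\...\\CurrentVersion\\Run",
    "connect:tcp:25",
    "send_mail",
]

def signature_scan(sample: bytes) -> dict[str, bool]:
    """Engine name -> whether any of its signatures matches, per-engine verdicts as a multi-scanner reports them."""
    return {engine: any(sig in sample for sig in sigs)
            for engine, sigs in SIGNATURE_ENGINES.items()}

def fully_undetected(sample: bytes) -> bool:
    """The 'guarantee' such a tool sells: no engine in the set matched."""
    return not any(signature_scan(sample).values())

def behaviour_scan(trace: list[str]) -> list[str]:
    """Names of behaviour rules whose required actions all occur in the trace."""
    return [name for name, needed in BEHAVIOUR_RULES.items()
            if needed <= set(trace)]

if __name__ == "__main__":
    for label, sample in (("original", SAMPLE_ORIGINAL), ("variant", SAMPLE_VARIANT)):
        print(label, "| signature:", signature_scan(sample),
              "| behaviour:", behaviour_scan(SAMPLE_TRACE))
```

The repacked variant passes the multi-engine pre-scan, yet the same behaviour rules fire on both builds because the runtime actions did not change.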

Piracy, on the other hand, plays a crucial role in the dissemination of malware. Multiple reports confirm that despite Microsoft’s efforts to minimize the growth rate of AutoRun infections by issuing a special patch for the purpose, millions of end users and corporate users continue browsing the Web using pirated Windows versions, which prevents the installation of critical updates thanks to the Windows Genuine Advantage wall.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.


10 Responses to How malware authors evade antivirus detection

  1. wow, that’s interesting. Don’t the other vendors in that list maintain “multiple layered protection strategies”? I think they all do.
    It seems that webroot is the only one that doesn’t have its own file scanner.

    • Other vendors may have multiple layered protection strategies, but there is a huge difference in the way Webroot SecureAnywhere scans for malware compared to other vendors. The antivirus engine behind Webroot SecureAnywhere uses a behavior-based system to analyze the way a piece of software works to determine if it’s bad or good, and ultimately determining if it should be allowed to run on your computer or not. This is significantly different than the traditional signature-based system that is used by other vendors included on the list in this article.

  2. Article is amazing. I’ve been with Webroot for 1 year and resubscribed for the 2 year thing. As a user I’ve had two attacks: one that cost me a computer and again was attacked after I installed the new 2012 version. I didn’t know I got attacked until I started receiving bounced emails I never sent and notes from friends. If so much is known by Webroot, how come I spend my time telling friends and such that I got attacked?

    • It sounds like you fell victim to a phishing attack. This could have been an email, social network post, IM or almost anything online that asked for you to input your login and password to an online site. Phishing attacks are meant to be deceptive so you don’t realize you’re actually entering your information into a fake site pretending to be a legit one. Once you’ve done this the bad guys have your login and password info and can use your account(s) to send out spam for their own cause. I’d suggest changing your online passwords using different passwords for EACH one and being sure to make them very complex.

