How malware authors evade antivirus detection


To keep their malware out of the hands of vendors and researchers, cybercriminals actively experiment with quality assurance (QA) processes whose objective is to increase the probability that a campaign propagates in the wild without being detected.

One such technique is the use of offline multi-antivirus scanning interfaces, which give the cybercriminal some assurance that a malicious program will go undetected by the bundled engines before the campaign is launched in the wild. Because the scan runs offline, the sample is never submitted to the vendors whose engines are being tested.

In the wild since 2006, Kim’s Multiple Antivirus Scanner is still actively used by cybercriminals who want their malicious software pre-scanned against the signature-based engines of multiple antivirus vendors.

Let’s review Kim’s Multiple Antivirus Scanner and discuss why it is an important tool in the arsenal of the cybercriminal spreading malware for profit.

Screenshots of the Kim’s Multiple Antivirus Scanner interface:

It currently supports the following AV Engines:

  • Asquared
  • Avast
  • AVG
  • Avira
  • BitDefender
  • ClamWin
  • Dr. Web
  • eTrust
  • FProt
  • Ikarus
  • KAV
  • McAfee
  • NOD32
  • Norman
  • Norton
  • Panda
  • TrendMicro
  • Quick Heal
  • Solo
  • Sophos
  • VBA32
  • VirusBuster

Webroot SecureAnywhere isn’t included in the package. More importantly, a tool like Kim’s Multiple Antivirus Scanner only tests what a binary looks like on disk; it says nothing about the layered protection strategies found in products such as Webroot SecureAnywhere, namely behaviour-based blocking techniques that are signature-independent and judge the binary by what it does when it runs.

What’s worth pointing out is how cybercriminals have built this application around pirated versions of the included antivirus scanners. Kim’s Multiple Antivirus Scanner can easily change the sensitivity of the heuristic engines built into the bundled antivirus software, but its primary purpose is to pre-scan a malicious binary against the most recently updated signature databases of all vendors, in order to ensure that it bypasses signature-based scanning.
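The gap between the two kinds of detection discussed above can be shown with a small model. The following is an added example written for this page, not the scanner’s code or anything from the author: three imaginary engines with constructed byte signatures, a constructed “sample”, and a toy XOR stub standing in for a packer. The QA loop does what the text describes, retrying the packer until every static engine reports nothing, while a behaviour-based check that looks at what the stub decodes at runtime still fires.

```python
"""Toy model: multi-engine signature pre-scanning versus behaviour-based
blocking. All engines, signatures, the sample and the stub are constructed
for this example; none of it is real antivirus data."""

# Constructed signature databases for three imaginary engines.
# Each maps a detection name to a byte pattern the engine looks for on disk.
ENGINES = {
    "EngineA": {"Toy.Downloader": b"GET /payload.bin"},
    "EngineB": {"Toy.Downloader": b"payload.bin"},
    "EngineC": {"Toy.Dropper": b"CreateProcess"},
}

# Constructed 'malware' sample: the cleartext behaviour the engines key on.
SAMPLE = (b"GET /payload.bin HTTP/1.1\r\n"
          b"Host: example.invalid\r\n"
          b"CreateProcess\r\n")

STUB_MAGIC = b"XSTUB"  # marker for the toy self-decoding stub (assumption)


def signature_scan(engine_name, blob):
    """Return the detection names whose byte pattern occurs in blob."""
    sigs = ENGINES[engine_name]
    return sorted(name for name, pattern in sigs.items() if pattern in blob)


def multi_scan(blob):
    """What an offline multi-scanner reports: engine name -> list of hits."""
    return {name: signature_scan(name, blob) for name in ENGINES}


def xor_pack(payload, key):
    """Wrap payload in a stub that XOR-decodes it when 'executed'."""
    encoded = bytes(b ^ key for b in payload)
    return STUB_MAGIC + bytes([key]) + encoded


def emulate(blob):
    """Model of what the file does when run: a stubbed file decodes its
    payload and hands back the bytes that would actually execute.
    A behaviour-based engine observes this, not the bytes on disk."""
    if blob.startswith(STUB_MAGIC):
        key = blob[len(STUB_MAGIC)]
        return bytes(b ^ key for b in blob[len(STUB_MAGIC) + 1:])
    return blob


def behaviour_scan(engine_name, blob):
    """Signature-independent check: apply the rules to the runtime
    behaviour (the decoded payload) instead of the file contents."""
    return signature_scan(engine_name, emulate(blob))


def qa_loop(payload, max_key=255):
    """The pre-scan QA described in the text: repack with successive keys
    until every static engine reports zero hits. Returns (key, packed),
    or (None, None) if no key evades all engines."""
    for key in range(1, max_key + 1):
        packed = xor_pack(payload, key)
        if not any(multi_scan(packed).values()):
            return key, packed
    return None, None


if __name__ == "__main__":
    print("static, unpacked:", multi_scan(SAMPLE))
    key, packed = qa_loop(SAMPLE)
    print("static, packed with key", key, ":", multi_scan(packed))
    print("behaviour, packed:",
          {e: behaviour_scan(e, packed) for e in ENGINES})
```

The point is the asymmetry: the packer only had to change the bytes on disk, so one pass of the QA loop defeats every static signature at once, but the decoded payload that reaches `emulate` is unchanged, so a check applied at runtime is unaffected by how many engines the sample was pre-scanned against.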

Piracy plays a crucial role in the dissemination of malware from another direction as well. Multiple reports confirm that, despite Microsoft’s efforts to slow the growth of AutoRun infections by issuing a dedicated patch, millions of home and corporate users continue to browse the Web on pirated Windows versions, where the Windows Genuine Advantage check prevents the installation of critical updates.

You can find out more about Dancho Danchev at his LinkedIn profile. You can also follow him on Twitter.

About the Author

Name: Dancho Danchev
Role: Retired ThreatBlog Member


Dancho Danchev is an internationally recognized security blogger, cybercrime researcher, and public speaker. He’s been an active security blogger since 2006, maintaining a popular security blog where he shares detailed analyses of the tactics, techniques, and procedures (TTPs) of malicious and fraudulent adversaries.

You can find out more about Dancho’s expertise and experience at his LinkedIn Profile, or at Wikipedia.

You can also follow him on Twitter, Google+ or Facebook.


Trackbacks

  1. [...] during 4Q11, 33 percent of Web malware encountered was zero-day malware — thanks to the quality assurance processes applied by cybercriminals aiming to ensure that their malicious executables don’t end up in the hands of security [...]

  2. [...] common for cybercriminals to apply basic quality assurance (QA) tactics to their campaigns. Next to QA, they also emphasize campaign optimization strategies allowing them to harness the full [...]

  3. [...] by the industry on a daily basis, it’s fairly logical to conclude that over the years, the bad guys have adapted to signature-based antivirus scanning protection mechanisms, and have achieved disturbing levels of [...]