By David Balaban
Some present-day malware is sophisticated enough to slip under the radar of traditional defenses. Cybercriminals have plenty of time and resources on their hands to test their malicious code extensively, so that it gets around regular detection mechanisms and raises no red flags for days or even months.
Unfortunately, antivirus vendors are one step behind when it comes to identifying such high-profile infections. The payload for the Angler exploit kit, for instance, can go undetected on a targeted host for two days on average. This time frame is enough for the culprit to compromise the victim’s identity or deposit file-encrypting ransomware onto the computer.
Malware authors always stay on top of all updates rolled out by antivirus labs, so that they can modify their code and make it invisible to the latest version of the AV solution. Here are the most common ways that viruses trick and circumvent security tools.
A malicious sample codenamed Rombertik ships with a module that monitors whether it is being analyzed in the infected computer’s memory. If this spyware detects such an attempt, it instantly wipes the master boot record (MBR), which prevents the machine from booting. Rombertik also terminates itself in that scenario, which makes it hard for researchers to reverse-engineer and scrutinize its code.
Antivirus tools move suspicious programs to a sandbox to prevent real damage to the host. This technique executes dubious code in an isolated environment, so that it cannot reach critical components of the operating system or stored data. Some malicious programs circumvent sandboxing by operating alongside a slew of benign dummy files that confuse the security suite’s detection routine.
Another clever technique used by malware is to check the system registry and other components for known hallmarks of sandboxing. If the infection determines that it is running in a sandbox environment, it halts its malicious activity so that the security suite doesn’t flag it as a threat.
Most malware strains need to establish and maintain communication with a remote command and control (C2) server. This way, they can transmit harvested information to the crooks and download additional toxic components onto the PC. To do this, malware employs a large number of URLs that are used for a limited period of time and dropped once blacklisted.
The proprietors of exploit kits hijack a domain registrant’s account and register multiple new subdomains on their behalf. Although these subdomains point to malicious servers, security solutions may fail to block them because the parent domain is legitimate.
Fast flux is another technique used to prevent antivirus programs from blocking malicious traffic generated by malware. Threat actors associate numerous IP addresses with a single domain name. The AV evasion part of the tactic is to rotate the active IP addresses by changing DNS records often enough to confuse security suites. Fast flux tends to be used in large-scale malware campaigns, such as phishing scams and drive-by downloads.
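The defender-side counterpart to fast flux is to look for its footprint in DNS telemetry: a single name resolving to many addresses across several network prefixes with very short TTLs. The following script is an added example, not code from the original article; the log format ("timestamp domain ip ttl"), the sample records (drawn from documentation address ranges) and the thresholds are all constructed for illustration.

```python
"""Flag fast-flux candidates in passive-DNS-style resolution records."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records in the form "timestamp domain ip ttl".
# One name behaves like a static host; the other rotates addresses
# across two /24 prefixes with 60-second TTLs.
SAMPLE_LOG = """\
2024-01-01T00:00:00 cdn.example-good.test 203.0.113.10 86400
2024-01-01T06:00:00 cdn.example-good.test 203.0.113.10 86400
2024-01-01T00:00:00 login.flux-domain.test 198.51.100.5 60
2024-01-01T00:05:00 login.flux-domain.test 198.51.100.77 60
2024-01-01T00:10:00 login.flux-domain.test 192.0.2.33 120
2024-01-01T00:15:00 login.flux-domain.test 192.0.2.150 60
2024-01-01T00:20:00 login.flux-domain.test 198.51.100.201 60
"""


def parse_records(text):
    """Parse whitespace-separated records into (timestamp, domain, ip, ttl) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, domain, ip, ttl = line.split()
        records.append((datetime.fromisoformat(ts), domain.lower(), ip, int(ttl)))
    return records


def flux_stats(records):
    """Per domain: number of distinct IPs, distinct /24 prefixes and the lowest TTL seen."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for _, domain, ip, ttl in records:
        ips[domain].add(ip)
        ttls[domain].append(ttl)
    stats = {}
    for domain, addrs in ips.items():
        prefixes = {".".join(ip.split(".")[:3]) for ip in addrs}
        stats[domain] = {
            "ips": len(addrs),
            "prefixes": len(prefixes),
            "min_ttl": min(ttls[domain]),
        }
    return stats


def fast_flux_candidates(records, min_ips=4, min_prefixes=2, max_ttl=300):
    """Return domains whose resolution pattern matches the fast-flux heuristic.

    Thresholds are illustrative: many IPs, spread over more than one prefix,
    with TTLs short enough to let the operator rotate them quickly.
    """
    stats = flux_stats(records)
    return sorted(
        domain
        for domain, s in stats.items()
        if s["ips"] >= min_ips and s["prefixes"] >= min_prefixes and s["min_ttl"] <= max_ttl
    )


if __name__ == "__main__":
    for name in fast_flux_candidates(parse_records(SAMPLE_LOG)):
        print("fast-flux candidate:", name)
```

Large CDNs also answer with many addresses and short TTLs, so in practice this heuristic is a triage filter rather than a verdict: pair it with an allow-list of known CDN names or with ASN diversity (flux networks usually span unrelated consumer ISPs, CDNs usually do not) before alerting.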
Payload Obfuscation via Crypto
When a malicious payload is making the rounds in encrypted form, it is harder for antivirus products to detect. In the best case, a security tool will identify the culprit with a significant delay, which gives the infection more time to do its filthy job.
Modifying certain properties of a malware sample without changing its core logic and objectives may play into the attackers’ hands. A different filename or a compressed payload is likely to trick antivirus tools whose signatures are keyed to hallmarks of the previous edition of the pest.
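The point about filenames and compression is easy to see with hashes. Renaming a file does not change a content hash at all, while wrapping the same bytes in a zip archive produces a completely different hash, so a scanner that only hashes what it receives misses a known sample. The script below is an added example, not code from the article; the "payload" is a constructed byte string standing in for a known-bad file, and the known-bad set, depth limit and size cap are assumptions for illustration.

```python
"""Why container-level hashes miss repackaged samples, and how to look inside."""
import hashlib
import io
import zipfile

# Constructed stand-in for a previously seen malicious file (just bytes, not malware).
PAYLOAD = b"MZ\x90\x00 constructed-sample-payload"

MAX_DEPTH = 3              # how many nested archives to unwrap (assumed limit)
MAX_MEMBER_SIZE = 10 << 20  # skip members larger than 10 MiB (guards against zip bombs)


def sha256(data):
    """Content hash of raw bytes; the filename plays no part in it."""
    return hashlib.sha256(data).hexdigest()


# A one-entry "known bad" set keyed on content, as a signature database would be.
KNOWN_BAD = {sha256(PAYLOAD)}


def wrap_in_zip(member_name, data):
    """Build an in-memory zip archive containing one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def content_hashes(data, depth=0):
    """Return the hash of data plus the hashes of every file inside nested zips.

    Recursion is bounded by MAX_DEPTH and members above MAX_MEMBER_SIZE are
    skipped, so a hostile archive cannot exhaust memory through this function.
    """
    hashes = {sha256(data)}
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return hashes
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_SIZE:
                continue
            hashes |= content_hashes(zf.read(info), depth + 1)
    return hashes


def is_known_bad(data):
    """True if the blob, or anything packed inside it, matches the known-bad set."""
    return bool(content_hashes(data) & KNOWN_BAD)


if __name__ == "__main__":
    packed = wrap_in_zip("invoice.exe", PAYLOAD)
    print("raw hash matches:   ", sha256(PAYLOAD) in KNOWN_BAD)
    print("zip hash matches:   ", sha256(packed) in KNOWN_BAD)
    print("unpacked hash found:", is_known_bad(packed))
```

The same idea applies to any container a mail gateway or endpoint agent accepts (ISO images, 7z, nested archives): hash what the user will actually execute, not only the envelope it arrives in. Exact hashes still break as soon as the attacker changes a single byte, which is why real products layer fuzzy hashing and behavioural rules on top of this check.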
Classic Literature as a Red Herring
The proprietors of exploit kits are known to employ a really offbeat method to thwart detection. They insert large passages from popular novels, such as Jane Austen’s “Sense and Sensibility,” into landing pages hosting the malicious kits. While scanning these pages for dubious traits, Internet security tools may perceive the classic literature contents as a sign of legitimacy and therefore won’t flag the site as harmful.
Cybercrooks are fond of leveraging anonymity services like Tor (The Onion Router) and I2P (Invisible Internet Project) to hide their tracks. The former is heavily used to secure the communication between a malware payload and a C2 server run by the perpetrators, ransomware distributors in particular. The latter, I2P, offers similar functionality but also allows threat actors to chat and transfer files back and forth securely.
While macros per se are legitimate components of Microsoft Office, they can be abused to covertly download and execute arbitrary code on a computer. These modules are disabled by default, but users may follow a rogue prompt to enable them and thus unknowingly launch a malicious script that downloads malware onto their machines.
Quite a few threats, including the infamous Arena ransomware and the Dridex banking Trojan, have propagated in this fashion, with booby-trapped Word documents sent to a large number of users via malspam. Note that campaigns harnessing macros usually involve social engineering to dupe people into opening rogue email attachments.
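A mail gateway or endpoint tool does not have to trust the file extension to know whether an Office document carries a macro. Modern Office files are zip containers, and a macro-enabled document exposes two telltales inside that container: a `vbaProject.bin` part and a `macroEnabled` content type declared in `[Content_Types].xml`. The script below is an added example, not code from the article; the two sample documents it builds are deliberately minimal constructed containers (not real Word files) that carry just enough structure to exercise the check.

```python
"""Detect macro-bearing OOXML documents by inspecting the container, not the extension."""
import io
import zipfile

# Real OOXML content types for a macro-enabled Word document and its VBA project part.
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
VBA_PROJECT_CT = "application/vnd.ms-office.vbaProject"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def build_sample_doc(with_macro):
    """Constructed minimal OOXML container for testing; not a complete Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = ['<?xml version="1.0"?>',
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">']
        if with_macro:
            types.append(f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN_CT}"/>')
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_PROJECT_CT}"/>')
        else:
            types.append(f'<Override PartName="/word/document.xml" ContentType="{PLAIN_MAIN_CT}"/>')
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder bytes; a real part would be an OLE compound file.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed-vba-project")
    return buf.getvalue()


def macro_indicators(data):
    """Return a list of reasons the blob looks like a macro-enabled OOXML document."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []  # legacy binary .doc/.xls (OLE) files are not handled here
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.lower() for n in zf.namelist()]
        # Word, Excel and PowerPoint all store VBA under <app>/vbaProject.bin.
        if any(n.endswith("/vbaproject.bin") for n in names):
            found.append("vbaProject.bin part present")
        try:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            content_types = ""
        if "macroenabled" in content_types.lower():
            found.append("macroEnabled content type declared")
    return found


def has_macros(data):
    """Convenience wrapper for a gateway rule: quarantine or strip when True."""
    return bool(macro_indicators(data))


if __name__ == "__main__":
    for label, doc in (("macro", build_sample_doc(True)), ("plain", build_sample_doc(False))):
        print(label, "->", macro_indicators(doc) or "no macro indicators")
```

Because the check reads the container, a `.docm` renamed to `.docx` is still caught. It does not cover the legacy binary formats, which store VBA in OLE streams; for those a defender would reach for a dedicated parser such as the open-source oletools suite rather than extend this zip-based check.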
Some viruses are intelligent enough to run at a specified time. For instance, a virus may run during system boot-up, when the infected host is most susceptible to harmful impact and the victim’s security suite isn’t yet fully loaded to identify infections in real time. The offending code may remain inactive the rest of the time.
How Do Computer Users Stay on the Safe Side?
First and foremost, adopt a defensive strategy revolving around prevention, rather than reaction after the fact. The following tips should come in handy:
- Keep your operating system and third-party software up to date at all times. Apply security patches once they are available.
- Use a reliable security suite boasting a good reputation and, most importantly, high independent lab scores. Make sure the software provides real-time detection functionality and is equipped with a firewall that filters web traffic.
- Follow safe online practices. Stay on the lookout for phishing; never enable macros in Office files received via email; and steer clear of suspicious websites and downloads.
Keep in mind that antivirus software alone is no longer enough to safeguard your computer against malicious code. Try to think out of the box; don’t fall for social engineering attempts and exercise proper online hygiene.