Why doesn’t my Antivirus detect all the malware?



    It’s a never-ending fight between malware authors and security software vendors. Avoiding detection is the prime concern of any malware author today.


    Antivirus software uses signatures. A signature is a unique sequence of code that has been identified as belonging to the malware alone; it is added to a constantly updated database of known malware signatures.
    While scanning a system for malware, an antivirus program looks for the same unique sequence(s) of code in files (plus a number of other checks) and, once a match is identified, acts appropriately – deleting or quarantining the specific file according to the user settings.
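The following is an added illustration of the matching step described above; it is not code from the original post or from any antivirus product. The byte patterns, signature names and "files" are constructed for the example and correspond to no real malware. It also shows why a signature alone is brittle: changing two bytes in the matched region (the polymorphic trick discussed later) is enough to defeat it.

```python
import re

# Constructed example signatures: spaced hex bytes, '??' matches any one byte.
# These patterns are invented for this illustration, not real detections.
SIGNATURES = {
    "Demo.Dropper.A": "DE AD BE EF ?? ?? CA FE 42 42",
    "Demo.Stub.B":    "90 90 90 E8 ?? ?? ?? ?? 5B 81 EB",
}


def compile_signature(hex_pattern: str) -> re.Pattern:
    """Turn a spaced hex pattern with '??' wildcards into a bytes regex."""
    parts = []
    for token in hex_pattern.split():
        if token == "??":
            parts.append(b".")                    # any single byte
        else:
            parts.append(b"\\x%02x" % int(token, 16))
    # DOTALL so the '.' wildcard also matches a 0x0A byte
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def scan_bytes(data: bytes) -> list:
    """Return the names of every signature found anywhere in data."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


# Constructed sample "files": a fake DOS header, filler, and a payload region.
INFECTED = (b"MZ\x90\x00" + b"A" * 32
            + bytes.fromhex("DEADBEEF1337CAFE4242") + b"\x00" * 16)
CLEAN = b"MZ\x90\x00" + b"B" * 64
# Same sample with two bytes of the matched region changed: no longer detected.
VARIANT = INFECTED.replace(bytes.fromhex("DEADBEEF"), bytes.fromhex("DEADB00F"))

if __name__ == "__main__":
    for label, sample in (("infected", INFECTED), ("clean", CLEAN), ("variant", VARIANT)):
        print(f"{label:9s} -> {scan_bytes(sample)}")
```

Real engines anchor patterns to file offsets or sections and combine several fragments per detection; a single free-floating byte string, as here, is the simplest form and the easiest to evade.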


    The first virus authors did not have to worry about protecting their malicious code in order to defeat detection – the time gap between the release of a virus in the wild and detection/cure (if any) was significant. With the advent of early antivirus programs – this trend changed.


    The first counter to signature-based detection was polymorphism, metamorphism and oligomorphism – malware authors used self-modifying code and other methods of code modification to produce a different sequence of malicious code every time (while performing the same action), making detection more difficult.


    We then had the era of spyware and adware and a host of programs which were known more for their nagging effects and system crashes, but these were quite easy to deal with, with the proper anti-malware solutions – the unlucky users still had to go through the pains of rebuilding their systems.


    This entire race then took a new dimension with malware authors taking the next step to beat traditional signature based detections – using packers, encrypting or obfuscating code.



    A packer is a program that hides the actual executable code by storing it as data in a new executable file that it creates – this new executable first unpacks the actual code and then executes it in memory. A signature writer would need to unpack such a file first, get to the actual malicious code and extract a signature from it. Simple packers could be unpacked, but malware authors started employing commercial packers, which are intended to copy-protect legitimate software from being cracked or reversed. These commercial packers also have other protection methods, such as anti-disassembly, anti-emulation and anti-debugging – all methods used to prevent executables from being reversed or cracked.


    It is now possible to create a number of different binaries with the same malicious code using different packers or a combination of packers – a binary can be packed with one packer first, and the resulting executable can be packed using another different packer, and so on.


    Signature creators can no longer directly extract signatures from these packed/encrypted/obfuscated files as it creates the possibility of detecting legitimate files employing such methods as malware.


    This in turn requires an anti-malware program to have the built-in capability to detect and unpack a number of commercial packers, or to identify a packed executable by its code structure.
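One structural clue a scanner can use without knowing the packer is the byte entropy of each section: packed or encrypted content is close to random, whereas machine code and strings are not. The block below is an added example (not from the original post or any product) that flags high-entropy sections. The section contents and the threshold are constructed for the illustration; the high-entropy filler is generated deterministically by chaining SHA-256 digests as a stand-in for an encrypted payload.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Heuristic cut-off (assumed for this example): compressed or encrypted data
# usually sits above ~7.2 bits/byte, compiled code lower, plain text lower still.
PACKED_THRESHOLD = 7.2


def suspicious_sections(sections: dict, threshold: float = PACKED_THRESHOLD) -> list:
    """Return (name, entropy) for each section whose entropy exceeds threshold."""
    flagged = []
    for name, body in sections.items():
        h = shannon_entropy(body)
        if h > threshold:
            flagged.append((name, round(h, 2)))
    return flagged


def pseudo_random_bytes(length: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy filler (chained SHA-256 digests), standing in
    for an encrypted or compressed payload so the example runs offline."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed section contents for a fictitious executable.
TEXT_SECTION = b"This program cannot be run in DOS mode.\r\n" * 50
CODE_LIKE = bytes.fromhex("5589e583ec10c745fc00000000eb0a8b45fc83c0018945fc837dfc09") * 40
PACKED_SECTION = pseudo_random_bytes(4096)

SAMPLE_SECTIONS = {".text": CODE_LIKE, ".rdata": TEXT_SECTION, ".data": PACKED_SECTION}

if __name__ == "__main__":
    for name, body in SAMPLE_SECTIONS.items():
        print(f"{name:7s} entropy = {shannon_entropy(body):.2f}")
    print("flagged:", suspicious_sections(SAMPLE_SECTIONS))
```

As the post notes, legitimate software is packed too, and compressed resources (images, archives) also score high, so a flagged section is a reason to unpack or emulate, not a malware verdict by itself.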



    Malware authors have also started employing their own customized file encryption/decryption methods similar to those used in polymorphism or metamorphism to create malicious binaries having totally different file characteristics – making signature extraction more difficult.


    Another weapon in the arsenal of antivirus programs is the use of heuristics and file emulation. Most real-time, and even some on-demand, antivirus scanners use heuristic signatures that look for specific attributes and characteristics to detect viruses and other forms of malware. However, heuristics can be prone to false positives.
    File emulation is another heuristic approach. It involves executing a program in a virtual environment and logging the actions the program performs. Depending on the actions logged, the antivirus software decides whether the program is malicious and then carries out the appropriate disinfection actions.
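The decision step after emulation is typically a weighted set of behavioural rules run over the logged actions. The example below is added here to make that concrete; it is not code from the original post or from any scanner. The trace format ("API argument" per line), the API names, the rules, their weights and the alert threshold are all constructed for the illustration. It also shows the false-positive trade-off the post mentions: a legitimate installer that registers an updater scores below the threshold here, but lowering the threshold turns it into a false positive.

```python
import re

# Registry path and file-path patterns used by the rules (constructed).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\System32\\.*\.(exe|dll)$", re.IGNORECASE)

# Each rule: (name, weight, predicate over one (api, argument) event).
# Names, weights and API labels are made up for this example.
RULES = [
    ("autorun_persistence", 40,
     lambda api, arg: api == "RegSetValue" and RUN_KEY.search(arg) is not None),
    ("drops_binary_in_system_dir", 30,
     lambda api, arg: api == "CreateFile" and SYSTEM_DIR.match(arg) is not None),
    ("remote_thread_injection", 35,
     lambda api, arg: api == "CreateRemoteThread"),
    ("outbound_connection", 10,
     lambda api, arg: api == "Connect"),
]
ALERT_THRESHOLD = 70   # assumed cut-off for this example


def parse_trace(text: str) -> list:
    """Split an emulation log into (api, argument) pairs, one per line."""
    events = []
    for line in text.strip().splitlines():
        api, _, arg = line.strip().partition(" ")
        events.append((api, arg))
    return events


def score_trace(text: str) -> tuple:
    """Return (total score, sorted names of rules that fired).
    Each rule counts once no matter how many events trigger it."""
    events = parse_trace(text)
    fired = {name: weight for name, weight, pred in RULES
             if any(pred(api, arg) for api, arg in events)}
    return sum(fired.values()), sorted(fired)


def verdict(text: str, threshold: int = ALERT_THRESHOLD) -> bool:
    """True when the behaviour score reaches the alert threshold."""
    return score_trace(text)[0] >= threshold


# Constructed emulation traces (paths and addresses are illustrative only).
MALICIOUS_TRACE = r"""
CreateFile C:\Windows\System32\demo_payload.exe
RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\demo_payload
CreateRemoteThread explorer.exe
Connect 203.0.113.10:8080
"""

INSTALLER_TRACE = r"""
CreateFile C:\Program Files\DemoApp\demoapp.exe
RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DemoAppUpdater
Connect 203.0.113.20:443
"""

if __name__ == "__main__":
    for label, trace in (("malicious", MALICIOUS_TRACE), ("installer", INSTALLER_TRACE)):
        score, rules = score_trace(trace)
        print(f"{label:9s} score={score:3d} alert={verdict(trace)} rules={rules}")
    print("installer with threshold 50:", verdict(INSTALLER_TRACE, threshold=50))
```

Tuning is the whole difficulty: the same autorun-plus-network pattern is shared by droppers and by ordinary auto-updaters, which is why behaviour scores are usually combined with reputation or signature data rather than used alone.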


    The next dimension employed by malware is the use of Rootkit techniques to hide malware components from being detected.


    The effectiveness of antivirus software can be judged by the following characteristics:
    • The extent of its signature database of known malware and the efforts taken to enhance it – including the frequency of signature updates.
    • The capacity of the scanning engine to recognize packing, encryption or obfuscation in executables, and its ability to emulate executables and recognize malicious behavior.
    • Heuristic abilities to determine malware-like behavior.
    • The strength of its real-time protection – antivirus software should be able to detect the presence of malware in network streams or mail attachments, or prevent the malware from executing on a system. Another important factor is how early protection starts: does it begin as the OS boots up?
