Antivirus Evasion: Why Cyber Attacks Still Succeed
We all know the importance of protecting our data. There are more and more reports every day of big companies being hit by cyberattacks and customers' data being stolen. It is a big business for cyber criminals, and one that continues to grow. With this in mind, how do we defend our data? And is complete protection from cyberattacks even possible? Forums on the dark web are rife with stolen data from people all over the world, ranging from names, emails, passwords, telephone numbers and addresses to full corporate databases and sensitive government documents. How is this data getting out there if we have taken all the recommended steps to protect it? One of the steps recommended as a line of defense is the use of antivirus software, but does it really work? The simple answer is yes, it does, but the reality is far more complex.
What is Antivirus Evasion?
Antivirus software plays a crucial role in defending against cyber attacks, but cyber criminals are constantly evolving their tactics to find a way past these defenses, a process known as antivirus evasion. Antivirus software is designed to detect, isolate and remove malicious software that poses a threat to a user's device and their data. There is an ongoing battle between security software providers and cyber criminals. Essentially, cyber criminals want access to their victims' devices and networks and need to find ways to bypass security software in order to get it. Software providers do their best to combat this through updates and patches that block the threats, but cyber criminals are adept at finding ways to sneak through. Two common approaches used by antivirus software are:
- Heuristic-based scanning – Examines the file and its function. Establishes whether the software is suspicious by analysing its behaviour and characteristics.
- Signature-based scanning – Examines the file to ascertain if it matches any specifically known malware. It works like a fingerprint database. If, upon examination, the suspected malware appears to match something known then it is flagged.
Antivirus Evasion Techniques
In order to evade these defenses cyber criminals have developed a number of techniques, some of the most common being:
Code Obfuscation
A technique which modifies the code, and therefore the signature, of a virus to avoid detection by antivirus software. It is often used alongside other techniques rather than on its own, as obfuscation can reduce the effectiveness of the malware. On its own this approach may not be sufficient to bypass heuristic-based scanning.
Encryption
When a virus is encrypted, it’s split into two parts: the virus body and the decryption loop. The decryption loop encrypts and decrypts the virus; without it, the malware cannot function when deployed.
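The two scanning approaches listed above, and the reason encryption and obfuscation matter to them, can be shown with a toy scanner. The example below is added here and is not code from the original article or from any antivirus product. Its "files" are constructed byte strings (no malware is involved), the marker `EVIL_MARKER_v1`, the signature name `Example.Marker.A` and the entropy threshold of 7.0 bits per byte are assumptions made for the illustration. It shows that a full-file hash signature breaks after a single byte changes, that a byte-pattern signature survives until the pattern itself is rewritten, and that a heuristic such as Shannon entropy still flags an encrypted body that carries no known signature at all.

```python
import hashlib
import math
import random

# --- Constructed signature database (not a real antivirus feed) ---
BYTE_SIGNATURES = {
    "Example.Marker.A": b"EVIL_MARKER_v1",   # assumed byte pattern for this example
}
KNOWN_HASHES = {}                            # sha256 hex digest -> signature name (filled below)

ENTROPY_THRESHOLD = 7.0     # bits per byte; compressed or encrypted data approaches 8.0
MIN_SIZE_FOR_ENTROPY = 256  # very small inputs give noisy entropy estimates


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def signature_scan(data: bytes) -> list:
    """Signature-based scanning: match the file's identity (hash) or a known byte pattern."""
    hits = []
    name = KNOWN_HASHES.get(sha256(data))
    if name:
        hits.append("hash:" + name)
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            hits.append("pattern:" + name)
    return hits


def heuristic_scan(data: bytes) -> list:
    """Heuristic scanning: judge characteristics of the file rather than its identity."""
    reasons = []
    if len(data) >= MIN_SIZE_FOR_ENTROPY and shannon_entropy(data) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy body (possibly packed or encrypted)")
    return reasons


def scan(data: bytes) -> dict:
    return {"signature": signature_scan(data), "heuristic": heuristic_scan(data)}


# --- Constructed samples: plain bytes standing in for files; none of this is malware ---
SAMPLE_KNOWN = b"MZ" + bytes(64) + b"EVIL_MARKER_v1" + b"print('hello')" * 20
KNOWN_HASHES[sha256(SAMPLE_KNOWN)] = "Example.Marker.A"
# One trailing byte changed: the hash no longer matches, the byte pattern still does.
SAMPLE_ONE_BYTE_CHANGED = SAMPLE_KNOWN[:-1] + b"!"
# Marker rewritten: neither signature matches; this is the effect code obfuscation aims for.
SAMPLE_MARKER_REWRITTEN = SAMPLE_KNOWN.replace(b"EVIL_MARKER_v1", b"evil_marker_v1")
# Short stub followed by seeded random bytes, standing in for an encrypted virus body.
_rng = random.Random(1)
SAMPLE_ENCRYPTED = b"MZ" + b"stub" + bytes(_rng.getrandbits(8) for _ in range(2048))
# Ordinary low-entropy document text.
SAMPLE_BENIGN = b"Quarterly report: revenue up 3% on the prior quarter.\n" * 20

if __name__ == "__main__":
    for label, sample in [("known", SAMPLE_KNOWN), ("one byte changed", SAMPLE_ONE_BYTE_CHANGED),
                          ("marker rewritten", SAMPLE_MARKER_REWRITTEN),
                          ("encrypted body", SAMPLE_ENCRYPTED), ("benign", SAMPLE_BENIGN)]:
        print(f"{label:18} entropy={shannon_entropy(sample):.2f} {scan(sample)}")
```

The entropy check is deliberately crude: legitimate compressed or packed software also scores high, which is why real engines combine several heuristics and weigh them rather than block on one score.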
Polymorphic & Metamorphic Malware
Polymorphic malware makes identification of the threat difficult: a number of different decryptors are created, and obfuscation techniques change the decryption code in each copy that the malware makes of itself. The Emotet malware, which started as a banking trojan, is an example of polymorphic malware as it can change its code to avoid being detected. Emotet is delivered through spam emails containing malicious links or infected documents which, when clicked, download the malware onto the user's computer.
Metamorphic malware is similar; however, each copy of the virus is built differently. Each copy is uniquely coded, varying in size and instruction sequence, while its behaviour remains intact.
Process Injection
Process injection camouflages the malware by hiding it in the memory space of another program. This makes it difficult for the antivirus to detect the malware, especially as the activity of the host program and of the camouflaged malware can look similar. By doing this, the malware can be deployed and even lie dormant for a prolonged period of time before it is detected. The Havex malware used by the Dragonfly (Energetic Bear) group is an example of how process injection works. One of the techniques used by Havex was to inject itself into the explorer.exe process, which manages the graphical user interface of the Windows environment. This technique helped the malware to avoid detection because it looked like a legitimate process. Real-world examples can help to explain the effect that antivirus evasion can have; one of these is The New York Times cyberattack in 2013.
Sad Times in New York
In 2013 The New York Times was the victim of a cyber attack which took place over the course of 4 months. Using antivirus evasion, the cyber criminals managed to steal the corporate passwords of every employee, using them to access the personal computers of 53 employees. According to the New York Times, over that period 45 pieces of custom malware were installed on their systems, with only one of those being detected and quarantined by their antivirus software.
Mitigating the Risk
There is always going to be risk, and antivirus software is one layer of defence we can apply to mitigate that risk, but not the only one. Endpoint Detection and Response (EDR) is a tool used by organisations to detect the threats that get past an initial layer of defence such as antivirus software. It continuously monitors desktops, laptops, servers, mobile phones and similar devices for threats, automatically performs actions to help stop them in their tracks, and stores the collected data for later analysis. Antivirus software is a crucial tool in the battle against cybercrime; however, adopting a multi-layered approach is essential to protecting data and keeping ahead of cybercriminals.
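The EDR approach described above relies on recorded telemetry rather than on the file itself, which is what lets it catch behaviour such as the explorer.exe injection discussed under Process Injection. The example below is added here and is not code from the original article or from any EDR product. It runs three simple rules over constructed JSON-lines telemetry (the paths, PIDs, timestamps and the process name `invoice_viewer.exe` are invented for the illustration and are not artefacts of Havex or any real incident): an untrusted process writing into another process's memory, a thread created in another process, and explorer.exe started by an unexpected parent. The trusted directory prefix and the expected parent of explorer.exe are assumptions. The stored events are then correlated so that a write followed by a remote thread into the same target is raised as one high-severity alert, which is the kind of analysis an EDR performs on retained data.

```python
import json
from collections import defaultdict

# Constructed EDR-style telemetry as JSON lines (raw string, so "\\" reaches json.loads
# unchanged). Every host, path, PID and timestamp here is invented for this example.
TELEMETRY = r"""
{"ts":"2024-01-10T09:00:01Z","type":"process_create","pid":1204,"image":"C:\\Windows\\explorer.exe","parent_image":"C:\\Windows\\System32\\userinit.exe"}
{"ts":"2024-01-10T09:02:10Z","type":"process_create","pid":4410,"image":"C:\\Users\\alice\\Downloads\\invoice_viewer.exe","parent_image":"C:\\Program Files\\MailClient\\mail.exe"}
{"ts":"2024-01-10T09:02:11Z","type":"process_access","source_pid":4410,"source_image":"C:\\Users\\alice\\Downloads\\invoice_viewer.exe","target_pid":1204,"target_image":"C:\\Windows\\explorer.exe","access":"write"}
{"ts":"2024-01-10T09:02:11Z","type":"remote_thread","source_pid":4410,"source_image":"C:\\Users\\alice\\Downloads\\invoice_viewer.exe","target_pid":1204,"target_image":"C:\\Windows\\explorer.exe"}
{"ts":"2024-01-10T09:05:00Z","type":"process_access","source_pid":880,"source_image":"C:\\Windows\\System32\\csrss.exe","target_pid":1204,"target_image":"C:\\Windows\\explorer.exe","access":"query"}
{"ts":"2024-01-10T09:06:00Z","type":"process_create","pid":5120,"image":"C:\\Windows\\explorer.exe","parent_image":"C:\\Users\\alice\\Downloads\\invoice_viewer.exe"}
"""

# Assumptions for this example: system binaries live under C:\Windows, and the shell
# process is normally started by userinit.exe.
TRUSTED_PREFIXES = ("c:\\windows\\",)
EXPECTED_PARENTS = {
    "c:\\windows\\explorer.exe": {"c:\\windows\\system32\\userinit.exe"},
}


def is_trusted(image: str) -> bool:
    return image.lower().startswith(TRUSTED_PREFIXES)


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list) -> list:
    """Apply per-event rules, then correlate stored evidence per source/target pair."""
    alerts = []
    evidence = defaultdict(set)  # (src_pid, src_image, dst_pid, dst_image) -> activity kinds seen
    for e in events:
        kind = e["type"]
        if kind == "process_create":
            expected = EXPECTED_PARENTS.get(e["image"].lower())
            if expected and e["parent_image"].lower() not in expected:
                alerts.append({"rule": "unexpected_parent", "severity": "medium",
                               "source": e["parent_image"], "target": e["image"]})
            continue
        if e["source_pid"] == e["target_pid"]:
            continue  # a process handling its own memory or threads is normal
        if is_trusted(e["source_image"]):
            continue  # system components routinely query other processes
        pair = (e["source_pid"], e["source_image"], e["target_pid"], e["target_image"])
        if kind == "process_access" and e["access"] == "write":
            alerts.append({"rule": "untrusted_write_to_process", "severity": "medium",
                           "source": e["source_image"], "target": e["target_image"]})
            evidence[pair].add("write")
        elif kind == "remote_thread":
            alerts.append({"rule": "remote_thread_created", "severity": "medium",
                           "source": e["source_image"], "target": e["target_image"]})
            evidence[pair].add("thread")
    # Correlation over retained events: memory write plus a new thread in the same
    # target is the classic injection sequence, so raise it once at high severity.
    for (_, src, _, dst), kinds in evidence.items():
        if {"write", "thread"} <= kinds:
            alerts.append({"rule": "probable_process_injection", "severity": "high",
                           "source": src, "target": dst})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(TELEMETRY)):
        print(f"[{alert['severity']:6}] {alert['rule']}: {alert['source']} -> {alert['target']}")
```

In practice the allowlists would be far longer and the access masks more precise, but the structure is the point: antivirus looks at what a file is, while EDR keeps a record of what processes do and can join those records after the fact.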
Cybercriminals are constantly evolving, which means our defence against them must continue to evolve too. A layered approach, combining threat intelligence, endpoint security and proactive monitoring, is essential to staying ahead.
Sources:
https://www.kaspersky.com/resource-center/threats/combating-antivirus
https://www.mdpi.com/2076-3417/13/8/5083
https://www.microsoft.com/en-us/security/business/security-101/what-is-edr-endpoint-detection-response
https://www.kaspersky.com/resource-center/threats/emotet
https://www.kaspersky.com/resource-center/definitions/heuristic-analysis
https://www.attackiq.com/2022/04/01/attack-graph-response-to-us-cert-aa22-083a-historical-russia-based-actors-targeting-the-energy-sector/
https://www.wired.com/2013/01/new-york-times-hacked/
https://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html#:~:text=Over%20the%20course%20of%20three,quarantined%20it%2C%20according%20to%20Mandiant.
The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.