In order to infect a computer with malicious software, cyber criminals must either:
Force the user into launching an infected file or
Try to penetrate the victim’s computer – via a vulnerability within the operating system or any application software that’s running on the machine
At the same time, the more professional cyber criminals will also try to ensure their malware evades any antivirus software that’s running on the victim’s computer.
Techniques used in combating antivirus software
To increase the likelihood of achieving their objectives, cyber criminals have developed a range of techniques to try to combat the activities of antivirus software, including:
Code packing and encryption
The majority of worms and Trojan viruses are packed and encrypted. Hackers also design special utilities for packing and encrypting. Every Internet file that has been processed using CryptExe, Exeref, PolyCrypt and some other utilities, has been found to be malicious.In order to detect packed and encrypted worms and Trojans, the antivirus program must either add new unpacking and decoding methods, or add new signatures for each sample of a malicious program.
By mixing a Trojan virus’s code plus ‘spam’ instructions – so that the code takes on a different appearance, despite the Trojan retaining its original functionality – cybercriminals try to disguise their malicious software. Sometimes code mutation happens in real time – on all, or almost all, occasions that the Trojan is downloaded from an infected website. The Warezov mail worm used this technique and caused some serious epidemics.
Rootkit technologies – that are generally employed by Trojan viruses – can intercept and substitute system functions, in order to make the infected file invisible to the operating system and antivirus programs. Sometimes even the registry branches – where the Trojan is registered – and other system files are hidden. The HacDef backdoor Trojan is an example of malicious code that uses these techniques.
Blocking antivirus programs and antivirus database updates
Many Trojan viruses and network worms will actively search for antivirus programs in the list of active applications on the victim computer. The malware will then try to:
Block the antivirus software
Damage the antivirus databases
Prevent the correct operation of the antivirus software’s update processes
In order to defeat the malware, the antivirus program has to defend itself by controlling the integrity of its databases and hiding its processes from the Trojans.
Masking the code on a website
Antivirus companies will quickly learn the addresses of websites that contain Trojan virus files – and their virus analysts can then study the content of these sites and add the new malware to their databases. However, in an attempt to combat antivirus scanning, a web page can be modified – so that, when requests are sent by an antivirus company, a non-Trojan file will be downloaded instead of a Trojan.
In a Quantity Attack, large quantities of new Trojan versions are distributed across the Internet within a short time period. As a result, antivirus companies receive huge numbers of new samples for analysis. The cyber criminal hopes that the time taken to analyse each sample will give their malicious code a chance to penetrate users’ computers.