Malware Bypasses Antivirus
Tuesday, October 23, 2012 @ 08:10 PM gHale
There is now a USB dropper/spreader that can bypass commercial antivirus products.
Antivirus programs today identify threats based on their signatures or on their behavior, and if malware gets past one check, the other can catch it.
But hold on: security researchers found a way to create malicious elements that can spread from one computer to another without detection.
A security researcher who specializes in reverse engineering and software security, Soufiane Tahiri, created a virus whose behavior bypasses antivirus because it is not in the AV catalog.
The purpose of this test malware was to copy a presumably malicious file to a USB drive and create an autorun.inf file on the targeted device without being detected.
The “malicious element” would constantly search for the presence of removable disks. If it finds one, it scans the disk to determine whether it is already infected.
If it is not, the autorun.inf file and a malicious executable are copied onto it.
The first thing Tahiri did to ensure his USB dropper would not fall victim to detection was to rename the functions malware usually uses to perform tasks such as stealing data or spying on the victim.
Then, instead of using methods that would clearly appear suspicious – such as File.Copy() and File.Delete() – the malware leverages an intermediary program that doesn’t require any privileges to execute basic commands, namely the Windows CMD command line.
“By invoking the Windows command silently, we can do everything that could be done via the command line without any restrictions,” Tahiri said.
“We can make a thread that creates the autorun.inf file temporarily somewhere in the user’s system folder and another thread that checks for the presence of plugged removable disks and makes copy tasks via hidden instances of command line.”
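One defender-side way to surface the pattern described above, as an added example that is not part of the article or of Tahiri's work: a small Python check over constructed, Sysmon-style process-creation records (the field names ParentImage, Image and CommandLine are assumed) that flags a cmd.exe instance copying autorun.inf or an executable to the root of a drive, and notes when that cmd.exe was spawned by something other than an interactive shell.

```python
import re
from typing import Dict, List

# Constructed, Sysmon-style process-creation records (field names assumed; not from the article).
EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c copy "C:\Users\alice\AppData\Local\Temp\autorun.inf" E:\autorun.inf'},
    {"ParentImage": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c copy "C:\Users\alice\AppData\Roaming\updater.exe" E:\svc.exe'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir E:"},
]

# A file-copy verb somewhere on the command line.
COPY_RE = re.compile(r"\b(?:copy|xcopy|move)\b", re.IGNORECASE)
# autorun.inf written directly to a drive root (e.g. E:\autorun.inf).
AUTORUN_RE = re.compile(r"\b[a-z]:\\autorun\.inf\b", re.IGNORECASE)
# An executable placed directly at a drive root (e.g. E:\svc.exe), not inside a subdirectory.
ROOT_EXE_RE = re.compile(r'\b[a-z]:\\[^\\\s"]+\.(?:exe|scr|bat|com)\b', re.IGNORECASE)
# Parents from which an interactive cmd.exe is expected; any other parent is worth a look.
INTERACTIVE_PARENTS = ("\\explorer.exe", "\\cmd.exe", "\\powershell.exe")

def classify(event: Dict[str, str]) -> List[str]:
    """Return the suspicious traits found in one process-creation event (empty if none)."""
    traits: List[str] = []
    if not event["Image"].lower().endswith("\\cmd.exe"):
        return traits
    cmd = event["CommandLine"]
    if not COPY_RE.search(cmd):
        return traits
    if AUTORUN_RE.search(cmd):
        traits.append("copies autorun.inf to a drive root")
    if ROOT_EXE_RE.search(cmd):
        traits.append("copies an executable to a drive root")
    parent = event["ParentImage"].lower()
    if traits and not parent.endswith(INTERACTIVE_PARENTS):
        traits.append("cmd.exe spawned by non-interactive parent " + event["ParentImage"])
    return traits

def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    hits: List[Dict[str, object]] = []
    for event in events:
        traits = classify(event)
        if traits:  # keep only events that raised at least one trait
            hits.append({"CommandLine": event["CommandLine"], "traits": traits})
    return hits
```

Run `scan(EVENTS)` to see the two copy commands flagged while the plain `dir` from Explorer passes; in production the same check would be fed from the endpoint's process-creation telemetry rather than the constructed list.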