Malware Bypasses Antivirus

Tuesday, October 23, 2012 @ 08:10 PM gHale

There is now a USB dropper/spreader that can bypass commercial antivirus products.

Antivirus programs today identify threats based on their signatures or on their behavior, and if malware gets by one method, the other can catch it.


But hold on, security researchers have found a way to create malicious elements that spread from one computer to another without detection.

Soufiane Tahiri, a security researcher who specializes in reverse engineering and software security, created a virus whose behavior bypasses antivirus because it is not in the AV catalog.

The purpose of this test malware was to copy a presumably malicious file to a USB drive and create an autorun.inf file on the targeted device without being detected.

The “malicious element” constantly searches for the presence of removable disks. If it finds one, it scans the drive to determine whether it is already infected.

If it is not, the autorun.inf file and a malicious executable are copied onto it.

The first thing Tahiri did to keep his USB dropper from being detected was to rename the functions malware usually uses to perform tasks such as stealing data or spying on the victim.

Then, instead of using methods that would clearly look suspicious – such as File.Copy() and File.Delete() – the malware leverages an intermediary program that does not require any privileges to execute basic commands: the Windows CMD command line.

“By invoking the Windows command silently, we can do everything that could be done via the command line without any restrictions,” Tahiri said.

“We can make a thread that creates the autorun.inf file temporarily somewhere in the user’s system folder and another thread that checks for the presence of plugged removable disks and makes copy tasks via hidden instances of command line.”
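The dropper described above leaves an autorun.inf on the drive that points AutoRun at the copied executable. As an added example (not Tahiri's code and not from the article), here is a small Python checker a defender can run against the autorun.inf found on a removable drive; the sample file content is constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample of the kind of autorun.inf a USB dropper might write; not from the article.
SAMPLE_AUTORUN = r"""
[autorun]
; comment line, ignored by Windows and by this parser
open=RECYCLER\setup.exe /s
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open\command="RECYCLER\setup.exe"
shell\explore\command=RECYCLER\setup.exe
"""

LAUNCH_KEYS = ("open", "shellexecute")                      # keys that auto-launch a program
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")

@dataclass
class AutorunFindings:
    launch_targets: list = field(default_factory=list)       # (key, program path)
    indicators: list = field(default_factory=list)           # human-readable reasons to flag

def parse_autorun(text):
    """Parse the [autorun] section into lowercase key -> value; a repeated key keeps the last value."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def program_path(value):
    """Return the program part of a command value, honoring a quoted path that contains spaces."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""

def analyze_autorun(text):
    """Flag every key that would launch a program, and call out targets with executable extensions."""
    findings = AutorunFindings()
    for key, value in parse_autorun(text).items():
        # open=, shellexecute= and shell\<verb>\command= are the keys AutoRun/AutoPlay executes
        if key not in LAUNCH_KEYS and not (key.startswith("shell\\") and key.endswith("\\command")):
            continue
        target = program_path(value)
        findings.launch_targets.append((key, target))
        if target.lower().endswith(EXEC_EXTS):
            findings.indicators.append(f"{key} launches executable '{target}'")
    return findings
```

Since Microsoft's 2011 AutoRun update, Windows no longer honors autorun.inf on USB flash drives, so on a patched system the file's presence and its launch target are indicators to investigate rather than an execution path.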

One Response to “Malware Bypasses Antivirus”

  1. […] New Malware is bypassing Antivirus – a USB dropper/spreader "can bypass commercial antivirus products." These viruses slide right by anti-virus programs because they are not in the AV catalog. This is evidence of why it is important to find anti-virus programs that track activities, not scan for signatures. Via ISSSource, more here. […]
