Outsmarted – Why Malware Works in face of Antivirus Software

[Aerosol]

For many years, different types of malware rank among the biggest IT security

threats both in the business and the private domain. In order to protect oneself

from the dangers of malware, numerous software manufacturers offer IT

security products like antivirus and endpoint protection software. But these

products alone offer no sufficient protection from malware that knows some

tricks, as the results of our recent research with the topic antivirus evasion

show.

In the recent past, there were several computer-based

attacks against IT networks that

became public and raised a lot of media attention.

Especially the attacks against the New

York Times [1] and the Washington Post [2] at

the beginning of 2013 had a world-wide media

coverage and also heated the debate about such

cyber threats with manufacturers of IT security

products like antivirus and endpoint protection

software. In both mentioned cases, attackers were

able to install malware on computer systems of

employees in order to literally spy on the affected

companies – and this probably undetected for

several months.

Once more, incidences like these have pointed

out that in spite of the use of IT security products

like antivirus software or host intrusion detection/prevention

software (HIDS/HIPS) such

attacks cannot be entirely prevented. This kind

of threat illustrates that enterprises and also government

agencies require a master plan with a

working information security management and

security awareness of all employees.

This paper discusses how developers of malware

like trojan horses (in short trojans), viruses, and

worms proceed to hide their malicious intentions

from antivirus software. Thereby, current results

of our recent research are presented and recommendations

are given for dealing with threats and

security risks caused by malware.

How Antivirus Software Works

Current antivirus software, no matter if a standalone

software product or a component of a software

suite (host intrusion detection/prevention

software, endpoint protection software, etc.), uses

different methods to detect known and unknown

threats by means of malware.

In general, these methods used for protecting

computer systems from unwanted, malicious

software can be assigned to the following two

strategies:

1. Blacklisting

2. Whitelisting

In the context of antivirus software, the two

terms blacklisting and whitelisting simply mean

that the execution of a program is either explicitly

forbidden (being on a black list) or explicitly

allowed (being on a white list). Thus, by following

the blacklisting approach antivirus software

will prevent the execution of programs that are

Read more: http://dl.packetstormsecurity.net/papers/general/outsmarted-malware.pdf