In order to infect a computer with malicious software, cybercriminals must either:
- Entice the user into launching an infected file or
- Try to penetrate the victim’s computer – via a vulnerability within the operating system or any application software that’s running on the machine
At the same time, the more professional cybercriminals will also try to ensure their malware evades any antivirus software that’s running on the victim’s computer.
Techniques used in combating antivirus software
To increase the likelihood of achieving their objectives, cybercriminals have developed a range of techniques to try to combat the activities of antivirus software, including:
- Code packing and encryption
The majority of worms and Trojan viruses are packed and encrypted. Hackers also design special utilities for packing and encrypting. Every Internet file that has been processed using CryptExe, Exeref, PolyCrypt and some other utilities, has been found to be malicious.
In order to detect packed and encrypted worms and Trojans, the antivirus program must either add new unpacking and decoding methods, or add new signatures for each sample of a malicious program.
- Code mutation
By mixing a Trojan virus’s code plus ‘spam’ instructions – so that the code takes on a different appearance, despite the Trojan retaining its original functionality – cybercriminals try to disguise their malicious software. Sometimes code mutation happens in real time – on all, or almost all, occasions that the Trojan is downloaded from an infected website. The Warezov mail worm used this technique and caused some serious epidemics.
- Stealth techniques
Rootkit technologies – that are generally employed by Trojan viruses – can intercept and substitute system functions, in order to make the infected file invisible to the operating system and antivirus programs. Sometimes even the registry branches – where the Trojan is registered – and other system files are hidden. The HacDef backdoor Trojan is an example of malicious code that uses these techniques.
- Blocking antivirus programs and antivirus database updates
Many Trojan viruses and network worms will actively search for antivirus programs in the list of active applications on the victim computer. The malware will then try to:
- Block the antivirus software
- Damage the antivirus databases
- Prevent the correct operation of the antivirus software’s update processes
- Masking the code on a website
Antivirus companies will quickly learn the addresses of websites that contain Trojan virus files – and their virus analysts can then study the content of these sites and add the new malware to their databases. However, in an attempt to combat antivirus scanning, a webpage can be modified – so that, when requests are sent by an antivirus company, a non-Trojan file will be downloaded instead of a Trojan.
- ‘Quantity’ Attacks
In a Quantity Attack, large quantities of new Trojan versions are distributed across the Internet within a short time period. As a result, antivirus companies receive huge numbers of new samples for analysis. The cybercriminal hopes that the time taken to analyse each sample will give their malicious code a chance to penetrate users’ computers.