Anti-malware services are important for anyone to have on their devices. These tools will act as the first line of defense against cyber attacks and can identify and block malicious tools. While anti-malware is extremely effective in many cases, a dedicated attacker may be able to defeat it with specialized techniques. This can be done in several different ways, and there is no single best answer. Attackers will analyze the target network or machine and develop a customized strategy to bypass defenses.
Understanding Anti-malware
The first step to defeating anti-malware is understanding how it works. Anti-malware services scan files that land on a device and analyze them for behavior that they recognize as dangerous. While each anti-malware tool has its own techniques for defeating malicious software, they all follow the same basic procedures, usually combining two tactics: static and heuristic detections.
Static detections are much simpler than heuristic detections. They look for particular signifiers found in previously identified malware samples, such as specific function names or code comments. The tool checks the file in question against a list of learned malicious strings and blocks the file if there is a match. One interesting side effect of this analysis is that it may trigger false positives on completely harmless files, such as a text file containing the code comments of a piece of malware.
Heuristic detections are much more complex. Many different tests can be done under this method, but the general idea is that they all try to sandbox the file in question and see what it does. If the file under test does something dangerous, such as trying to access a sensitive service, it is flagged as dangerous. This works similarly to static detections in that the observed behavior is checked against a list of known bad behaviors.
Defeating Anti-malware
Once someone knows how anti-malware works, they can start understanding how it is possible to defeat it. It will rarely be sufficient to bypass one aspect of an anti-malware program, meaning the attacker must know how to avoid every part of the detection. Hackers must also understand how the specific service in question works to avoid being caught by it more effectively. Detections evolve rapidly, so only cutting-edge techniques will work.
The bypasses can be as simple as modifying detected strings for static or signature-based detections. Changing function names and removing code comments can often effectively bypass this aspect of anti-malware. Many available tools will also obfuscate code to make it more difficult to understand, possibly evading detection. Simple obfuscations may not always work, as the anti-malware service may attempt to deobfuscate strings. It can be worth completely renaming detected strings to get around this.
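To make the two detection layers from the previous section concrete, and to show the string-deobfuscation step this paragraph mentions, here is a toy scanner. It is an added illustration written for this page, not any vendor's engine: the signature list, behavior rules, sample file contents and sandbox traces are all constructed, and the single base64-decoding pass stands in for the much richer unpacking a real product performs.

```python
"""Toy anti-malware scanner: a static signature layer plus a heuristic layer
over a recorded sandbox trace.  Everything here is constructed for
illustration and is not a real product's rule set."""
from __future__ import annotations

import base64
import re

# Static layer: byte strings seen in previously identified samples (constructed).
STATIC_SIGNATURES: dict[str, bytes] = {
    "SIG-001": b"InjectIntoRemoteProcess",
    "SIG-002": b"// stage2 loader v3",
}

# Heuristic layer: (action, target pattern) pairs that a sandbox run would
# report as dangerous (constructed rule names and patterns).
BEHAVIOUR_RULES: dict[str, tuple[str, re.Pattern[str]]] = {
    "H-001": ("write", re.compile(r"^/etc/(passwd|shadow)$")),
    "H-002": ("connect", re.compile(r":4444$")),
}

# A run of base64 alphabet characters long enough to be worth decoding.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def _decoded_blobs(data: bytes) -> list[bytes]:
    """Return every base64 run in `data` that decodes cleanly.

    This is the 'attempt to deobfuscate strings' step: a signature hidden
    behind one base64 layer is still matched.  Runs that are not valid
    base64 (wrong length, bad padding) are simply skipped."""
    blobs: list[bytes] = []
    for match in _B64_RUN.finditer(data):
        try:
            blobs.append(base64.b64decode(match.group(0), validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return blobs


def static_scan(data: bytes) -> list[str]:
    """Signature IDs whose string appears in the raw bytes or in any decoded blob."""
    views = [data, *_decoded_blobs(data)]
    return sorted(
        sig_id for sig_id, sig in STATIC_SIGNATURES.items()
        if any(sig in view for view in views)
    )


def heuristic_scan(trace: list[tuple[str, str]]) -> list[str]:
    """Rule IDs matched by a recorded sandbox trace of (action, target) events."""
    return sorted(
        rule_id for rule_id, (action, pattern) in BEHAVIOUR_RULES.items()
        if any(act == action and pattern.search(target) for act, target in trace)
    )


def scan(data: bytes, trace: list[tuple[str, str]]) -> dict:
    """Combine both layers; a hit in either one blocks the file."""
    static_hits = static_scan(data)
    heuristic_hits = heuristic_scan(trace)
    return {
        "static": static_hits,
        "heuristic": heuristic_hits,
        "blocked": bool(static_hits or heuristic_hits),
    }


# Constructed samples.
# 1) A harmless analyst's notes file that quotes a known malicious comment:
#    the static layer fires on it (the false-positive side effect from the text).
NOTES_FILE = b"Analysis notes\n// stage2 loader v3\nwas seen in sample X\n"
NOTES_TRACE = [("open", "/home/analyst/notes.txt")]

# 2) A file whose marker string is wrapped in base64: plain matching misses it,
#    the deobfuscation pass catches it.
ENCODED_FILE = b"payload: " + base64.b64encode(b"InjectIntoRemoteProcess") + b"\n"

# 3) A file with no known strings at all whose sandbox run shows it reaching
#    out to port 4444: only the heuristic layer fires.
UNKNOWN_FILE = b"MZ\x90\x00 nothing recognisable here\n"
UNKNOWN_TRACE = [("open", "/tmp/work"), ("connect", "10.0.0.5:4444")]

if __name__ == "__main__":
    for name, data, trace in [
        ("notes", NOTES_FILE, NOTES_TRACE),
        ("encoded", ENCODED_FILE, []),
        ("unknown", UNKNOWN_FILE, UNKNOWN_TRACE),
    ]:
        print(f"{name:8s} -> {scan(data, trace)}")
```

Two things the output makes visible: the static layer blocks the notes file even though it is inert, which is exactly why defenders see signature false positives on analyst documentation, and the third sample is caught only because the sandbox trace is checked as well, which is why a product that relied on one layer alone would be far easier to slip past.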
Heuristic detections are more complicated to bypass. There are only so many ways to pull off a certain attack, so it can be difficult to modify behavior to the point where it is no longer detected. In this case, trying to trick the sandbox environment that runs the malware can be more effective. Advanced malware often has detections in place to know if it is in a sandbox by abusing certain limitations in the virtual environments. The code can be modified not to do anything suspicious if it believes it is in a sandbox, which may bypass heuristic detections.
Another option that attackers frequently pursue is simply abusing intended functionality instead of using malware. This is especially effective in larger networks, such as an Active Directory network. Hackers can bypass the need for malware by attacking poorly configured services, tools, and accounts to gain the access needed for their end goals. It is important to remember that if an attacker can get a high enough level of access, they may be able to turn off anti-malware altogether.
Even without disabling anti-malware, attackers can make direct calls to certain services that might be helpful for them. It is also common for attackers to simply abuse human tendencies to leave files with sensitive information or credentials out in the open. When they can do this, it will raise far fewer alarms than using malware that runs the risk of them being caught. Defenders should always remember that anti-malware is only one part of comprehensive security.
Meet Your Security Goals With Blue Goat Cyber
Even the best anti-malware systems can be defeated if defenders are not careful. That’s why we are here to help. Blue Goat can help you identify any weak points in your security and work with your team to build a better defensive posture. Contact us to find the right solution for you.