How hackers bypass antivirus

Sandbox detection, behaviour modification, logic bombs, and zero day attacks. How hackers and malware ignore your AV.

Hackers know these techniques, you should too.

As cyber threats become more sophisticated, it is important to understand the different techniques attackers can use to evade detection. In this article, we will discuss four different techniques which can be used to evade detection: detecting simulation software, only activating under certain conditions, through a zero day attack, and through fileless malware.

  • Detecting simulation software: Much as a major car manufacturer's engine software could reduce emissions only while an emissions test was under way, malware can detect when it is being run in a sandbox and adjust its behaviour accordingly. It can do this, for example, by recognizing an IP address associated with an antivirus company or by detecting that company's particular registry keys. Alternatively, malware may not check for a sandbox at all and instead use simple or advanced "stalling" techniques that delay activation until a certain period of time has passed. This exploits a real-life shortcoming of sandboxes: their analysis time is inherently limited by the end user's patience.
  • Only activating under a certain condition: Malware can be configured to activate only in certain environments, for example against a specific browser version, or only when a certain condition is met, as in a logic bomb attack, which may wait for a particular time of day, a particular geographic location, or a specific trigger word to be typed.
  • Through a Zero Day Attack: Zero day attacks leverage zero day vulnerabilities, that is, vulnerabilities known only to the attacker, which are therefore very difficult to defend against. Some defences exist, but they are marred by a high number of false positives.
  • Through Fileless Malware: Fileless malware uses existing, legitimate Windows components such as binaries, libraries, and scripts, and is difficult for current AV systems to detect because it hides in memory rather than writing files to disk. It runs from system memory, ignores the actual file system, and can create a virtual file system on the fly and execute malicious code without writing anything to the hard drive. This type of malware is particularly dangerous because it can bypass traditional security measures such as antivirus and firewalls, increasing the likelihood of a successful attack.
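The stalling shortcoming described above is usually countered on the sandbox side by fast-forwarding sleep requests instead of honouring them, so a sample that idles for ten minutes still reaches its later stages within the analysis window, and the size of the requested delay itself becomes an indicator. The following is an added, simplified illustration written for this article, not code from the original post or from any sandbox product; the analysis budget, the virtual clock and both sample functions are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

ANALYSIS_BUDGET_S = 120.0   # constructed: how long a real sandbox run would wait


@dataclass
class SandboxClock:
    """Virtual clock handed to the sample under analysis. Sleep requests
    advance simulated time instantly instead of burning the analysis window,
    so a stalling sample reaches its later stages while it is still observed."""
    now: float = 0.0
    requested_sleep: float = 0.0
    sleep_calls: int = 0
    trace: List[Tuple[str, float]] = field(default_factory=list)

    def sleep(self, seconds: float) -> None:
        self.sleep_calls += 1
        self.requested_sleep += seconds
        self.now += seconds                 # fast-forward, no real waiting
        self.trace.append(("sleep", seconds))

    def time(self) -> float:
        return self.now


def run_under_sandbox(sample: Callable[[SandboxClock], str],
                      budget_s: float = ANALYSIS_BUDGET_S) -> dict:
    """Execute a sample against the virtual clock and report stalling indicators."""
    clock = SandboxClock()
    outcome = sample(clock)
    return {
        "outcome": outcome,
        "requested_sleep_s": clock.requested_sleep,
        "sleep_calls": clock.sleep_calls,
        # True when the sample's own delays would have outlasted a real run
        "stalling_suspected": clock.requested_sleep > budget_s,
    }


def constructed_stalling_sample(clock: SandboxClock) -> str:
    """Constructed stand-in for a sample that idles for ten simulated minutes
    before doing anything observable (the behaviour the post describes)."""
    start = clock.time()
    while clock.time() - start < 600:
        clock.sleep(30)
    return "later_stage_observed"


def constructed_benign_sample(clock: SandboxClock) -> str:
    """Constructed stand-in for a program with an ordinary short pause."""
    clock.sleep(1)
    return "later_stage_observed"
```

With the virtual clock the stalling sample's later stage is observed immediately, and its 600 seconds of requested sleep, far beyond the 120 second budget, is reported as a stalling indicator.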

This article discusses four techniques which attackers can use to evade detection: detecting simulation software, only activating under certain conditions, through a zero day attack, and through fileless malware. It explains how malware can detect when it is being tested in a sandbox, as well as how it can be configured to only activate in certain environments or when a certain condition is met. It also covers zero day attacks, which leverage zero day vulnerabilities, and fileless malware, which can bypass traditional security measures.
