Why an Anti-Virus Can’t Protect You from All Viruses

Thursday, November 18, 2010

Dan Dieterle


Very frequently I get asked, “Why didn’t (Insert your favorite AV program here) stop the virus from infecting my computer?”

Well, the simple answer is, it was created to bypass it.

People writing exploits know that they must get their virus past Anti-Virus. They also know that most Anti-Virus and intrusion detection programs base protection on signature matching. So they obfuscate their code to bypass it.

At first, hackers found that adding random text strings to the beginning of old, already detected viruses allowed them to bypass scanners. They would actually cut and paste readme.txt files to the beginning of the exploit. Anti-virus makers have figured this out and adjusted their scanning tactics.

Now, most hackers will use an encoding program to modify the exploit code. Several exist, but one of the best I have seen is Shikata_ga_nai. The name comes from a Japanese phrase that literally means “Nothing can be done about it.”

These encoders take the exploit code and modify it so it looks completely different to an anti-virus scanner or an intrusion detection system. Sometimes one pass through the encoder is not enough to trick a strong scanner, so the programs allow for multiple encoding passes.

I have never seen any anti-virus detect an exploit code that has been passed through Shikata_ga_nai more than twice.
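To make the signature-versus-encoding point concrete, here is an added Python example written for this article; it is not the author's code and it is not Shikata_ga_nai, which is a far more elaborate polymorphic encoder. It uses a constructed, harmless marker string in place of a malicious pattern: a plain byte-signature scanner matches the raw marker, loses it after the marker is run through a few passes of a small additive-feedback XOR transform with a different key each time, and finds it again only when the scanner emulates the decoder the sample carries and matches on the recovered bytes. An entropy measure is included as the kind of heuristic scanners use to flag encoded content even when no signature matches. The function names, the "ENC" header layout and the sample keys are assumptions of this example.

```python
import math
from collections import Counter

# Constructed, benign stand-in for a known-bad byte pattern. It is only a
# marker string so the scanner has something to match; it is not malware.
PAYLOAD = b"CONSTRUCTED-KNOWN-BAD-PATTERN-0001"

# The scanner's signature database: raw bytes it has seen before.
SIGNATURES = {"Constructed.Sample.A": PAYLOAD}


def signature_scan(blob):
    """Plain signature matching: report every signature whose raw bytes occur in blob."""
    return [name for name, sig in SIGNATURES.items() if sig in blob]


def encode_once(data, key):
    """One pass of a simple additive-feedback XOR transform (an illustrative
    stand-in for a polymorphic encoder, not Shikata_ga_nai itself). Each output
    byte feeds into the key for the next, so a different seed byte rewrites the
    whole body."""
    out, k = bytearray(), key
    for b in data:
        c = b ^ k
        out.append(c)
        k = (k + c) & 0xFF
    return bytes(out)


def decode_once(data, key):
    """Inverse of encode_once: the feedback uses the encoded byte, which the decoder also has."""
    out, k = bytearray(), key
    for c in data:
        out.append(c ^ k)
        k = (k + c) & 0xFF
    return bytes(out)


def encode(data, keys):
    """Apply one pass per key and prepend a tiny header: marker, pass count, keys.
    In a real packer the same information lives in the decoder stub that runs first."""
    body = data
    for k in keys:
        body = encode_once(body, k)
    return b"ENC" + bytes([len(keys)]) + bytes(keys) + body


def emulate_decoder(blob):
    """What a scanner with an unpacking/emulation stage does: run the decoder logic
    the sample carries and recover the original bytes before matching signatures."""
    if not blob.startswith(b"ENC") or len(blob) < 4:
        return blob
    n = blob[3]
    keys, body = blob[4:4 + n], blob[4 + n:]
    for k in reversed(keys):
        body = decode_once(body, k)
    return body


def emulating_scan(blob):
    """Signature matching on the decoded content rather than on the raw file."""
    return signature_scan(emulate_decoder(blob))


def shannon_entropy(data):
    """Bits per byte: encoded or packed content sits near 8, plain text or code much lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    keys = [0x5A, 0xC3, 0x17]          # constructed sample keys, one per pass
    sample = encode(PAYLOAD, keys)
    print("raw bytes      :", signature_scan(PAYLOAD))
    print("3-pass encoded :", signature_scan(sample))
    print("with emulation :", emulating_scan(sample))
    print(f"entropy raw={shannon_entropy(PAYLOAD):.2f} encoded={shannon_entropy(sample):.2f}")
```

The defender's lesson is in the last two functions: matching raw bytes is cheap but brittle, because every re-encoding produces a file the signature has never seen, while decoding (or emulating) before matching, and flagging high-entropy regions, is what lets a scanner keep up without a new signature per variant.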

When encoding malware, it is common for a hacker to upload the encoded exploit file to a site like VirusTotal to check it against multiple anti-virus signature bases to see if it would be detected. If the website scanners do not detect the virus, they know they have a pretty good chance of sneaking it past the real thing.

In actuality, many “state of the art” botnets are simply recreations of older ones that have been updated and encoded. Many large corporations have given up depending on anti-virus and intrusion detection systems to stop these threats and instead believe that Network Security Monitoring (NSM) is the answer.

NSM is basically recording all traffic and looking for suspicious patterns. If you want to learn more, Richard Bejtlich talks about this subject in depth in his book “The Tao of Network Security Monitoring”. Bejtlich is a security expert, author, presenter and the head of GE’s IT security response team.

Many of the modern advanced threats easily bypass anti-virus and then download other viruses onto your machine, usually spammer-type viruses. The modern threat creators sometimes actually get paid by spammers to download these additional threats to your system.

This is why you usually don’t get a single virus, but multiple infections, when you get a newer virus. And this is why cleaning up viruses on a machine with multiple infections may be a waste of time: your anti-virus cleaner may not even see the root cause, only the other malware it downloaded.

So when the other ones are cleaned off, the advanced threat checks, sees them missing and simply downloads them again. You could spend hours trying to get these off, and you may never get the root cause.
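As an added example of the NSM approach described above and of the re-download behaviour in the last few paragraphs (example code written for this article, not from the author or from Bejtlich's book), the Python below runs two simple detections over constructed proxy-log lines: a client that fetches the same executable from the same server more than once, and a client whose contacts with a server recur at a regular interval. The log format, the thresholds and the addresses (RFC 5737 documentation ranges) are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed, simplified proxy-log lines: timestamp, internal client, external
# server, request path, response content type. Addresses are RFC 5737
# documentation ranges; nothing here is a real indicator.
SAMPLE_LOG = """\
2010-11-18T09:00:05 10.1.2.15 203.0.113.7 /update/a.exe application/octet-stream
2010-11-18T09:00:06 10.1.2.15 203.0.113.7 /update/b.exe application/octet-stream
2010-11-18T09:12:00 10.1.2.22 198.51.100.9 /news/index.html text/html
2010-11-18T09:13:10 10.1.2.22 198.51.100.9 /news/photo.jpg image/jpeg
2010-11-18T09:30:05 10.1.2.15 203.0.113.7 /update/a.exe application/octet-stream
2010-11-18T09:30:06 10.1.2.15 203.0.113.7 /update/b.exe application/octet-stream
2010-11-18T09:40:00 10.1.2.22 192.0.2.44 /downloads/tool.exe application/octet-stream
2010-11-18T10:00:05 10.1.2.15 203.0.113.7 /update/a.exe application/octet-stream
"""

EXEC_TYPES = {"application/octet-stream", "application/x-msdownload"}
EXEC_EXT = re.compile(r"\.(exe|dll|scr)$", re.IGNORECASE)


def parse_log(text):
    """Parse the constructed format into (time, src, dst, path, ctype) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, path, ctype = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, path, ctype))
    return sorted(events, key=lambda e: e[0])


def is_executable(path, ctype):
    """Treat a response as an executable download by content type or file extension."""
    return ctype in EXEC_TYPES or bool(EXEC_EXT.search(path))


def sessionize(times, gap=timedelta(seconds=60)):
    """Collapse requests closer together than `gap` into one session; return session start times."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or t - last > gap:
            starts.append(t)
        last = t
    return starts


def is_regular(starts, min_gaps=2, tolerance=0.1):
    """True when sessions are evenly spaced: every gap within `tolerance` of the median gap."""
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    if len(gaps) < min_gaps:
        return False
    m = median(gaps)
    return all(abs(g - m) <= tolerance * m for g in gaps)


def analyze(events, min_repeats=2):
    """Return {(src, dst): [reasons]} for client/server pairs that re-download the same
    executable or talk to the server on a fixed cadence."""
    exe_fetches = defaultdict(list)   # (src, dst, path) -> fetch times
    contacts = defaultdict(list)      # (src, dst) -> times of every request
    for ts, src, dst, path, ctype in events:
        contacts[(src, dst)].append(ts)
        if is_executable(path, ctype):
            exe_fetches[(src, dst, path)].append(ts)

    findings = defaultdict(list)
    for (src, dst, path), times in exe_fetches.items():
        if len(times) >= min_repeats:
            findings[(src, dst)].append(f"executable {path} fetched {len(times)} times")
    for (src, dst), times in contacts.items():
        starts = sessionize(times)
        if is_regular(starts):
            gap = (starts[1] - starts[0]).total_seconds()
            findings[(src, dst)].append(
                f"regular contact every ~{gap:.0f}s over {len(starts)} sessions")
    return dict(findings)


if __name__ == "__main__":
    for (src, dst), reasons in analyze(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}")
        for r in reasons:
            print("   ", r)
```

Neither rule needs to know what the downloaded file is, which is the point: a scanner that has no signature for the root infection still leaves this traffic pattern behind, and the same executable arriving at the same host every half hour is exactly the re-download loop described above. In practice the thresholds would be tuned against the organization's own update servers, which also fetch on a schedule.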

Most corporate policy nowadays is that if your machine gets infected and a single pass of anti-virus cleanup doesn’t get it off, they will just wipe the machine and restore from backup. Some will not even bother with cleanup, seeing that it got past the anti-virus in the first place, and just wipe and re-install.

Unfortunately, malware has become big business for hackers. Anti-virus alone cannot protect corporate networks, and additional steps must be taken.

Cross-posted from Cyber Arms

Comment from Sarah White: Anti-virus is too much of a static solution in a dynamic environment. The network administrators here are now looking into monitoring techniques too. I think anti virus software has stayed in business this long out of "end user fear" and the home user feeding profits into their products. Take that away and the industry might evolve quicker.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.