Researcher builds malware that can evade detection of most AV products

Aug 5, 2014 10:41 GMT  ·  By

A researcher has found that the code emulation environments in antivirus products have weaknesses that can be leveraged by malware to bypass protection.

Code-emulation is a feature designed for catching malware that still has to be identified and classified by security companies. It consists of simulating suspicious code in a virtual machine and determining whether it is malicious in nature or not.

However, researcher Kyle Adams, chief software architect for Junos Webapp Secure at Juniper Networks, created a piece of malware capable of evading detection by major antivirus products, but it could not escape the code-emulation feature available in the free version of AVG.

He proceeded to reverse-engineer AVG’s feature and managed to find the weak spots that allowed his malware to evade detection.

The researcher will present his findings, along with methods for improving code emulation environments, on Tuesday, July 5, at the BSides Las Vegas conference.

“The result is a Command-and-Control (C&C) bot, in a non-obfuscated windows shell script, that AVG and many other leading AV engines will not detect,” Adams said in the abstract for the conference presentation.

This is not the first finding that proves that antivirus products and their components are vulnerable and can be exploited by attackers.

Joxean Koret from the Singapore-based firm Coseinc made a presentation on the subject at the SysScan 360 conference in Beijing last month, revealing that multiple antivirus products had plenty of weaknesses and could increase the attack surface on a target computer.

He also talked about how the emulator in a security product could be compromised, since it is the component that unpacks files and scans them in an isolated environment.

An exploitation scenario provided by the security researcher consists of sending a ZIP archive with two files inside, one that forces the emulator to load and the other being an exploit for this feature.

The purpose of Kyle Adams’ presentation this week is to provide solutions that could lead to improving the security of code emulation environments and better detection of zero-days.

He says that, at this moment, although code emulation technology is “a powerful step in the right direction for client security,” it is far from being mature and needs to grow a lot until its true potential is fully tapped.

Although he picked AVG’s feature to reverse engineer, Adams says that “this is not a jab against AVG, as they get enormous credit for including such a powerful tool in a free antivirus client.”