McAfee experts have analyzed an interesting Fake AV family

Sep 2, 2013 18:36 GMT  ·  By

Malware developers are constantly working on ways to keep their creations from being detected by security solutions. One clever technique has been analyzed by researchers from McAfee.

According to McAfee research scientist Arvind Gowda, a new fake antivirus (Fake AV) variant leverages a clever dynamic loading trick to evade detection.

Dynamic loading is typically used to load a library into memory at runtime, and on Windows it is done through the LoadLibrary API. The name of the library to load is passed to LoadLibrary as an argument.

Usually, when malware authors employ such techniques, antivirus solutions can detect them based on both the code and its behavior.

However, the experts noticed that some Fake AV threats pass the argument to the LoadLibrary API in different ways.
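The following is an added example, not code from the McAfee post or the Fake AV sample it describes. It shows the mechanism the two paragraphs above refer to: a library is loaded by name at runtime (on Windows, Python's ctypes goes through the LoadLibrary API; on POSIX it calls dlopen(), used here as the closest analogue), and then the simplest static check a scanner can apply to such a call site, looking for the DLL name as a literal string in ASCII or UTF-16LE. The candidate library names, the helper names and the sample byte buffers are assumptions constructed for the example.

```python
import ctypes
import ctypes.util
import sys

# Library names to try, per platform (assumptions for this example).
# On Windows ctypes resolves names through the LoadLibrary API; on POSIX
# it uses dlopen(). None means "the already-loaded process image", which
# dlopen(NULL) supports and which already contains libm on Linux.
MATH_LIBRARY_CANDIDATES = {
    "win32": ["msvcrt"],
    "darwin": ["libSystem.dylib", "libm.dylib"],
}
DEFAULT_CANDIDATES = ["m", "libm.so.6", None]


def load_library(name):
    """Load one shared library by name at runtime and return its handle.

    The name is passed as a plain argument, the pattern described for
    LoadLibrary: the string is visible at the call site, which is what a
    static signature usually matches on.
    """
    if name is None:
        return ctypes.CDLL(None)
    path = ctypes.util.find_library(name) or name
    return ctypes.CDLL(path)


def load_math_library():
    """Try each candidate until one loads; re-raise the last OSError otherwise."""
    candidates = MATH_LIBRARY_CANDIDATES.get(sys.platform, DEFAULT_CANDIDATES)
    last_error = None
    for name in candidates:
        try:
            return load_library(name)
        except OSError as exc:
            last_error = exc
    raise last_error


def call_cos(x):
    """Resolve cos() from the dynamically loaded library and call it."""
    lib = load_math_library()
    cos = lib.cos
    cos.argtypes = [ctypes.c_double]
    cos.restype = ctypes.c_double
    return cos(x)


def literal_library_names(blob, names=(b"kernel32.dll", b"user32.dll")):
    """Return which of `names` appear verbatim in `blob`, as ASCII or UTF-16LE.

    This is the plainest static check an engine can apply around a
    LoadLibrary call: find the DLL name stored as a literal string. A name
    that is not stored as a literal is invisible to this check, which is
    why the way the argument is passed matters for detection.
    """
    lowered = blob.lower()  # bytes.lower() touches ASCII only, so NUL bytes survive
    found = []
    for name in names:
        ascii_form = name.lower()
        wide_form = ascii_form.decode("ascii").encode("utf-16-le")
        if ascii_form in lowered or wide_form in lowered:
            found.append(name.decode("ascii"))
    return found


# Constructed sample buffers for illustration, not bytes from any real sample.
SAMPLE_WITH_LITERAL = b"\x00LoadLibraryA\x00USER32.DLL\x00"
SAMPLE_WIDE_LITERAL = b"\x00LoadLibraryW\x00" + "kernel32.dll".encode("utf-16-le")
SAMPLE_NO_LITERAL = b"\x00LoadLibraryA\x00\x12\x34\x56\x78\x00"

if __name__ == "__main__":
    print("cos(0.0) via runtime-loaded library:", call_cos(0.0))
    for label, buf in [("ascii", SAMPLE_WITH_LITERAL),
                       ("wide", SAMPLE_WIDE_LITERAL),
                       ("none", SAMPLE_NO_LITERAL)]:
        print(label, literal_library_names(buf))
```

The third buffer contains the LoadLibrary import name but no DLL name literal, so the string check reports nothing; a behavioral check that watches the actual load at runtime is what catches that case, which is the second detection angle the article mentions.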

Additional technical details are available on McAfee’s blog.