Protection mechanisms

A few days ago we mentioned the protection mechanism that Sober uses to keep anti-virus programs from detecting it. Such mechanisms are actually fairly common these days.

They are frequently used by adware and adware related Trojans. These techniques have evolved over time and are getting very sophisticated. So antivirus vendors are having to work hard to combat these new methods.

There’s a range of interesting examples.

When some AdWare companies realised that antivirus solutions could easily delete their software, they first resorted to running multiple processes that guard each other: if either process or its file is deleted, the other one automatically respawns it. This technique is still in use today, in an enhanced form.
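
To make the mutual-guarding pattern concrete from the detection side, here is an added example (not code from the original post) that looks for it in a process event log. The event format, the image paths and the sample events are constructed; the heuristic is simply that an image exits and is restarted within a short window by a process of a second image, and the second image is restarted the same way by the first.

```python
"""Spot pairs of processes that restart each other after one is killed.
Added example, not from the original post: the event format, image paths
and sample events below are constructed for illustration."""
from collections import defaultdict

# Constructed process events: (time_s, kind, pid, ppid, image).
# kind is "start" or "exit"; ppid is the parent recorded at creation.
SAMPLE_EVENTS = [
    (0.0, "start", 100, 1, r"C:\Program Files\Foo\guard_a.exe"),
    (0.1, "start", 101, 100, r"C:\Program Files\Foo\guard_b.exe"),
    (5.0, "exit", 100, 1, r"C:\Program Files\Foo\guard_a.exe"),     # A terminated
    (5.2, "start", 102, 101, r"C:\Program Files\Foo\guard_a.exe"),  # B restarts A
    (9.0, "exit", 101, 100, r"C:\Program Files\Foo\guard_b.exe"),   # B terminated
    (9.3, "start", 103, 102, r"C:\Program Files\Foo\guard_b.exe"),  # A restarts B
    (12.0, "start", 200, 1, r"C:\Windows\explorer.exe"),
    (12.5, "exit", 200, 1, r"C:\Windows\explorer.exe"),
    (12.6, "start", 201, 1, r"C:\Windows\explorer.exe"),            # ordinary restart, no guardian
]


def find_respawns(events, window_s=2.0):
    """Return edges (parent_image, child_image): an instance of child_image
    exited and a new one was started by a parent_image process within window_s."""
    pid_image = {}                      # live pid -> image path
    recent_exits = defaultdict(list)    # image path -> exit timestamps
    edges = set()
    for t, kind, pid, ppid, image in sorted(events):
        if kind == "exit":
            recent_exits[image].append(t)
            pid_image.pop(pid, None)    # pids get reused; forget the dead one
            continue
        pid_image[pid] = image
        parent_image = pid_image.get(ppid)
        if parent_image is None:
            continue                    # parent unknown or already gone
        if any(0 <= t - te <= window_s for te in recent_exits[image]):
            edges.add((parent_image, image))
    return edges


def find_mutual_guards(events, window_s=2.0):
    """Pairs of images that each respawn the other: the guarding pattern."""
    edges = find_respawns(events, window_s)
    pairs = {tuple(sorted(e)) for e in edges if (e[1], e[0]) in edges}
    return sorted(pairs)


if __name__ == "__main__":
    for a, b in find_mutual_guards(SAMPLE_EVENTS):
        print("mutual respawn:", a, "<->", b)
```

The window is the tunable part: too wide and ordinary service restarts start to pair up, too narrow and a guardian that polls every few seconds slips through. The explorer.exe restart in the sample is kept to show that a restart by a parent the log never saw start is not reported.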

Of course there’s the Sober approach: protecting a file in such a manner that it can’t be scanned. For instance, some versions of Trojan-Downloader.Win32.Istbar do this, and have an additional mechanism which aims to prevent the process memory from being scanned.

A version of AdWare.Isearch effectively re-introduced an old technique.
It uses a .sys driver that write-protects its files. This means that an antivirus can detect the files but cannot delete them. Such .sys drivers are also used to hide malware and its activities, which is what the now very popular rootkits do.
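
The two file-level tricks above (a file that cannot be scanned, and a file that can be seen but not deleted) share one practical lesson for a scanner: an access failure must be recorded as a finding, not silently skipped. The following added example (not code from the original post or from any of the products it names) shows a small scanner that does this. The sample tree, the file names and the SimulatedProtection class standing in for a driver or lock are all constructed.

```python
"""Treat files that cannot be read or removed as findings instead of
silently skipping them.  Added example, not from the original post: the
sample tree and the SimulatedProtection stand-in are constructed."""
import hashlib
import os
import shutil
import tempfile


class SimulatedProtection:
    """Stand-in for a driver or lock that refuses reads and deletes of one file."""

    def __init__(self, protected_name):
        self.protected_name = protected_name

    def _check(self, path):
        if os.path.basename(path) == self.protected_name:
            raise PermissionError(13, "simulated driver protection", path)

    def open(self, path, mode="rb"):
        self._check(path)
        return open(path, mode)

    def remove(self, path):
        self._check(path)
        os.remove(path)


def scan_tree(root, opener=open):
    """Hash every readable file; return (hashed, blocked) where blocked maps
    paths the scanner could see but not read to the error it hit."""
    hashed, blocked = {}, {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = hashlib.sha256()
                with opener(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        digest.update(chunk)
                hashed[path] = digest.hexdigest()
            except OSError as exc:
                # A file that is present but refuses to be read is itself a signal.
                blocked[path] = f"{type(exc).__name__}: {exc}"
    return hashed, blocked


def try_remove(paths, remover=os.remove):
    """Attempt deletion; return the paths that resisted (detected, not removable)."""
    stuck = {}
    for path in paths:
        try:
            remover(path)
        except OSError as exc:
            stuck[path] = f"{type(exc).__name__}: {exc}"
    return stuck


def build_sample_tree():
    """Constructed sample: two ordinary files and one that will be 'protected'."""
    root = tempfile.mkdtemp(prefix="scan_demo_")
    samples = {"readme.txt": b"hello", "tool.exe": b"MZ" + b"\0" * 64,
               "guard.sys": b"MZ" + b"\1" * 64}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


def demo():
    """Run the scan against the sample tree; return file names by outcome."""
    root = build_sample_tree()
    try:
        guard = SimulatedProtection("guard.sys")
        hashed, blocked = scan_tree(root, opener=guard.open)
        stuck = try_remove(blocked, remover=guard.remove)
        return {
            "hashed": sorted(os.path.basename(p) for p in hashed),
            "blocked": sorted(os.path.basename(p) for p in blocked),
            "stuck": sorted(os.path.basename(p) for p in stuck),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The opener and remover are injected so the failure path can be exercised deterministically; against a real system the defaults (`open` and `os.remove`) are used and the same two result sets tell an operator which files were scanned, which refused to be read, and which refused to go away.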

There are many more examples of how malware tries to protect itself. It is very clear that such techniques are putting pressure on security vendors to push the envelope in detection.

The use of .sys drivers has been increasing over the past few months. We are now at a point where open source IRCBots are also using this functionality to hide their presence in infected systems and this is a very worrying trend.
