Protection mechanisms

A few days ago we mentioned the protection mechanism that Sober uses to keep anti-virus programs from detecting it. Such mechanisms are actually fairly common these days.

They are frequently used by adware and adware related Trojans. These techniques have evolved over time and are getting very sophisticated. So antivirus vendors are having to work hard to combat these new methods.

There’s a range of interesting examples.

When some AdWare companies realised that antivirus solutions could easily delete their software, they first resorted to multiple processes guarding each other.
If either process/file is deleted, the other one would automatically respawn it. This technique is still being used in an enhanced form.

Of course there’s the Sober approach: protecting a file in such a manner that it can’t be scanned. For instance, some versions of Trojan-Downloader.Win32.Istbar do this, and have an additional mechanism which aims to prevent the process memory from being scanned.

A version of AdWare.Isearch effectively re-introduced an old technique.
It makes use of a .sys driver which write-protects its files. This means that an antivirus can detect the files, but not delete them. These .sys drivers are also used to hide malware and its activities – resulting in the very popular rootkits.

There are many more examples of ways how malware tries to protect itself. It’s very clear that such techniques are placing pressure on security vendors to push the envelope in detection.

The use of .sys drivers has been increasing over the past few months. We are now at a point where open source IRCBots are also using this functionality to hide their presence in infected systems and this is a very worrying trend.