Hackers know that most users will be running some type of anti-virus program. Yes, many times the anti-virus is not up to date, but what if it is? The bad guys will take a piece of known malware and modify it to fit their needs. Then, knowing that an anti-virus signature scan may pick it up, they obfuscate the code by running it through a special program.
They now have an obfuscated binary file. But did it work? Will it bypass anti-virus detection? Many times, the evil hacker will take this file and upload it to a website that checks for viruses. Sites like Virus Total will check uploaded files against about 40 current anti-virus programs. If it comes back as undetected or a low detection rate, they release it.
Pretty scary, but this tactic has been known for years. Even ethical penetration testers use this technique when trying to inject a remote shell into a network for security testing. Unfortunately it is possible to get infected with a virus, even though your anti-virus is running and up to date.
But it looks like this obfuscation step may no longer be needed. According to an article on The Register, security researchers from Matousec.com have found that most current anti-virus programs are vulnerable to a System Service Descriptor Table attack.
Basically what this means is that when a malicious file is being scanned, it can offer garbage code up to the scanner, then switch it with the malicious code:
The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it’s executed, swaps it out with a malicious payload.
How effective could this be in a real attack? H D Moore, CSO and Chief Architect of the Metasploit project, told The Register in an instant message:
“Realistic scenario: someone uses McAfee or another affected product to secure their desktops, a malware developer abuses this race condition to bypass the system call hooks, allowing the malware to install itself and remove McAfee. In that case, all of the ‘protection’ offered by the product is basically moot.”
This is why it is imperative to have your Operating System security updates current and to use intrusion detection systems and network system monitoring and not rely on anti-virus protection alone to protect your network. For more information see The Register.