Very frequently I get asked, “Why didn’t (Insert your favorite AV program here) stop the virus from infecting my computer?” Well, the simple answer is, it was created to bypass it.
People writing exploits know that they must get their virus past Anti-Virus. They also know that most Anti-Virus and intrusion detection programs base protection on signature matching. So they obfuscate their code to bypass it.
At first, hackers found that adding random text strings to the beginning of old, already detected viruses allowed them to bypass scanners. They would actually cut and paste readme.txt files to the beginning of the exploit. Anti-virus makers have figured this out and adjusted their scanning tactics.
Now, most hackers will use an encoding program to modify the exploit code. Several exist, but one of the best I have seen is Shikata_ga_nai. The name comes from a Japanese phrase that literally means “Nothing can be done about it.”
These take the exploit code and modify it so it looks completely different to an anti-virus scanner or an intrusion detection system. Sometimes once through the decoder is not enough to trick a strong scanner, so the programs allow for multiple encoding passes.
I have never seen any anti-virus detect an exploit code that has been passed through Shikata_ga_nai more than twice.
When encoding malware, it is common for a hacker to upload the encoded exploit file to a site like VirusTotal to check it against multiple anti-virus signature bases to see if it would be detected. If the website scanners do not detect the virus, they know they have a pretty good chance of sneaking it past the real thing.
In actuality, many “state of the art” botnets are simply recreations of older ones that have been updated and encoded. Many large corporations have given up depending on anti-virus and intrusion detection systems to stop these threats and instead believe that Network Security Monitoring (NSM) is the answer.
NSM is basically recording all traffic, and looking for suspicious patterns. If you want to learn more, Richard Bejtlich talks about this subject in-depth in his book “The Tao of Network Security Monitoring”. Bejtlich is a security expert, author, presenter and the head of GE’s IT security response team.
Many of the modern advanced threats easily bypass anti-virus and then download other viruses onto your machine. Usually Spammer type viruses. The modern threat creators sometimes actually get paid by spammers to download these additional threats to your system.
This is why you usually don’t get a single virus, but multiple infections when you get a newer virus. And this is why cleaning up viruses in a machine with multiple infections may be a waste of time. Your anti-virus cleaner may not even see the root cause, but the other malware it downloaded.
So when the other ones are cleaned off, the advanced threat checks, sees them missing and simply downloads them again. You could spend hours trying to get these off, and you may never get the root cause.
Most corporate policy nowadays is if your machine gets infected and a single pass of anti-virus cleanup doesn’t get it off, they will just wipe the machine and restore from backup. Some will not even bother with cleanup, seeing that it got past the anti-virus in the first place, and they just wipe and re-install.
Unfortunately, malware has become big business for hackers, Anti-Virus alone cannot protect corporate networks and additional steps must be taken.