Evasive Windows Malware: Impact on Antiviruses and Possible Countermeasures
This addresses the problem of malware evasion for antivirus developers, presenting an incremental approach to improving detection and countermeasures.
The paper investigates how malware can detect antiviruses by identifying their traces on a system, and evaluates the effectiveness of these evasion techniques against widely used antiviruses, proposing a countermeasure that creates false artifacts to force malware evasion.
The perpetual opposition between antiviruses and malware leads both parties to evolve continuously. On the one hand, antiviruses put in place solutions that are more and more sophisticated and propose more complex detection techniques in addition to the classic signature analysis. This sophistication leads antiviruses to leave more traces of their presence on the machine they protect. To remain undetected as long as possible, malware can avoid executing within such environments by hunting down the modifications left by the antiviruses. This paper aims at determining the possibilities for malware to detect the antiviruses and then evaluating the efficiency of these techniques on a panel of antiviruses that are the most used nowadays. We then collect samples showing this kind of behavior and propose to evaluate a countermeasure that creates false artifacts, thus forcing malware to evade.