
Malware & Phil

Posted on 03/17/2016, by Miguel Herrero (INCIBE)

In the popular Spanish comics series by the great artist and writer Ibáñez, Phil would become angry with Mort and chase him, normally with some disproportionately large weapon in hand, while Mort would run away in one of his many disguises. A scenario like the one above happens time and again in our operating systems, except that the malware is the character that puts on a disguise to run away from the antivirus, running rampant through our operating systems.

Recently, malware authors have developed techniques that drastically reduce the effectiveness of antivirus (AV) software and other defensive applications, so that in many cases the malware is never detected at all.



Antivirus software normally uses different techniques to identify the malware. Among the most widely used techniques are the following:

  • Digital signature: The file is compared against databases of signatures (hashes) of known malware. If the hash matches, the AV can be certain it is a recognised malware sample. This method requires very frequent database updates, and its effectiveness depends on whether the AV vendor has already analysed that exact sample and on whether the sample has since been modified. It protects against well-known malware, but it is not effective against malware that is "fresh out of the oven".
  • Heuristic detection: A search for known malicious sections of code within suspicious files, weighted by how often each code fragment appears in samples already confirmed as malware. This technique is more advanced than the digital signature method and allows mutations and variants of known malware to be detected.
  • Behaviour-based detection: This technique is similar to heuristic detection, but rather than looking for sections of code, it looks for known malicious behaviour. It is a reactive technique, as it can only work once the malware has been executed.
  • Controlled execution in a sandbox: The software is run in a virtual machine and the state of the machine before execution is compared with its state afterwards. Files and processes are checked to see which ones have been altered, and the results determine whether the file is malicious.
  • Data mining methods: This is one of the most modern techniques. It uses data mining and machine learning algorithms to classify a suspicious executable by looking at some of its features rather than at the file as a whole.
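To make the difference between the first two methods concrete, here is an added example (not code from the original post) contrasting an exact-hash signature lookup with a toy fragment-similarity heuristic. The "samples" are constructed byte strings, not real malware, and the 4-gram Jaccard score is an assumed stand-in for the code-fragment matching a real heuristic engine performs.

```python
import hashlib
from typing import Dict, Set

# Constructed samples: MUTATED is ORIGINAL with a single padding byte flipped,
# the kind of trivial change that breaks an exact-hash signature.
ORIGINAL = (b"MZ\x90\x00"
            + b"GetProcAddress LoadLibraryA CreateRemoteThread " * 4
            + b"\x00" * 8)
MUTATED = bytes(ORIGINAL[:-1]) + b"\x01"
UNRELATED = b"hello world " * 16

# Assumed signature database: only the original sample has been analysed.
SIGNATURE_DB: Set[str] = {hashlib.sha256(ORIGINAL).hexdigest()}
KNOWN_SAMPLES = [ORIGINAL]


def hash_match(sample: bytes) -> bool:
    """Digital-signature check: exact SHA-256 lookup."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURE_DB


def ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    """All overlapping n-byte fragments of the sample."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity over byte n-grams (toy heuristic score)."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 0.0


def heuristic_match(sample: bytes, threshold: float = 0.9) -> bool:
    """Heuristic check: enough shared fragments with any known sample."""
    return any(similarity(sample, k) >= threshold for k in KNOWN_SAMPLES)


def classify(sample: bytes) -> Dict[str, bool]:
    return {"hash": hash_match(sample), "heuristic": heuristic_match(sample)}


if __name__ == "__main__":
    for name, s in (("original", ORIGINAL), ("mutated", MUTATED),
                    ("unrelated", UNRELATED)):
        print(name, classify(s), round(similarity(ORIGINAL, s), 3))
```

The one-byte mutation defeats the hash lookup while the fragment score stays above 0.9, which is why signature databases need such frequent updates.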

Slipping past these methods undetected is reasonably straightforward with modern AV evasion techniques. Some of these techniques are as follows:

Techniques that affect the victim's AV: Some strategies for bypassing the victim's AV protection involve exploiting vulnerabilities in the AV itself and silently manipulating it so that the malware can run. They range from deactivating the antivirus to adding the malware to the list of processes the AV allows. There are also more radical approaches, such as attacking the AV engine directly, as Joxean Koret warns in this comprehensive lecture. A drawback of this family of techniques is that it depends on which AV is installed on the system where the malware is going to run.

Blocking the antivirus: Modern operating systems (OS) have a digital signature system for checking the source of the software being run. This way, it is possible to verify the authenticity of this software. There is malware (for example the adware Vonteera) that adds the certificates belonging to the most common AV (AVG, Avast, BitDefender, Panda…) to the Untrusted Certificates folder so that the OS will refuse to run or update the AV, effectively deactivating it.

Timing and detection of virtual environments: Malware analysis sandboxes are increasingly widespread, and some malware samples simply wait a few minutes after being launched until the sandbox times out, at which point the sample is classified as benign because no malicious behaviour was observed. Other samples are able to detect that they are running in a virtual environment and, in that case, do nothing. It is possible to turn the tables on this technique, either by making the malware believe that our real machine is a virtual environment, or by falsifying the checks the malware performs so that it does run inside the sandbox; tools like Pafish help by showing which of those checks a given sandbox fails.
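From the sandbox side, the behaviour described above is visible in the API trace the sandbox records. The following added example (not part of the original post) scores a constructed trace for the two signs discussed: long sleeps that outlast the analysis window and lookups of virtual-machine or sandbox artefacts. The trace format, the marker list and the thresholds are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed API trace: "<timestamp> pid=<n> <Api>(<args>)" per line.
TRACE = r"""
00:00:01.002 pid=1337 Sleep(ms=300000)
00:00:01.005 pid=1337 RegOpenKeyExW(key="HKLM\SYSTEM\ControlSet001\Services\VBoxGuest")
00:00:01.010 pid=1337 GetModuleHandleW(name="sbiedll.dll")
00:00:01.020 pid=1337 CreateFileW(path="C:\Users\user\Documents\report.docx")
00:00:01.030 pid=1337 ExitProcess(code=0)
"""

# Constructed trace of an ordinary program for comparison.
BENIGN_TRACE = r"""
00:00:00.500 pid=2048 CreateFileW(path="C:\Users\user\Documents\report.docx")
00:00:00.510 pid=2048 Sleep(ms=50)
00:00:00.600 pid=2048 ExitProcess(code=0)
"""

LINE_RE = re.compile(r"^(\S+) pid=(\d+) (\w+)\((.*)\)$")
# Illustrative substrings a sample probes for when fingerprinting a sandbox.
VM_MARKERS = ("vbox", "vmware", "qemu", "sbiedll")
LONG_SLEEP_MS = 60_000   # assumed analysis window: one minute


def analyse(trace: str) -> Dict[str, object]:
    """Flag timing and VM-detection evasion in a recorded API trace."""
    total_sleep = 0
    probes: List[str] = []
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, _pid, api, args = m.groups()
        if api == "Sleep":
            ms = re.search(r"ms=(\d+)", args)
            if ms:
                total_sleep += int(ms.group(1))
        if any(marker in args.lower() for marker in VM_MARKERS):
            probes.append(f"{api}({args})")
    # A sandbox that patches Sleep to return immediately, and that hides these
    # artefacts, removes the benefit of both tricks; here we only detect them.
    return {"total_sleep_ms": total_sleep, "vm_probes": probes,
            "evasive": total_sleep >= LONG_SLEEP_MS or bool(probes)}


if __name__ == "__main__":
    print(analyse(TRACE))
    print(analyse(BENIGN_TRACE))
```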

Destroying the hard drive: You heard right. Some malware samples such as Rombertik try to destroy the MBR along with other directories, thus causing the victim’s machine to go into an endless restart loop if the malware notices the presence of detection tools on the machine. This way, the malware dodges detection (ok, the malware will not be able to fulfil its function, but the victim has now lost their hard drive). Rombertik is a malware that has several of these evasion techniques. You can read more about it in Cisco’s Blog or in the following image.


Code encryption: Its name says it all. Part of the code is encrypted, so that only the malware itself, which holds the decryption key, can decrypt and run it; an AV engine scanning the file on disk sees only the encrypted bytes and does not recognise them.

Code obfuscation: This is the most common technique and is usually found together with code encryption. It consists of making the code unreadable, which hinders both reverse engineering and detection by antivirus engines. Essentially, it transforms a program M into another program M' that keeps the same behaviour without losing any functionality. Some malware samples go even further and obfuscate the entire code using mechanisms called packers; as a result, only a small part of the code is accessible on disk and the rest is unpacked at run time. This technique is combined with virtual environment detection so that the malware never unpacks itself inside a sandbox, making it even harder to detect.

Code obfuscation comes in several forms (including polymorphism and metamorphism), with a wide variety of mechanisms for obfuscating code without compromising its functionality, but that is a story for another day.