Evasive Windows Malware: Impact on Antiviruses and Possible Countermeasures
Cédric Herzog (Inria, CIDRE), Valérie Viet Triem Tong (MSR - INRIA, CIDRE), Pierre Wilke (CIDRE), Arnaud van Straaten (MSR - INRIA), Jean-Louis Lanet (LHS - Inria, CIDRE)

TL;DR
This paper investigates how evasive Windows malware detects the presence of an antivirus and evaluates a countermeasure that plants false antivirus artifacts so that such malware avoids executing.
Contribution
It identifies techniques malware uses to detect antiviruses and proposes a countermeasure involving false artifacts to improve detection robustness.
Findings
Malware can successfully detect antivirus presence using specific techniques.
Countermeasures that create false antivirus artifacts can force evasive malware to evade, i.e. to avoid executing on the protected machine.
Evaluation shows improved detection resilience against evasive malware.
Abstract
The perpetual opposition between antiviruses and malware leads both parties to evolve continuously. On the one hand, antiviruses put in place solutions that are more and more sophisticated and propose more complex detection techniques in addition to the classic signature analysis. This sophistication leads antiviruses to leave more traces of their presence on the machine they protect. To remain undetected as long as possible, malware can avoid executing within such environments by hunting down the modifications left by the antiviruses. This paper aims at determining the possibilities for malware to detect the antiviruses and then evaluating the efficiency of these techniques on a panel of antiviruses that are the most used nowadays. We then collect samples showing this kind of behavior and propose to evaluate a countermeasure that creates false artifacts, thus forcing malware to evade.
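As an added illustration of the countermeasure the abstract describes (this is example code written for this page, not code from the paper or its authors), the following Python models the idea: decoy antivirus artifacts are planted on the file system, and an environment check that looks for such artifacts then concludes that an antivirus is present, so malware that gates its execution on that check would avoid executing. The artifact names and paths are invented placeholders, and the environment check is reduced to file-system presence; both are assumptions made for the example, not findings of the paper.

```python
"""Decoy-artifact countermeasure, modelled with placeholder artifacts.

Added example, not code from the paper. Artifact names are constructed
placeholders and do not correspond to any real antivirus product.
"""
import tempfile
from pathlib import Path

# Constructed decoy set. Assumption: a real deployment would mirror the
# traces that a specific antivirus actually leaves on a Windows host.
DECOY_ARTIFACTS = [
    {"kind": "dir", "path": "Program Files/DecoyAV"},
    {"kind": "file", "path": "Program Files/DecoyAV/decoyav_service.exe"},
    {"kind": "file", "path": "Windows/System32/drivers/decoyav_filter.sys"},
]


def plant_decoys(root: Path) -> list:
    """Create every decoy artifact below `root`; returns the created paths."""
    created = []
    for art in DECOY_ARTIFACTS:
        target = root / art["path"]
        if art["kind"] == "dir":
            target.mkdir(parents=True, exist_ok=True)
        else:
            target.parent.mkdir(parents=True, exist_ok=True)
            # An empty file suffices: an existence check only sees presence.
            target.touch(exist_ok=True)
        created.append(target)
    return created


def artifacts_present(root: Path) -> list:
    """Model of the environment check the paper describes: which of the
    known artifacts are visible below `root`."""
    return [a["path"] for a in DECOY_ARTIFACTS if (root / a["path"]).exists()]


def missing_decoys(root: Path) -> list:
    """Operator-side integrity check: decoys that have disappeared (for
    example removed by an update or by tampering) and must be re-planted."""
    present = set(artifacts_present(root))
    return [a["path"] for a in DECOY_ARTIFACTS if a["path"] not in present]


def evasive_payload_runs(root: Path) -> bool:
    """Model of the evasive decision: the payload runs only when no
    antivirus artifact is observed."""
    return not artifacts_present(root)


def demo() -> dict:
    """Plant decoys in a scratch directory and report their effect."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        runs_before = evasive_payload_runs(root)
        plant_decoys(root)
        runs_after = evasive_payload_runs(root)
        missing_after_plant = missing_decoys(root)
        # Simulate loss of one decoy and confirm the integrity check reports it.
        (root / "Windows/System32/drivers/decoyav_filter.sys").unlink()
        missing_after_tamper = missing_decoys(root)
    return {
        "runs_before": runs_before,
        "runs_after": runs_after,
        "missing_after_plant": missing_after_plant,
        "missing_after_tamper": missing_after_tamper,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints that the modelled payload would run before the decoys are planted and would not run afterwards, and that the integrity check lists a decoy once it is removed. On a real Windows host the decoys would have to reproduce whatever traces the chosen antivirus leaves (the paper measures these across the antiviruses it studies), and they would need the same periodic integrity check, since a decoy that silently disappears stops deterring anything.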
