Bypassing antivirus detection: old-school malware, new tricks
Efstratios Chatzoglou, Georgios Karopoulos, Georgios Kambourakis, and Zisis Tsiatsikas

TL;DR
This paper empirically evaluates how well popular Windows antivirus and EDR products detect legacy malware that has been obfuscated with publicly known evasion techniques, finds large detection gaps, and includes a preliminary look at whether ChatGPT can help produce ready-to-use malware.
Contribution
It provides a comprehensive empirical analysis of antivirus and EDR detection against obfuscated legacy malware (seven evasion techniques blended into 16 executables written in C++, Go, and Rust) and an initial study of ChatGPT's ability to assist in malware development.
Findings
About half of the AV engines detected fewer than half of the malware variants.
Four AVs detected exactly half of the variants.
Two AVs detected nearly all variants.
Abstract
Being on a mushrooming spree since at least 2013, malware can take a large toll on any system. In a perpetual cat-and-mouse chase with defenders, malware writers constantly conjure new methods to hide their code so as to evade detection by security products. In this context, focusing on the MS Windows platform, this work contributes a comprehensive empirical evaluation regarding the detection capacity of popular, off-the-shelf antivirus and endpoint detection and response engines when facing legacy malware obfuscated via more or less uncommon but publicly known methods. Our experiments exploit a blend of seven traditional AV evasion techniques in 16 executables built in C++, Go, and Rust. Furthermore, we conduct an incipient study regarding the ability of the ChatGPT chatbot in assisting threat actors to produce ready-to-use malware. The derived results in terms of detection rate are…
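The abstract's central point is that a static signature which matches a legacy sample stops matching once the sample is obfuscated, even by a trivial transformation. The following added example (written for this page; it is not the authors' tooling, and the paper does not say which seven techniques it used) shows that effect with a constructed byte signature and single-byte XOR encoding standing in for an obfuscation step, then shows the cheap check a defender can add to a scanner: brute-forcing the 256 possible single-byte keys before concluding the signature is absent. The signature string, the fake image layout, and the key 0x5A are all constructed for the demonstration.

```python
"""Added illustration: signature matching before and after trivial obfuscation.

Everything here is constructed. SIGNATURE is an arbitrary marker string, the
"sample" is an in-memory byte buffer mimicking an executable image, and
single-byte XOR stands in for whichever obfuscation technique is of interest.
The paper being summarised does not list XOR among its seven techniques and
this code is not the authors' tooling.
"""

# Constructed byte signature that a scanner might use to flag a known sample.
SIGNATURE = b"legacy-malware-marker"


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation encodes and decodes."""
    return bytes(b ^ key for b in data)


def build_sample(obfuscate: bool, key: int = 0x5A) -> bytes:
    """Construct a fake image containing the marker, in clear or XOR-encoded.

    The surrounding bytes are inert filler; only the marker matters to the
    scanners below. The 'MZ' prefix is cosmetic and is not parsed.
    """
    marker = xor_encode(SIGNATURE, key) if obfuscate else SIGNATURE
    return b"MZ" + b"\x00" * 16 + marker + b"\x00" * 16


def naive_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Plain substring match: the weakest form of static signature detection."""
    return signature in sample


def xor_aware_scan(sample: bytes, signature: bytes = SIGNATURE):
    """Try every single-byte key and report the one under which the signature
    appears.

    Returns 0 if the signature is present in clear, 1..255 if it appears after
    decoding with that key, or None if no key works. 256 full passes over the
    buffer is affordable for a demonstration; a real scanner would restrict
    this to suspicious regions or use a sliding-window approach.
    """
    for key in range(256):
        if signature in xor_encode(sample, key):
            return key
    return None


if __name__ == "__main__":
    clear = build_sample(obfuscate=False)
    hidden = build_sample(obfuscate=True)
    print("naive scan, clear sample     :", naive_scan(clear))
    print("naive scan, obfuscated sample:", naive_scan(hidden))
    print("xor-aware scan, clear        :", xor_aware_scan(clear))
    print("xor-aware scan, obfuscated   :", hex(xor_aware_scan(hidden)))
```

The naive scanner flags the clear sample and misses the encoded one, which is the detection gap the abstract describes; the key-recovering scanner flags both. The broader lesson matches the paper's framing: each publicly known obfuscation step is cheap for the attacker and needs a corresponding, and usually more expensive, normalisation step on the defender's side.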
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Spam and Phishing Detection
