ANTI-VIRUS EVASION

It is not just an anti-virus product that protects the corporate network and the end users against malicious programs and viruses. What matters most is general user awareness of such risks and a shared sense of responsibility for defending against such attacks. It is important to educate the various kinds of computer users, in the simplest possible way, on how to deal with viruses and worms and defend against malicious attacks, because the AV engine becomes helpless when malicious code uses special techniques to prevent or evade detection. Some of the techniques used by malicious code for AV evasion are:

Use of Binders and Packers: Binders are used to bind two or more EXE files into one single EXE file. A binder usually binds the other EXE files to itself and generates a new binary. Since the original signature of the malicious code is shifted to a different offset in the newly generated binary, viruses or worms can be hidden using binders and can get past most anti-virus products undetected. A few well-known binders available on the internet are Infector v2, Exe-Joiner, ExeMaker, Trojan Man etc. Packers or compressors work in a similar way to binders; the only difference is that in the case of packers the malicious binary is compressed before it is embedded into the packer's binary to generate the final EXE. Here the signature changes because of the compression, which renders the AV helpless in detection. A few well-known packers available on the internet are Shrinker, PKLite, ASPack, Petite etc.

Code Obfuscation: Code obfuscation is a process in which the binary of the malicious program undergoes various transformations such as Code Morphing, Polymorphism, Metamorphism etc., which in turn can easily evade any static anti-virus product. In the case of 'Code Morphing', the malicious code is encrypted and a small routine is embedded to decrypt the code before the malicious code runs. This kind of code obfuscation applies several non-deterministic transformations that destroy the visible logical code structure, and hence it not only prevents detection by anti-viruses but also hinders disassembly or debugging by tools like SoftIce and IDAPro. One such tool, called 'EXECryptor', performs this kind of code obfuscation.

Code Conversion from EXE to Client Side Scripts: These are techniques which can be used to convert an executable, or any other file type (like .pif or .scr), into a VBS file; on execution of the VBS file, the hidden binary is executed automatically. This can aid malicious users in spreading malicious programs across the internet and getting past anti-virus gateways undetected.
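The binder and packer paragraph above makes two points a defender can check for: a static byte signature stops matching once the payload is compressed, and the compressed region stands out statistically. The following example is added here and is not part of the original article; it implements the per-chunk Shannon-entropy heuristic that packer detectors use, over a constructed "plain" blob and a constructed "packed" blob (a hypothetical stub followed by a zlib-compressed payload) rather than real PE sections, and the signature bytes are a made-up placeholder.

```python
import hashlib
import math
import zlib

# Constructed stand-in for a static byte signature (not a real AV signature).
SIGNATURE = b"MALICIOUS_ROUTINE_v1"

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniformly random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_signature(data: bytes, sig: bytes = SIGNATURE) -> int:
    """Offset of a static signature in the blob, or -1 when it is not present."""
    return data.find(sig)

def high_entropy_chunks(data: bytes, chunk: int = 512, threshold: float = 7.0) -> list:
    """Offsets of fixed-size chunks whose entropy suggests compressed or encrypted bytes."""
    return [off for off in range(0, len(data), chunk)
            if shannon_entropy(data[off:off + chunk]) >= threshold]

def looks_packed(data: bytes, chunk: int = 512, threshold: float = 7.0, ratio: float = 0.5) -> bool:
    """Heuristic: flag a blob when at least `ratio` of its chunks are high-entropy."""
    total = math.ceil(len(data) / chunk) or 1
    return len(high_entropy_chunks(data, chunk, threshold)) / total >= ratio

def build_samples():
    """Constructed 'plain' blob (low-entropy hex text carrying the signature) and its
    'packed' form: a fixed stub plus the zlib-compressed blob, like a packer's decompressor stub."""
    lines = [hashlib.sha256(i.to_bytes(4, "little")).hexdigest().encode()
             for i in range(256)]
    body = b"\n".join(lines)
    mid = len(body) // 2
    plain = body[:mid] + SIGNATURE + body[mid:]
    packed = b"STUB" + zlib.compress(plain, 9)
    return plain, packed

if __name__ == "__main__":
    plain, packed = build_samples()
    for name, blob in (("plain", plain), ("packed", packed)):
        print(f"{name}: signature at {find_signature(blob)}, "
              f"entropy {shannon_entropy(blob):.2f}, packed? {looks_packed(blob)}")
```

The signature is found in the plain blob and not in the packed one, while the entropy heuristic flags only the packed blob; real scanners apply the same measure per PE section and to the decompressed image after an unpacking stage.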