The pace of advisories and reports surrounding new zer0day activity seems to be accelerating at an alarming rate in 2013. Growing numbers have been seen in the wild exploiting victims and gaining beachheads within enterprises around the world. Meanwhile, as a noted in a recent New York Times article, which highlighted the statistics of crimeware detection and prevention among the world’s top 45 antivirus engines commercially available, the cyber security industry has been slow to adapt. To illuminate some of the mystery behind some of the tools and techniques that makes executable detections more difficult than they used to be, it helps to examine a small chip off of the proverbial iceberg of evasion techniques to make the topic more digestible.
In the book Hacking Exposed – Malware and Rootkits, my co-authors and I discussed many of these evasion techniques and other tools such as crypters, binders, packers, polymorphism, and several other common methods that bolster the survivability of a malicious executable. Almost all of these tactics are incorporated by persistent threats in order to evade detection by most commercially available antivirus or other security products. To understand these methods and related behaviors, one must first examine the motive behind them.