As explained in an article we published a short while ago on the 6 need-to-know attributes of advanced cyber attacks, one of the main ways in which second generation malware is challenging the security industry is its capacity to evade detection.

Malware authors are not only trying to outdo themselves, but also keep one step ahead of the cyber security industry. What makes them successful is that they have the resources (especially the time) to test version after version, and to incrementally enhance their tactics up to the point where malware can infect a system and go undetected for months.

There’s no reason to sugarcoat this: cyber security specialists are struggling, and that sometimes makes it complicated for users to build their cyber defenses, because of the multiple fronts they need to cover. But the experts are aware of the challenges and they’re working to come up with new, more effective methods for cyber protection. This is especially important since there is no such thing as a panacea when protecting online assets.


Detection is a significant problem, for both organizations and individuals, although you may not view this as a key issue at the moment. Antivirus products have already fallen behind in terms of effectiveness, because they lack the ability to spot and remove second generation malware.

This specific example can help you get a better idea of where antivirus stands in terms of detection: it takes about two days for an antivirus product to spot the malicious Angler payload. In these two days, plenty of things can happen, from harvesting your financial information (online banking credentials, usernames and passwords, etc.) to encrypting your information via a ransomware infection. Two days is too much, and reactive protection is not enough.

[Figure: time to detection for Angler]

Source: Cisco Midyear Security Report 2015

But you may ask: why does that happen?

How second generation malware evades detection

You may picture cyber criminals as lonely guys who sit behind their computers all day, scheming world domination. It’s partly true, but what you don’t see is that malware creators operate large businesses and employ professional developers to make sure they can find new tactics to keep their attacks covert, while also building a profitable business.

The Cisco Midyear Security Report 2015 goes to show just how much the cyber crime market has evolved:

Many ransomware operations also have development teams that monitor updates from antivirus providers so that the authors know when a variant has been detected and it’s time to change techniques. Adversaries rely on the cryptocurrency bitcoin for payments, so transactions are more difficult for law enforcement to trace. And to maintain a good reputation in the marketplace—that is, being known to fulfill their promise to give users access to their encrypted files after the payment has been processed—many ransomware operators have established elaborate customer support operations.

But in order to achieve this level of business sophistication, cyber criminals first have to make their malware capable of infiltrating systems without triggering any security alarms.

The longer malware lingers in a system, the more confidential information it can gather and the more damage it can do. That’s why malicious actors make this a priority when developing new forms of malware. And they sure don’t lack creativity!

Here are some of the ways in which present day malware circumvents security systems in both companies and on private users’ PCs:

1. Destroying your hard drive

This example explains how data wiping malware behaves:

After completing this process and before it begins spying on users, Rombertik runs a final check to make sure it is not being analyzed in memory. In case it finds any indication of being analyzed, the spyware attempts to destroy the master boot record (MBR) of the vulnerable computer. Rombertik then restarts the machine, and because the MBR is now missing from the hard drive, the victim’s computer will go into an endless restart loop.

The MBR is the first sector of a computer’s hard drive, which the system looks for before loading the operating system. Deleting or destroying the MBR means the operating system has to be reinstalled, which means valuable data is lost.

In cases where the malware is under the microscope of security experts or any rival malware author, Rombertik will self-destruct, taking the contents of a victim’s hard drive along with it.

As you can see, malware creators will stop at nothing while pursuing their malicious objectives. Unless they need your data, they will destroy it. They might even still destroy your data after capturing it and storing it on their servers, so there’s no guarantee as to what will happen once your PC is infected.
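Because the damage described above comes down to one 512-byte sector, a defender can at least check that sector for integrity and keep a baseline of it. The following Python script is an added example (it is not part of this article, nor code from the Rombertik analysis or the Cisco report): it parses an MBR, checks the 0x55AA boot signature and the partition table, and compares the boot code against a previously recorded SHA-256 baseline. The sample sector it builds is constructed for the demonstration (filler bytes stand in for real boot code); the `read_first_sector` helper and the device path it would take are assumptions about how you would feed it a real disk.

```python
import hashlib
import struct
from typing import List, Optional

MBR_SIZE = 512            # the MBR is the first 512-byte sector of the disk
BOOT_CODE_LEN = 446       # bytes 0-445: boot code; 446-509: four 16-byte partition entries; 510-511: signature
BOOT_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into boot code, partition entries and the 0x55AA signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for slot in range(4):
        offset = BOOT_CODE_LEN + 16 * slot
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_blank": not any(boot_code),
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
    }


def assess_mbr(sector: bytes, baseline_boot_code_sha256: Optional[str] = None) -> List[str]:
    """Return the integrity problems found; an empty list means the sector looks intact."""
    info = parse_mbr(sector)
    problems = []
    if not info["signature_ok"]:
        problems.append("boot signature 0x55AA missing")
    if info["boot_code_blank"]:
        problems.append("boot code area is all zeros")
    if not info["partitions"]:
        problems.append("partition table has no entries")
    if baseline_boot_code_sha256 and info["boot_code_sha256"] != baseline_boot_code_sha256:
        problems.append("boot code differs from the recorded baseline")
    return problems


def read_first_sector(device_path: str) -> bytes:
    """Read the real MBR from a block device or disk image (needs read access to the device)."""
    with open(device_path, "rb") as disk:
        return disk.read(MBR_SIZE)


def build_constructed_mbr() -> bytes:
    """Constructed sample: filler instead of real boot code, one bootable 0x83 partition, valid signature."""
    sector = bytearray(MBR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"  # placeholder jump; this is not executable boot code
    sector[3:BOOT_CODE_LEN] = bytes((i * 7) % 256 for i in range(BOOT_CODE_LEN - 3))
    sector[BOOT_CODE_LEN:BOOT_CODE_LEN + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x83, b"\xFE\xFF\xFF", 2048, 1_048_576)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    good = build_constructed_mbr()
    baseline = parse_mbr(good)["boot_code_sha256"]  # record this once, while the system is known-good
    wiped = bytes(MBR_SIZE)                           # what an all-zero first sector looks like
    tampered = bytearray(good)
    tampered[:BOOT_CODE_LEN] = b"\xAA" * BOOT_CODE_LEN  # signature and table intact, boot code replaced
    for label, sector in (("good", good), ("wiped", wiped), ("tampered", bytes(tampered))):
        print(label, assess_mbr(sector, baseline) or "OK")
```

The point of the baseline comparison is that a signature and partition table can survive a rewrite of the boot code, so "it still boots" is not the same as "it is intact"; record the hash while the machine is known-good and re-check it from a rescue environment, not from the possibly compromised system itself.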

2. Keeping itself from being sandboxed

When traditional antivirus programs spot a potentially harmful file on your PC, they will immediately sandbox it. This method allows the AV product to execute untrusted code or programs (from unverified third parties, unknown suppliers, untrusted users or potentially harmful websites) in a restricted environment, so that the code or program cannot infect the PC.

What malware creators do is find ways to avoid this, for example by blending the malware with millions of sample files to confuse the AV’s methodology. This way, the malware infection will deflect the antivirus’s attempt to spot, block or remove it.

There is also another set of tactics that malware creators use to avoid AV detection. Since the sandbox is a virtual environment, cyber criminals equip malware strains with the ability to detect sandboxing mechanisms by checking registry entries, the PC’s video or mouse capabilities, certain ports or processes and more.

When malware detects that it’s running in a virtual environment (sandbox) it will stop its activity, so antivirus products may conclude that it’s a safe file and just let it pass. It may sound complicated, but this happens all the time.


3. “Domain shadowing”

It’s essential for cyber criminals to be able to hide the exploits and communication between the payload and the servers they control, and for that they need a vast number of URLs they can use and discard.

This is why they use “domain shadowing”, a technique well depicted in the Cisco Midyear Security Report 2015:

Exploit kit authors compromise a domain name registrant’s account, and then register a subdomain under the legitimate domain of the compromised user. Unless users review their account information, they will not know these subdomains exist. The subdomains point at malicious servers. They are very high volume, short-lived, and random, so they’re difficult to block.

Moreover, Angler exploit kit seems to be one of the most actively involved in this particular evasion technique:

Domain shadowing is not new, but the use of this technique has been increasing since December 2014. According to our research, more than 75% of known subdomain activity by exploit kit authors since that time can be attributed to Angler. The exploit kit serves a range of malicious payloads, including the ransomware Trojan Cryptowall, through file exploits.

4. The Fast Flux technique

In order to make detection more difficult, malware creators will often use more than one evasion technique. Fast Flux is a commonly used method by which cyber criminals associate a huge number of IP addresses with a single, fully qualified domain name.

They then swap the IP addresses constantly and with high frequency by changing DNS records, so that automated analysis mechanisms cannot detect the real source of the infection.

Fast Flux is usually used by botnets (networks of Internet-connected PCs that have been compromised to deliver attacks to other computers, without their owners knowing it) to hide phishing campaigns, malware-loaded websites and other infection sources targeting a large group of users.

While this method is not new either, it still persists among the tools of choice for malicious actors worldwide.
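Both domain shadowing (section 3) and Fast Flux (section 4) leave a footprint in DNS data that a defender can look for: a single name answered by many addresses in many networks with a tiny TTL, and a burst of random-looking, short-lived subdomains under a legitimate registered domain. The Python script below is an added example, not part of this article or of the Cisco report. It runs two such checks over constructed passive-DNS style records (timestamp, name, answer, TTL); the names, addresses and thresholds are all assumptions chosen for the demonstration, and the "registered domain" helper simply takes the last two labels rather than consulting a public-suffix list.

```python
import math
from collections import Counter, defaultdict


def constructed_records() -> list:
    """Constructed (epoch_seconds, fqdn, answer_ip, ttl) records; nothing here is real traffic."""
    t0 = 1_700_000_000
    recs = []
    # 1) fast flux: ten answers for one name, each from a different /16, TTL 60 s, over ten minutes
    for i in range(10):
        recs.append((t0 + 60 * i, "update.flux-example.test", f"10.{10 * i + 1}.{i}.{20 + i}", 60))
    # 2) domain shadowing: the registrant's real host plus six throwaway subdomains seen for 5 minutes each
    recs.append((t0, "www.victim-example.test", "198.51.100.20", 3600))
    recs.append((t0 + 86_400, "www.victim-example.test", "198.51.100.20", 3600))
    for i, label in enumerate(["q8z3wk1vt7", "m2xd9rlp4s", "h6yb0nfc3e",
                               "v1tk8qzj5a", "p9sm2wge7u", "c4rn6xhb1l"]):
        name = f"{label}.victim-example.test"
        recs.append((t0 + 600 * i, name, "203.0.113.66", 300))
        recs.append((t0 + 600 * i + 300, name, "203.0.113.66", 300))
    # 3) benign: a normal site with two stable addresses and a long TTL
    recs.append((t0, "www.benign-example.test", "192.0.2.10", 3600))
    recs.append((t0 + 86_400, "www.benign-example.test", "192.0.2.11", 3600))
    return recs


def registered_domain(fqdn: str) -> str:
    """Simplification: the last two labels; a real deployment would use a public-suffix list."""
    labels = fqdn.rstrip(".").split(".")
    return ".".join(labels[-2:])


def label_entropy(label: str) -> float:
    """Shannon entropy of a DNS label in bits per character; random labels score high, words score low."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def detect_fast_flux(records, min_ips=8, min_prefixes=4, max_ttl=300) -> dict:
    """Flag names answered by many IPs spread over many /16s with a short TTL."""
    per_name = defaultdict(lambda: {"ips": set(), "prefixes": set(), "max_ttl": 0})
    for _, fqdn, ip, ttl in records:
        d = per_name[fqdn]
        d["ips"].add(ip)
        d["prefixes"].add(".".join(ip.split(".")[:2]))  # /16 as a cheap proxy for "different network"
        d["max_ttl"] = max(d["max_ttl"], ttl)
    return {
        name: {"ips": len(d["ips"]), "prefixes": len(d["prefixes"]), "max_ttl": d["max_ttl"]}
        for name, d in per_name.items()
        if len(d["ips"]) >= min_ips and len(d["prefixes"]) >= min_prefixes and d["max_ttl"] <= max_ttl
    }


def detect_domain_shadowing(records, min_suspicious=5, min_entropy=3.0, max_lifetime=3600) -> dict:
    """Flag registered domains that sprout many high-entropy subdomains which each live only briefly."""
    seen = {}  # fqdn -> [first_seen, last_seen]
    for ts, fqdn, _, _ in records:
        span = seen.setdefault(fqdn, [ts, ts])
        span[0], span[1] = min(span[0], ts), max(span[1], ts)
    per_domain = defaultdict(list)
    for fqdn, (first, last) in seen.items():
        base = registered_domain(fqdn)
        if fqdn == base:
            continue
        leftmost = fqdn.split(".")[0]
        if label_entropy(leftmost) >= min_entropy and (last - first) <= max_lifetime:
            per_domain[base].append(fqdn)
    return {base: sorted(names) for base, names in per_domain.items() if len(names) >= min_suspicious}


if __name__ == "__main__":
    recs = constructed_records()
    print("fast flux candidates:", detect_fast_flux(recs))
    print("shadowed domains:", detect_domain_shadowing(recs))
```

Neither check is proof on its own: CDNs also answer one name with many addresses, and some legitimate services generate random hostnames. In practice you would feed these candidates into a second look (registrar account activity for the shadowed domain, reputation of the answer addresses) rather than block on the first hit, and a registrant can close the shadowing hole at the source by enabling two-factor authentication on the registrar account and auditing its DNS records regularly.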

5. Using encrypted payloads

Encryption is a great safeguard for data privacy and even data security, but it can cause serious headaches when used by cyber criminals.

For example, when a malware creator decides to encrypt the payload used to infect victims’ PCs, this will delay detection by antivirus products and buy more time to deploy the malware, which can range from data harvesting to ransomware.

Encrypted payloads are usually identified retrospectively, which makes it easy for malware to take over the victim’s system until reactive protection mechanisms kick in.

6. Polymorphic behavior

Encryption is not the only deceptive technique that makes malware difficult to spot. Cyber criminals count on their ability to move faster than security vendors, so they also rely on other tactics, such as changing file names and file compression.

These changes will not affect the function of the malware, but they will increase its covertness.
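To make sections 5 and 6 concrete, here is an added example (not code from this article or from the Cisco report) showing why a detection that keys on a file hash is so fragile, and what a defender can key on instead. It builds a constructed stand-in for a malicious binary (a padded buffer with a marker string; it is not a real executable) and then produces the kinds of variants the text describes: the same bytes under a new name, the same bytes re-compressed in two different containers, and a high-entropy buffer standing in for an encrypted payload (no key or decryption is involved; it is just deterministic pseudo-random filler). The triage compares a SHA-256 hash match against a check on normalized content and a Shannon entropy score. The marker, the file names and the 7.2 bits-per-byte threshold are assumptions made for the demonstration.

```python
import bz2
import hashlib
import math
import zlib
from collections import Counter

# Constructed invariant fragment standing in for the code bytes a content signature keys on.
MARKER = b"CONSTRUCTED-INVARIANT-CODE-FRAGMENT"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or random data, far lower for code and text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 in counter mode), a stand-in for an encrypted payload."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def build_constructed_variants() -> dict:
    """The same 'payload' behind different wrappers; none of this is a real program."""
    base = (b"MZ" + bytes(62)
            + b"This is a constructed stand-in, not a real executable.\n"
            + MARKER + bytes(4096))
    return {
        "original.exe": base,
        "renamed.scr": base,                        # new file name, identical bytes
        "repacked_zlib.bin": zlib.compress(base),   # same payload, different container
        "repacked_bz2.bin": bz2.compress(base),
        "encrypted.bin": pseudo_random_bytes(len(base)),  # stand-in for an encrypted payload
    }


def hash_signature_match(data: bytes, known_hashes: set) -> bool:
    """The traditional check: is the whole-file hash on the blocklist?"""
    return sha256_hex(data) in known_hashes


def normalized_content_match(data: bytes, marker: bytes = MARKER) -> bool:
    """Look for the invariant fragment as-is and after any decompressor that accepts the bytes."""
    candidates = [data]
    for decompress in (zlib.decompress, bz2.decompress):
        try:
            candidates.append(decompress(data))
        except Exception:  # not this container (zlib.error / OSError); move on
            pass
    return any(marker in c for c in candidates)


def triage(variants: dict, known_hashes: set, entropy_threshold: float = 7.2) -> dict:
    report = {}
    for name, data in variants.items():
        ent = shannon_entropy(data)
        report[name] = {
            "hash_match": hash_signature_match(data, known_hashes),
            "content_match": normalized_content_match(data),
            "entropy": round(ent, 2),
            "looks_encrypted": ent >= entropy_threshold,
        }
    return report


if __name__ == "__main__":
    variants = build_constructed_variants()
    known = {sha256_hex(variants["original.exe"])}  # the one hash a vendor has already seen
    for name, verdict in triage(variants, known).items():
        print(f"{name:20} {verdict}")
```

Renaming alone leaves the hash untouched, but re-compressing or encrypting changes every byte, so the hash check fails on exactly the variants the attacker produces cheaply. The normalized check survives repacking because it looks inside the container; it cannot see into the encrypted variant, which is where the entropy score earns its place: a file that is nearly all high-entropy data and still runs is worth a closer look even when no signature matches. Real packers and encryptors are more varied than two compressors, so treat this as the shape of a layered check rather than a complete one.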

[Figure: how Dyreza evades detection]
Source: Cisco Midyear Security Report 2015

7. Using literature to hide exploit kits

What does old literature have to do with cyber crime? This may sound hard to believe, but, according to the Cisco Midyear Security Report 2015:

Some exploit kit authors are looking to early 19th-century literature to help conceal their 21st-century threats. Specifically, some adversaries are incorporating text from Jane Austen’s Sense and Sensibility into web landing pages that host their exploit kits.

Adding passages of classic text to an exploit kit landing page is a more effective obfuscation technique than the traditional approach of using random text. The use of text from more contemporary works such as magazines and blogs is another effective strategy. Antivirus and other security solutions are more likely to categorize the webpage as legitimate after “reading” such text.

For users, encountering unexpected references to beloved Austen characters such as Elinor Dashwood and Mrs. Jennings on a webpage may be perplexing but not a cause for immediate concern. But their lack of unease gives adversaries more opportunity to launch their exploits.

The use of known works instead of random text is just one example of how threat actors are evolving their schemes to avoid detection.

8. Using Tor and the Invisible Internet Project (I2P)

Tor is well known for its use by Internet users who want to hide their traffic for various reasons, both good (cyber security research) and bad (cyber crime). So it’s no wonder that malware creators employ this anonymity network to conceal their communication, for example the information exchange between a payload and a malicious server.

According to Cisco’s Midyear Security Report 2015, these are the malware families that most often use Tor in their distribution and multiplication:

[Figure: malware families using Tor for communication]

Moreover, I2P, the Invisible Internet Project, is used for the same purposes, but also includes functions such as chat, blogging and file transfers that are pseudonymous and secure. This is an example of a darknet, “an overlay network that can only be accessed with specific software, configurations, or authorization, often using non-standard communications protocols and ports.” (Source.)

9. Using Microsoft Macros

Microsoft Office macros are a notorious infection vector that cyber criminals have been using for years and years, but they’re still not out of fashion. Microsoft may have blocked macros from running automatically, but it can’t protect users from social engineering.

Persuading users to run macros themselves requires skill and more time than automated attacks, but it can bring more effective results and worse consequences for the victim. In order to make sure that they stay under the radar, malicious actors will change the threats very fast and very often, forcing detection mechanisms to start over and over again.

Dridex, one of the most dangerous types of banking malware, leverages Microsoft macros to infect users’ systems. Here are some relevant details about how it does the job, extracted from Cisco’s aforementioned report:

Our researchers noticed that the spam campaigns carrying the Dridex payload tended to be very short-lived—perhaps just a few hours long—and that they also mutated frequently, as an evasion tactic. While antivirus solutions perform useful security functions, they are not well suited to detecting these short-lived spam campaigns. By the time a campaign is detected, attackers have already changed the emails’ content, user agents, attachments, and referrers. They then launch the campaign again, forcing antivirus systems to detect them anew.
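If the attachments mutate faster than signatures can follow, one thing that does not mutate is the structural fact that a macro-carrying Office document must ship a VBA project. The Python script below is an added example (it is not part of this article or of the Cisco report) of the kind of content-based check a mail gateway can apply: it opens an Office Open XML attachment as the zip container it is, looks for a `vbaProject.bin` part and for a macro-enabled content type, and returns a policy verdict that ignores the file name entirely. The documents it inspects are constructed in memory (placeholder XML and a placeholder byte string where a real VBA project would be), and the verdict labels are assumptions; legacy binary `.doc`/`.xls` files are only recognised by their OLE header and handed off, since parsing those properly needs a real OLE parser.

```python
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy binary Office container (.doc, .xls, .ppt)
ZIP_MAGIC = b"PK\x03\x04"                         # Office Open XML (.docx/.docm/.xlsx/...) is a zip


def inspect_office_attachment(name: str, data: bytes) -> dict:
    """Decide on macro policy from the bytes, never from the file name."""
    result = {"name": name, "container": "other", "has_vba_project": False,
              "macro_enabled_type": False, "verdict": "allow"}
    if data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                # any part named vbaProject.bin (word/, xl/, ppt/...) is a VBA project
                result["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
                if "[Content_Types].xml" in names:
                    ctypes = zf.read("[Content_Types].xml")
                    result["macro_enabled_type"] = b"macroEnabled" in ctypes or b"vbaProject" in ctypes
        except zipfile.BadZipFile:
            result["verdict"] = "quarantine"  # claims to be a document but will not parse: suspicious
            return result
        if result["has_vba_project"] or result["macro_enabled_type"]:
            result["verdict"] = "quarantine"
    elif data.startswith(OLE_MAGIC):
        result["container"] = "ole"
        result["verdict"] = "inspect"  # may embed VBA; needs an OLE-aware parser before a decision
    return result


def constructed_attachment(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML package in memory; not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if with_macro:
            overrides = ('<Override PartName="/word/document.xml" '
                         'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
                         '<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
        else:
            overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                         'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                    'package/2006/content-types">' + overrides + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder body
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-VBA-PROJECT")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("report.docx", constructed_attachment(False)),
        ("invoice.docm", constructed_attachment(True)),
        ("invoice.docx", constructed_attachment(True)),   # extension lies, content does not
        ("old.doc", OLE_MAGIC + bytes(504)),
        ("note.txt", b"plain text, nothing to decide"),
    ]
    for name, data in samples:
        print(inspect_office_attachment(name, data))
```

Because the verdict comes from the container's contents, the `invoice.docx` case is caught even though its extension says "no macros", which is the failure mode of name- and hash-based filters against campaigns that rotate attachments every few hours. A quarantine verdict is a starting point, not a final answer: pair it with a policy that only releases macro-enabled documents from senders who have a business reason to send them.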

10. Remaining dormant

This type of evasion is timing-based, meaning that the malware strain will only run or monitor the user’s actions when the system is most vulnerable. This can happen, for example, during the boot process. The rest of the time, the malware can remain dormant, thus going undetected by traditional security solutions.

How to protect yourself from undetectable malware

You may not see it, but it’s there. Malware threats are pervasive and difficult to spot, some even to the keenest and best-trained eye. All the evasion tactics described above trigger very low detection scores in antivirus products, so you have to do just a bit more to stay safe online.

First of all, try to change your mindset from a reactive-based model to a prevention-oriented one.

Second, keep in mind that prevention means a couple of basic things:

  • keeping your software up to date, including your operating system
  • using the right cyber security tools to filter web traffic and block potential threats, thus considerably lowering the chances for infection
  • avoiding dangerous web locations, such as torrent websites, shady banners or other types of websites that don’t look trustworthy. If you wouldn’t walk on dangerous streets at night, you shouldn’t browse these websites either.
  • educating yourself to detect potential cyber attacks delivered via phishing emails, infected banners, spam emails, social engineering attempts and more. If you taught your kids not to talk to strangers, why would you reply to an email from someone you don’t know or click on an email attachment just because someone instructed you to?

Cyber criminals already have a head start. Don’t let them get to you before you know how to protect yourself.



Malware creators are aware that most users rely on antivirus to protect themselves and they are also very knowledgeable when it comes to how they can evade detection. They move fast and have the necessary resources to not only reach their objectives, but also challenge traditional security products to start from scratch with each new malicious campaign they launch.

Reactive security is no longer enough. We don’t recommend you give up using antivirus, we just urge you to consider adding other security layers if you want to fend off cyber attacks. Proactive protection is essential and will become crucial in the coming years, for organizations and home users alike. If you get into the right mindset now, you’ll be able to cope with change much better than those who believe that cyber security doesn’t concern them.

The first step can be to try to visualize the tactics that cyber criminals use in order to keep their cyber attacks covert for as long as possible, exposing your system to a huge array of threats and potential negative consequences. The second step – you already know what it is!

[Infographic: Why Your Traditional Antivirus Can’t Detect Second Generation Malware]
