How does malware get past security software?

Malicious software, or malware, is any software that causes damage to a computer system. Malware can take the shape of worms, viruses, trojans, spyware, adware, and rootkits, among other things, and can steal confidential information, erase documents, or install software that has not been allowed by the user.

How Does Malware Get Past Security Software?

Malware takes advantage of security flaws (bugs or vulnerabilities) in the operating system's design and applications (such as older versions of Microsoft Internet Explorer supported by Windows XP) and susceptible versions of browser plugins. Even installing new versions of such plugins does not always result in the removal of older versions.

Plugin vendors announce security-related updates in their security advisories. The National Vulnerability Database in the United States assigns CVE IDs to common vulnerabilities. Free software such as Secunia PSI scans a machine for vulnerable, out-of-date software and attempts to update it.

Malware writers look for flaws or faults to exploit. A popular way is to use a buffer overrun vulnerability, which occurs when software meant to store data in a specific memory region fails to prevent more data from being supplied than the buffer can handle.

Malware may supply input that overflows the buffer and places harmful executable code or data beyond its end. When that payload is later executed, it does whatever the attacker wants rather than what the legitimate software intended. Anti-malware software is a constantly growing threat to malware's ability to stay undetected, which is why malware authors keep refining these techniques.
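As an added illustration of the buffer-overrun flaw just described (example code written for this page, not taken from any product or vendor mentioned above), the block below shows the unchecked copy pattern next to a bounds-checked version. The buffer size, function names and the sample inputs are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16   /* fixed-size buffer: room for 15 characters plus the NUL */

/* "Before": the buffer-overrun pattern the text describes. strcpy copies
   until it finds the source's NUL terminator, so an input longer than
   NAME_BUF - 1 bytes runs past the end of buf and overwrites whatever sits
   next to it in memory (other variables, or control data on the stack). */
void store_name_unchecked(char buf[NAME_BUF], const char *input)
{
    strcpy(buf, input);   /* no bounds check at all */
}

/* "After": measure the input first and refuse anything that does not fit.
   Returns 0 on success, -1 if the input was rejected; buf is always left
   NUL-terminated so callers cannot read past it either. */
int store_name_checked(char buf[NAME_BUF], const char *input)
{
    size_t len = strlen(input);
    if (len >= NAME_BUF) {       /* len + 1 bytes needed, NAME_BUF available */
        buf[0] = '\0';
        return -1;
    }
    memcpy(buf, input, len + 1); /* copies the terminator too */
    return 0;
}

int main(void)
{
    char name[NAME_BUF];
    /* constructed inputs: one that fits, one that would overrun the buffer */
    const char *ok  = "alice";
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 32 bytes */

    printf("checked(\"%s\") -> %d\n", ok, store_name_checked(name, ok));
    printf("checked(32 x 'A') -> %d\n", store_name_checked(name, bad));
    /* store_name_unchecked(name, bad) would corrupt the stack; not called here. */
    return 0;
}
```

The hardened version rejects the input outright rather than silently truncating it; compiler hardening such as stack canaries can turn the overrun into a crash, but only the length check removes the flaw itself.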

User Mistakes or Insecure Design

Early PCs were started from floppy discs. When built-in hard drives became common, the operating system was usually started from them, but it was still possible to boot from a floppy disc, CD-ROM, DVD-ROM, USB flash drive, or the network if one was available, and configuring the computer to boot from such a device when present was typical. Usually none would be present; instead, the user would deliberately insert, for example, a CD into the optical drive to boot the computer in a special way, such as to install an operating system. Computers can also be configured to run software from specific media as soon as it becomes available (autorun), even when the computer is not being booted from it.

Malware distributors would trick the user into booting or running from an infected device or medium. A virus, for example, may add auto-runnable code to any USB stick inserted into an infected computer. Anyone who then connected the stick to a computer set to autorun from USB became infected and spread the infection in the same way.

Same OS Used Everywhere

If all computers in a network run the same operating system, for example, a single worm can exploit all of them. Microsoft Windows and Mac OS X in particular have such a large market share that an exploited vulnerability in either operating system could compromise a large number of systems. Introducing diversity purely for the sake of robustness, such as adding Linux systems, may increase training and maintenance costs in the short term.

Signature Change

Viruses that change their signature can sneak past signature-based virus scanners. This is known as polymorphic malware, and it works by changing some of the virus's code as it spreads. Even a minor code change that has no effect on the virus's functionality is enough to alter the signature and prevent antivirus software from recognizing it. The malware carries an encryption engine that produces different encryption routines; those routines then encrypt and decrypt the malware's remaining functions, the ones that do the actual damage.
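To show why a one-byte change defeats an exact signature while a more tolerant signature survives it, here is an added example (written for this page, not code from the original article). It compares two constructed byte strings that differ only in a padding byte, first with a whole-body hash signature and then with a byte pattern that marks the varying position as a wildcard. The sample bytes, the FNV-1a choice of hash and the function names are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample bodies: two variants of the same (fake) code that differ
   only in byte 4, a padding byte that has no effect on behaviour. */
static const uint8_t VARIANT_A[] = {0xDE, 0xAD, 0xBE, 0xEF, 0x90, 0x10, 0x20, 0x30, 0x40, 0x50};
static const uint8_t VARIANT_B[] = {0xDE, 0xAD, 0xBE, 0xEF, 0x91, 0x10, 0x20, 0x30, 0x40, 0x50};

/* Exact-match signature: a 32-bit FNV-1a hash over the whole body.
   Any single changed byte yields a different hash. */
uint32_t fnv1a32(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* One pattern byte: a value plus a flag saying whether it must match exactly.
   fixed == 0 is a wildcard (the "??" of a YARA-style hex string). */
typedef struct { uint8_t value; uint8_t fixed; } PatByte;

/* Returns 1 if the pattern occurs anywhere in buf, else 0. */
int pattern_matches(const uint8_t *buf, size_t n, const PatByte *pat, size_t plen)
{
    if (plen == 0 || plen > n) return 0;
    for (size_t start = 0; start + plen <= n; start++) {
        size_t i = 0;
        while (i < plen && (!pat[i].fixed || buf[start + i] == pat[i].value)) i++;
        if (i == plen) return 1;
    }
    return 0;
}

/* Pattern derived from VARIANT_A with the padding byte left as a wildcard. */
static const PatByte PATTERN[] = {
    {0xDE, 1}, {0xAD, 1}, {0xBE, 1}, {0xEF, 1}, {0x00, 0},
    {0x10, 1}, {0x20, 1}, {0x30, 1}, {0x40, 1}, {0x50, 1}
};
#define PATTERN_LEN (sizeof PATTERN / sizeof PATTERN[0])

/* 1 if the exact hash signature taken from VARIANT_A also flags VARIANT_B. */
int hash_signature_catches_variant_b(void)
{
    uint32_t sig = fnv1a32(VARIANT_A, sizeof VARIANT_A);
    return fnv1a32(VARIANT_B, sizeof VARIANT_B) == sig;
}

/* 1 if the wildcard pattern flags both variants. */
int pattern_catches_both(void)
{
    return pattern_matches(VARIANT_A, sizeof VARIANT_A, PATTERN, PATTERN_LEN)
        && pattern_matches(VARIANT_B, sizeof VARIANT_B, PATTERN, PATTERN_LEN);
}

int main(void)
{
    printf("hash signature from A flags B:  %d\n", hash_signature_catches_variant_b());
    printf("wildcard pattern flags A and B: %d\n", pattern_catches_both());
    return 0;
}
```

The wildcard pattern only helps when the invariant bytes are still visible. With the encrypted polymorphic malware the paragraph describes, the body looks different on every copy, so scanners aim their patterns at the decryption routine that must stay in plain form, or rely on emulation and behavioural detection instead of static bytes.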

New Method to Bypass Antivirus

The preceding approaches rely on getting a file onto the target machine and then executing it. A newer technique runs malware on a computer without saving anything to the target's storage.

This sort of malware runs entirely in the computer's memory, so file-scanning antivirus software never gets a file to inspect. The malware is not delivered directly from the infected webpage. Instead, the page exploits a previously known weakness in a related program to make the machine download the malware into a region of memory. That memory region is then executed, just like the other malware variants.