How Malware Writers Cheat AV Zero-Day Detection

A researcher reverse engineers AVGs code emulation engine after easily bypassing other major antivirus software products.

As an experiment, Kyle Adams wrote what he describes as
ridiculously obvious
malware that most major antivirus products ultimately failed to detect. The only AV product that caught his malware was the freebie AVG, whose code-emulation feature sniffed it out.
So Adams, chief software architect for Junos Webapp Secure at Juniper Networks, kicked it up a notch and reverse engineered AVGs code emulation engine. Then he was able to bypass AVGs engine, as well, but he also noticed what attackers could do in that situatoin. On Tuesday, Aug. 5, at BSides Las Vegas, Adams will demonstrate how he cheated various AV products and how AVs code emulation feature for catching zero-day exploits has some weaknesses of its own.
You start to realize things [the engines] cant handle, and if you explore them, you start to uncover compromises they didnt recognize, Adams says. However, I didnt find anything that let me compromise the [code emulation engine] simply by [having the malware] scanned.
He plans to expose some of the engine weaknesses and name some of the major AV products his malware cheated in the first phase of his experiment. If you know how the engine works, you can get around it.
His research shows that code emulation needs to be improved in AV products. In some aspects, how code emulation works could be grounds for new exploits.
Adams says hes definitely not the first person to cheat an AV engine -- bad guys do it regularly -- but he wants to educate the security community on the problem. Id like to show how the malware authors approach the problem. Im going to show building a virus from scratch… and testing it against the AV products like attackers do as they try to figure out how not to get detected.
His research shows that code emulation and sandboxing arent really working anymore. Now you can start to attack code emulators and sandboxes themselves. At least 10% of attacks are attempting this today.
The malware Adams wrote and will demonstrate is a command-and-control bot. The JavaScript malcode he wrote runs on Windows. It could be put together by anyone.
What can AV vendors do to beef up their code emulation? For one thing, they should start penetration-testing their own AV software.
Adams will propose other solutions for improving code emulation. And he says hes definitely not picking on AVG, which he tried to contact before his presentation. This is not a jab against AVG, as they get enormous credit for including such a powerful tool in a free antivirus client, he wrote in an abstract for his BSides talk.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
How Malware Writers Cheat AV Zero-Day Detection