Antivirus software protects us from more and more threats. Hundreds of new threats emerge every day, and the companies that develop these antivirus products are dedicated to collecting them and creating solutions to protect us. However, some viruses are harder to detect than others, and in some cases a virus can go months without being detected.
When a virus is detected for the first time, it immediately becomes part of the antivirus manufacturers' database. Once it has been added to the database and its code can be recognised, anyone who has it on their computer will be alerted to its presence.
However, what if the virus is designed to constantly change its code? These viruses, called metamorphic, can translate, edit and rewrite their own code automatically with each infection, so that the antivirus cannot detect them. In fact, not only does the infection code itself change, but the mutation engine changes too.
To detect this type of malware it is necessary to go a step beyond the signatures used by current antivirus software and use heuristics and behaviour-based analysis techniques. That way it becomes possible to identify patterns that can detect both past and future mutations.
Although similar in name and purpose, polymorphic viruses are different from metamorphic viruses. While the latter change their code completely, polymorphic viruses change only part of their code and keep the rest the same. To perform these transformations, the malware typically uses obfuscation techniques and even encryption. Thanks to this, the generation engine can stay identical while its footprint changes.
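The contrast between a signature lookup and behaviour-based detection, as an added example that is not part of the original article: two constructed variants with the same behaviour but a different byte footprint, where the hash signature only knows one of them while the behaviour rules flag both. The sample bytes, event lines, rule names and the alert threshold are all made up for the demonstration.

```python
import hashlib

# Constructed samples (placeholder bytes and event traces, not real malware):
# both variants behave the same, but their byte "footprint" differs.
PAYLOAD = b"toy payload"
SAMPLES = {
    "variant_a": {
        "bytes": b"KEY=3f;" + bytes(b ^ 0x3F for b in PAYLOAD),
        "events": [
            "process_create parent=winword.exe child=upd.exe",
            "reg_set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=upd",
            "file_write path=C:\\docs\\1.docx.locked",
            "file_write path=C:\\docs\\2.docx.locked",
            "file_write path=C:\\docs\\3.docx.locked",
        ],
    },
    "variant_b": {
        "bytes": b"KEY=a5;" + bytes(b ^ 0xA5 for b in PAYLOAD),
        "events": [
            "process_create parent=explorer.exe child=svc.exe",
            "reg_set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=svc",
            "file_write path=D:\\share\\a.xlsx.locked",
            "file_write path=D:\\share\\b.xlsx.locked",
            "file_write path=D:\\share\\c.xlsx.locked",
        ],
    },
}
BENIGN_EVENTS = ["process_create parent=explorer.exe child=notepad.exe",
                 "file_write path=C:\\docs\\notes.txt"]

# Signature database: the vendor has only ever collected variant_a.
KNOWN_HASHES = {hashlib.sha256(SAMPLES["variant_a"]["bytes"]).hexdigest()}

# Behaviour rules (hypothetical): (name, predicate over one event line, weight).
RULES = [
    ("office_spawns_process", lambda e: e.startswith("process_create parent=winword.exe"), 2),
    ("run_key_persistence", lambda e: e.startswith("reg_set") and "CurrentVersion\\Run" in e, 2),
    ("encrypted_rename", lambda e: e.startswith("file_write") and e.endswith(".locked"), 1),
]
ALERT_THRESHOLD = 4  # assumed cut-off for raising a behavioural alert

def signature_match(data: bytes) -> bool:
    """Classic static check: exact hash lookup against known samples."""
    return hashlib.sha256(data).hexdigest() in KNOWN_HASHES

def behaviour_score(events):
    """Heuristic check: sum the weights of every rule an event line triggers."""
    score, hits = 0, []
    for line in events:
        for name, pred, weight in RULES:
            if pred(line):
                score += weight
                hits.append(name)
    return score, hits

def scan(sample):
    """Run both checks on one sample and report which of them would alert."""
    score, hits = behaviour_score(sample["events"])
    return {"signature": signature_match(sample["bytes"]),
            "behaviour": score >= ALERT_THRESHOLD, "score": score, "hits": hits}
```

Calling `scan(SAMPLES["variant_b"])` shows the point of the paragraph: the signature check misses the re-encrypted variant, while the behaviour score still crosses the threshold.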
There are other types of infection beyond the classic malware detectable by antivirus, such as zero-day vulnerabilities. These vulnerabilities consist of a flaw in the software or hardware of a device that has not been patched. Because it is not patched, attacks can be carried out without the system being able to detect them.
Some zero-day vulnerabilities are detectable by antivirus if someone tries to exploit them, but in many cases they are not. These types of flaws are usually found by performing tests such as buffer overflows, flooding programs with input until they crash, at which point it becomes possible to inject malicious code.
Among the malicious code that can be injected is ransomware that encrypts all the contents of the computer. This was the case, for example, with WannaCry, which, through an unpatched vulnerability in Windows 10, allowed ransomware to be installed on a computer and then infect all the other devices connected to the same local network.
Zero-day vulnerabilities can also lead to rootkit infections. A rootkit is the worst thing we can suffer on a computer. An antivirus is capable of detecting malicious code running on the operating system. But what if the code sits closer to the hardware than the operating system does? In that case, the antivirus cannot detect it.
That is a rootkit: a type of malware that has perpetual access to a computer but remains hidden from the user, who has no way of detecting it. Its objective may be to modify the firmware of a device, or to spy on everything that passes through the memory of the user's computer.
These rootkits can get into the operating system kernel to bypass detection, but they can also reach the lower layers of the computer, such as the BIOS. In those cases, even formatting the disk cannot help us eliminate the threat.
Fortunately, antivirus products include more and more rootkit detection mechanisms. On top of that, there are mechanisms such as Secure Boot that allow us to protect the entire boot process of the computer and prevent the execution of malicious code.