Fully Undetectable Malware

Antivirus is designed to discover and stop or quarantine any malicious code running on the host.  Fully undetectable (FUD) malware is designed to evade antivirus products by encrypting or obfuscating the executable malicious code so it doesn’t match up with a signature on the antivirus’ application.

However, malicious code uses stealth techniques that can go far beyond this.  A FUD piece of malware is only useful for as long as it hasn’t been successfully analysed, so the programmers include diversionary tactics in the programs behaviour to specifically make analysis very difficult if not impossible by automated methods.  This can range from completely harmless behaviour when in a virtual machine, to constantly creating and deleting random new files so analysts find it hard to identify its true behaviour.

For as long as the FUD malware is un-detected, it will evade popular antivirus and cyber defence techniques, and therefore be of value to the attacker.  Fortunately for the attacker, antivirus and firewall systems are cross-checking between a list of known threats and what’s actually happening, and they often struggle to identify small changes in an executable file.  For example, “Malware1” and “mAlWaRe1” are not literally the same.

Tools that are designed to build in some of the above techniques into malware have been available for some time online, as well as test sites where you can deploy your newly encrypted malware against popular antivirus systems.  Recently a popular one, reFUD.me, was shut down and two people in England have been arrested on charges related to running the service.

So what can we do to protect ourselves from FUD threats?  Broadly speaking the advice is still the same, keep firewalls and endpoint systems up to date since FUD threats are usually successfully analysed within a few days after being identified and rules-based systems updated shortly after.

Fortunately, FUD threats do not affect the effectiveness of network monitoring systems, as once exploited, each type of malware behaves in broadly the same way.  A network monitoring system such as Perception identifies the unusual and threat like behaviour happening live, rather than detecting the exploit itself, so as long as Trojans are still Trojans and RATs are still RATs, network monitoring systems will work just as well.  Effectively, FUD’s get you through the front door lock but do not stop you detecting the intruder with the internal burglar alarm sensors if you have them.