An interesting detection evasion technique by a site that serves fake AV has recently been spotted by a Zscaler researcher.
The site’s source code has been randomized so that each time a user visits the site, they are presented with a different fake count of supposedly found malware AND a different malicious binary masquerading as an AV solution to download.
“The code contains different random variables and fake security warnings, which have been split into smaller variables in an effort to evade antivirus and IDS/IPS engines that may seek to match common string patterns,” explains the researcher.
It is also interesting to note that even though the offered malware changes with each visit and the various files have different MD5 hashes, the size of the malicious binaries is always the same.
All these files have a pretty low detection rate (around 19% on VirusTotal).
“The example demonstrates that pure pattern matching engines will fail to detect the attack based on pattern matching strings in source code,” concludes the researcher. “Randomization of malicious binaries will also evade good antivirus engines.”
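The split-string trick described above, and the researcher's point that pure pattern matching misses it, can be illustrated from the defender's side: a small normaliser that folds concatenated string fragments back together before signatures are checked. This is an added example, not code from Zscaler or from the site in question; the page snippet and the signatures are constructed for the demonstration.

```python
import re

# Constructed sample modelled on the technique described above: the fake
# warning is split across variables and only joined at render time.
SAMPLE_PAGE = """
var q1 = "Warning! Your comp";
var q2 = "uter is infe";
var q3 = "cted";
var cnt = 37;
document.write(q1 + q2 + q3 + ": " + cnt + " threats found");
"""
# Strings a plain pattern-matching engine would look for (constructed).
SIGNATURES = ["Your computer is infected", "threats found"]

STRING_LIT = r'"(?:[^"\\]|\\.)*"'
ASSIGN_RE = re.compile(rf'(?:var|let|const)\s+(\w+)\s*=\s*({STRING_LIT})\s*;')
TERM = rf'(?:\w+|{STRING_LIT})'
CHAIN_RE = re.compile(rf'{TERM}(?:\s*\+\s*{TERM})+')

def collect_string_vars(src):
    """Map each variable name to the string literal assigned to it."""
    return {name: lit[1:-1] for name, lit in ASSIGN_RE.findall(src)}

def resolve_concatenations(src, string_vars):
    """Fold `a + b + "lit"` chains back into one literal. Unknown identifiers
    (e.g. the random counter) stay in place so the text around them is still
    recovered. Lightweight normaliser, not a JS parser: escapes are kept as
    written and literals containing '+' are not handled."""
    def fold(match):
        out, buf = [], []
        for part in re.findall(TERM, match.group(0)):
            if part.startswith('"'):
                buf.append(part[1:-1])
            elif part in string_vars:
                buf.append(string_vars[part])
            else:
                if buf:
                    out.append('"' + ''.join(buf) + '"')
                    buf = []
                out.append(part)
        if buf:
            out.append('"' + ''.join(buf) + '"')
        return ' + '.join(out)
    return CHAIN_RE.sub(fold, src)

def scan(src, signatures, normalise=True):
    """Return the signatures present in src, after normalisation by default."""
    if normalise:
        src = resolve_concatenations(src, collect_string_vars(src))
    return [s for s in signatures if s in src]
```

Run against the raw sample, only the unsplit "threats found" literal matches; after normalisation both signatures match, which is the gap the researcher describes between string matching on source code and matching on what the page actually renders.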