Counter Antivirus (Counter AV) is a tool used by cybercriminals that is designed to evade anti-malware detection. This is done by appointing crypters or programs that can disguise malicious programs from security software.
Counter AV Tools
One method that a cybercriminal does to ensure a successful attack is to encrypt files—either done themselves with encryption tools (e.g. Cyberseal and DataScrambler—priced at US $40 for a three-month license and $85 for a lifetime license, and US $25 to $60 respectively) or outsourced encrypting services. With these, security software won’t be able to uncover the malware before the victim receives it. For instance, a simple keylogger known as HawkEye utilized this method to target small and medium-sized businesses (SMBs) worldwide.
Counter AV Services
Counter AV services provide its customers to check files against anti-malware detection. A crypting service takes the malware and scans it against antivirus tools and software found in the market. The cybercriminal would be able to know how many, if any, can detect the code as malicious. The service then runs a series of encryption routines to render the malware obscure, making virus analysis difficult for researchers, which includes avoiding firewalls and antivirus tools. After this process, the malware is deemed to be undetectable and antivirus-resistant. This is also the reason why some malware can bypass the security measures users and enterprises have set.
Counter AV services claim that they don’t share their scanned samples with antivirus vendors, guaranteeing that cybercriminals can execute their attacks unobstructed and with ample time to finish. Some of the known Counter AV services are NoDistribute (for free), RazorScanner (uses coins as currency), and Scan4You (per scan basis, daily or monthly subscription).
The Trend Micro Russian Underground 2.0 paper has shown that the market price for anti-malware checking services has been steadily dropping for the past years. 2014 more than halved 2011’s US $50 to US $20 fee for daily checking, automatic reuploading, and web checking services.
In November 2015, Trend Micro researchers took part in an investigation and the eventual takedown of sites that offer counter AV.
Several malware types have been archived in our Threat Encyclopedia, including BKDR_BN.311.EDS (with anti-antivirus and firewall ability), GOLD_BUG (a boot sector spawning anti-antivirus virus), WORM_KLEZ.A (with anti-antivirus routine capabilities), and WORM_RBOT.QP (with backdoor capabilities of activating anti-antivirus and anti-firewall software).
How does Trend Micro protect users?
With Counter AV tools and services, the practical preventive measure is to detect the malicious file or activity from the source itself. The Trend Micro Smart Protection Network protects users from malicious programs by restricting compromised attachments, links, and websites before they reach the users. The security solution’s multi-layered defenses collate a wealth of global threat intelligence that track the credibility of files and web pages, effectively blocking malicious traffic before it is triggered in computer systems.