Design, Implementation and Evaluation of
a Novel Anti-Virus Parasitic Malware
Byungho Min
Advanced Cyber Security Research Centre
Macquarie University, Sydney, Australia
{byungho.min, vijay.varadharajan}@mq.edu.au
ABSTRACT
In this paper, we propose an advanced malware, anti-virus
parasitic malware (AV-Parmware). It attacks protected com-
ponents of anti-virus software by their exploiting security
weaknesses, and compromises the target systems by being
a parasite on the anti-virus. We have investigated 18 anti-
virus solutions from seven major anti-virus software ven-
dors and have discovered that 12 products from four vendors
(AVG, Avira, McAfee, and Symantec) have certain security
weaknesses that can be utilised in the proposed malware1 .
There are several advantages to being an anti-virus parasitic
malware, including longevity (anti-virus runs while its sys-
tem is up), improved stealthy behaviour, highest privileges
and capability to bypass security measures such as Egress
filtering. We have implemented our proposed parasitic mal-
ware, and have shown that all these advantages are achieved
in practice.
Categories and Subject Descriptors
K.6.5 [Management of Computing and Information
Systems]: Security and Protection—Invasive software
General Terms
Security, Experimentation
Keywords
Parasitic Malware, Anti-Virus, Software Components, Vul-
nerability
1. INTRODUCTION
Recent malware trends [19, 20] indicate there is an in-
crease in the instances of malware on the web over the last
few years. It is important for security professionals to be up
to date on the current and future malware threats to be able
1 and describe the advantages and obstacles to anti-virus par-
We are firm believers in responsible disclosure, and have re-
ported the issues disclosed in this paper to the corresponding
vendors.
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
bear this notice and the full citation on the first page. To copy otherwise, to
republish, to post on servers or to redistribute to lists, requires prior specific
permission and/or a fee.
SAC’15 April 13-17, 2015, Salamanca, Spain.
Copyright 2015 ACM 978-1-4503-3196-8/15/04...$15.00.
http://dx.doi.org/10.1145/2695664.2695683 ...$15.00.
2127
Vijay Varadharajan
to take appropriate defensive actions to commensurate with
their anticipated risk. Furthermore the malware themselves
are becoming increasingly more sophisticated and evasive.
In order to be able to protect against such sophisticated mal-
ware, we as security professionals need to better understand
how new malware is being designed and embedded into var-
ious systems. Hence in this paper, our aim is first to look at
some new techniques that can be used to develop advanced
malware which can evade existing anti-virus software, and
then develop new defensive mechanisms to counteract them.
From the point of view of malware design, one of the ma-
jor hurdles is to perform its functions without being detected
by anti-virus software. Most anti-virus solutions nowadays
use both signatures and behavioural characteristics to de-
tect malware; they perform static and/or dynamic analy-
sis on files and network traffic. Furthermore, efforts on de-
tecting obfuscated malware are continuously improving [33,
24, 36, 17, 18]. In addition, recent operating system de-
velopments have begun to incorporate security features like
Early Launch Anti-Malware [3] that activate the anti-virus
software as early as possible.
In this paper, first we propose a new approach to load-
ing malicious components, and develop an advanced mal-
ware based using this approach, which we refer to as anti-
virus parasitic malware (AV-Parmware). It is a software
component-based parasitic malware that subverts and lives
on major anti-virus software by updating a protected com-
ponent of the target anti-virus with a malicious one. Our
scheme performs file update/replacement by exploiting var-
ious security weaknesses that we have found in 12 current
anti-virus solutions from four major anti-virus vendors (AVG,
Avira, McAfee, and Symantec) with our assessment tool.
We have conducted extensive experiments with the anti-
virus parasitic malware and confirmed its properties.
The rest of this paper is structured as follows. We in-
troduce the concept of component-based parasitic malware,
asitic malware in Section 2. The design and operation of
AV-Parmware are explained in Section 3. Section 4 describes
the security weaknesses that we have found in several of the
major anti-virus software, which will be used in the devel-
opment of the proposed malware in the next section. Ex-
perimental results are discussed in Section 5. Related work
and conclusions are given in Sections 6 and 7 respectively.
2. BACKGROUND
2.1 Component-based Parasitic Malware
There have been many attacks in the real world that in-
volve loading malicious components in the context of be-
nign software. For instance, several of these attacks drop
malicious components at a specific path, which gets loaded
via DLL hijacking due to the unsafe path search of Win-
dows [16]. Also, many malware instances inject their code
into the target process using memory-related techniques such
as DLL injection thereby loading the malicious components.
Hence the anti-virus industry has been developing several
techniques to detect such attacks [12, 13, 32, 9, 15].
In this paper, we propose a new approach to loading ma-
licious software components, which we refer to as “software
component-based parasitic malware.” It is defined as ma-
licious code that updates/replaces existing components of
installed software and becomes parasitic on it. Our method
is a file-based attack, and hence it is different from memory-
based attacks. Furthermore, the proposed scheme is dis-
tinguished from DLL hijacking even though both are file-
based attacks; our scheme is based on the fundamental rule,
followed in the software industry, that a software compo-
nent can be updated as long as the new version provides
the full functionality of the current version, whereas DLL
hijacking uses the unsafe path search weakness. Moreover,
it is hard to determine whether an update is malicious or
not, because there are many possible update channels in-
cluding centralised third-party software management tools,
application’s built-in update feature, and user manually re-
installing a newer version. Hence the fundamental objective
of the scheme is to drop a file and inject code into a target
process in such a way that it gets loaded by benign software.
2.2 Parasite on Anti-virus
There can be various software that can be the target of
component-based parasitic malware. However, anti-virus
software is the best target for such malware, since there are
many advantages to anti-virus parasitic malware. First, an
anti-virus runs while the system (on which it is deployed) is
running. Therefore, it is one of the best hosts for a parasitic
malware. Second, it is stealthier, because it does not create
any new process while it is running; the word parasitic comes
from this characteristic. Also it does not need to install any
malicious Windows service, driver, and/or rootkit for per-
sistent compromise since it will be loaded by anti-virus on
every boot. This implies that the system integrity monitor-
ing solutions that monitor new services, drivers and rootkits
do not detect AV-Parmware. In addition, in case of detection,
anti-virus software will be found to be as “malware” (and not
AV-Parmware). Third, it is able to acquire more capabilities
as anti-virus related services, processes, and drivers usually
have the highest privilege on a system; so parasitic malware
achieves this without installing rootkit or other malicious
components. Hence, security features like User Access Con-
trol (UAC) becomes ineffective. Also, anti-virus has the
ability to protect itself (described in Section 2.3), so that
other processes cannot stop, kill or disable the anti-virus;
this means AV-Parmware receives this protection once it suc-
cessfully becomes parasitic on the anti-virus. Fourth, it can
bypass any Egress packet filtering, because anti-virus solu-
tions require network communications for updates and sys-
tem protection, and are allowed by outgoing traffic rules.
Fifth, anti-virus files are frequently updated in order to be
up-to-date2 and these files are normally excluded from file
integrity monitoring by security solutions such as Tripwire.
2
For example, McAfee and Avast free products look for up-
2128
This implies that replacing one of anti-virus files hardly trig-
gers an alarm for such solutions. Sixth, in many cases, anti-
virus is the only security tool installed by the user (firewall
is often built in with major operating systems). Therefore,
security of commodity PC systems heavily depends on the
effectiveness of the anti-virus software installed on them.
Besides these obvious advantages, anti-virus has other de-
sirable properties for parasitic malware such as minimised
user intervention and deep integration with the operating
system. These major merits have been achieved with the
proposed AV-Parmware in Section 5.
2.3 Self-protection of Anti-virus
Though it is clear that anti-virus offers several advantages
as a host for a parasitic malware, components of anti-virus
are much harder to replace than those of other software.
This is because as one would anticipate anti-virus software
tends to have strong self-protection feature3 . Self-protection
module protects its processes, memory, files, registry keys
and values, and configurations from being killed, modified,
and/or deleted. For instance, non-anti-virus process cannot
terminate the processes of anti-virus or modify its memory
even if it has the highest privilege (SYSTEM). Furthermore,
anti-virus related files and registry keys and values cannot
be modified or deleted by non-anti-virus processes.
Self-protection feature is usually implemented with one or
more kernel-mode drivers and Windows services. For exam-
ple, a service and a couple of drivers are in charge of self-
protection in Avira AntiVirus 2013 product line [22]. Real-
Time Protection service is crucial in Avira’s self-protection
mechanism, because it provides real-time protection not only
to the system (such as on-access detection of malware), but
also to itself (self-protection such as prevention of unautho-
rised alteration on Avira’s processes, files, and registry keys).
In particular, unloading the kernel-mode drivers and the fil-
ter driver is blocked by this service. Furthermore, users can-
not stop, pause, or restart the service, as the service ignores
such requests. In contrast, some anti-virus software such
as Sophos End Point Security does not protect its services,
thereby enabling users or malware to start/stop/restart its
services. In this case, it is possible for a malware to stop
the service, perform any malicious activity, and then start
the service. The kernel-mode drivers of Avira protect its
registry keys and files. In particular, a filter driver protects
Avira’s installation path so that any other process cannot
add, delete, or modify any of Avira’s files. And the pro-
cesses of Avira themselves are protected by the kernel-mode
driver in such a way that other processes cannot kill or termi-
nate them. Therefore, no one can modify any component of
Avira and other self-protected anti-virus without disabling
the self-protection feature.
This self-protection feature is a major obstacle to anti-
virus parasitic malware, since the malware must update a
protected component of its target anti-virus. Therefore, we
have developed a tool to assess the self-protection of major
anti-virus solutions. This led to the discovery of several new
security weaknesses, which are described in Section 4.
dates every four hours [1, 2].
3
Some anti-virus’ self-protection feature prevents the system
from being restored using Windows System Restore. This
is why most anti-virus solutions provide a way to disable its
self-protection feature in its GUI. CLI-based methods are
not provided as they can be abused by malware.

Figure 1: Overview of AV-Parmware’s design and con-
trol flow
3. DESIGN: STAGED MALWARE ARCHI-
TECTURE
Attackers have resorted to staged malware in order to over-
come the hurdles mentioned in Section 1. In particular, only
a dropper or a downloader is executed at the first intrusion;
then the malware checks the target environment and mod-
ifies its behaviour depending on the state of the environ-
ment (such as enabling a specific anti-virus bypassing tech-
nique or terminating itself to avoid detection). Most of the
well-known modern malware including Zeus [13], Citadel [6],
Conficker [32] and Stuxnet [12] are staged ones. The staged
approach at least gives two benefits to the attackers. First,
it allows them to minimise the risk of detection by security
tools. Second, it minimises the exposed portion and hides
the full functionality of the malware at the early stage of in-
trusion. Consequently, security professionals cannot reveal
the functionalities of a malware when they obtain only the
first stage such as downloader.
AV-Parmware is a staged malware that is made up of two
components: a dropper and a payload DLL as shown in
Figure 1. The dropper (light grey box in the figure) is the
first stage that is executed on the target system. In this
paper, we assume that AV-Parmware has been introduced
to a victim machine by an initial attack such as client-side
attack or spear phishing. This is valid because any malware
must be delivered and executed by an initial attack vector;
most related work assume the same situation [23, 26, 30, 25,
8, 7, 14, 29, 11, 38]. The role of the dropper is to disable
the self-protection of the target anti-virus and update a file
of the anti-virus with its payload DLL embedded in itself.
After a reboot or an update, the payload DLL is loaded by
a service of the target anti-virus, and AV-Parmware becomes
parasitic. From this point on, the malware performs its ma-
licious activities, such as Windows password hash dump and
data exfiltration, in the context of the anti-virus service pro-
cess. The overall flow of the execution of AV-Parmware is
also illustrated in Figure 1; in this figure, the payload DLL,
a target file to be replaced, and a target anti-virus service
are shaded in dark grey. The execution flow of AV-Parmware
is hard to detect, because all the operations performed by
its dropper – from configuring a service and/or a driver to
triggering an update and to opening and copying files – are
totally legitimate. It also ensures the stability of the mal-
2129
ware’s installation, which is one of the core requirements of
a stealthy malware.
4. EVALUATION OF SELF-PROTECTION OF
MAJOR ANTI-VIRUS SOFTWARE
Methodology.
As mentioned earlier, AV-Parmware must be able to dis-
able self-protection feature of the target anti-virus. The self-
protection feature of all the anti-virus software that we have
investigated has been implemented in kernel-mode drivers
and/or Windows services. We have developed an assess-
ment tool that checks whether these self-protection modules
are properly protected or not. To sum up, this tool at-
tempts several techniques given below with different options
to stop/pause/disable drivers and services, modify config-
urations, and manipulate files during an update; details of
each method are given in the following sections with the
corresponding vulnerable anti-virus software products:
1. Filter Manager: APIs and fltmc command (AVG)
2. Manipulation on files during an update: I/O APIs
(Avira and McAfee [2nd])
3. Service Control Manager (SCM): APIs and sc com-
mand (McAfee [1st])
4. Windows Management Instrumentation (WMI): code
in VBS and C# and WMI console (Symantec Norton)
5. net command (anti-virus w/o self-protection such as
Sophos)
After running the tool, we analysed the results and trans-
formed the newly found flaws into security vulnerabilities
so that AV-Parmware disables these anti-virus solutions’ self-
protection. Since the malware must update an anti-virus
related file in order to become a parasite, our research was
focused on the evaluation of self-protection on file access.
Evaluation results.
We have investigated self-protection feature of 18 anti-
virus solutions from seven major anti-virus vendors; our re-
sults are shown in Table 1. Top seven worldwide market
share vendors have been selected according to the OPSWAT
anti-virus vendor market share report [27]. Their market
share accounts for 68.3% of the entire anti-virus market.4
As a result, 12 products from four vendors have been iden-
tified to have security issues in their self-protection feature,
which allows the malware to disable the feature and replace
anti-virus-owned files. The security weaknesses found are
explained in the following sections. All the weaknesses ex-
cept for one of Avira’s (part 1 of Section 4.2) are publicly
disclosed in this paper for the first time.
4.1 AVG
AVG’s self-protection feature is named as “AVG Self pro-
tection”; two filter drivers are in charge of protecting access
on AVG’s files. When a user or a process (even with the
highest privilege) tries to delete or modify those files, then
the two drivers block such I/O requests. Similarly, new files
cannot be added to the AVG folder.
4
We have excluded Microsoft, as it is not a security-specific
software vendor.
 Table 1: Evaluation results of anti-virus self-protection feature (SP: self-protection, IS: Internet Security)
Products (2013 versions) SP disarmable Security weakness
AVAST (3 products)
X -
(Free, Pro & IS)
AVG (3 products) O
Unloadable/detachable drivers
(AntiVirus Free, AntiVirus & IS) (Arbitrarily)
Avira (3 products) O
Service restart + restart coercion
(Free, Antivirus Premium & IS) (On every update)
ESET (1 product)
X -
(NOD32 Antivirus 6)
Kaspersky (2 products)
X -
(Anti-Virus & IS)
McAfee (3 products) O 1. Incomplete protection on SP service
(AntiVirus Plus, IS & Total Protection) (On next reboot) 2. Unprotected temporary service
Symantec Norton (3 products) O
Incomplete protection on SP driver
(AntiVirus, IS & 360) (On next reboot)

Weakness: Detachable drivers.
AVG fails to protect the self-protection filter drivers, even
though it must block any unauthorised attempt to unload
or detach such filter drivers. As a result, two filter drivers
named avgtp and avgmfx86 can be detached by the user or
malware using Filter Manager Control (fltmc) command.
After the detachment, AV-Parmware replaces an AVG’s file
with its payload DLL. Once the malicious DLL is loaded
by the AVG on the next reboot or at the restart of AVG,
AV-Parmware becomes parasitic on AVG. This shows intro-
ducing new security modules (filter drivers) cannot provide
additional protection, if they are not protected by either
themselves (the cases of non-vulnerable products in Table 1)
or other modules that protect themselves (the case of Avira).
4.2 Avira
Avira’s case is much more complicated than the AVG’s.
As described in Section 2.3, Real-Time Protection service
prevents its filter driver from being unloaded or detached
in all Avira’s anti-virus products. Therefore, AV-Parmware
cannot arbitrarily unload the driver in one step. After in-
vestigation, we found two security weaknesses that may not
be severe threats in themselves, but become a critical one
when combined. The first weakness has a big impact (com-
promise of Avira and the operating system) with low prob-
ability, while the second one increases the probability, thus
making the risk caused by the combined weaknesses to be
high and usable by AV-Parmware.
Weakness Pt. 1: Partial pause of self-protection (known).
Byungho et al. have discovered that a core component
of Avira can be paused during an update, which leads to a
total compromise of Avira; full details can be found in their
work [22]. To summarise, Avira’s Real-Time Protection ser-
vice is restarted on some updates. This restarting usually
takes several seconds on a commodity personal computer;
during this time period, the system and Avira become vul-
nerable, since the system virtually becomes identical to the
one with no anti-virus.
Weakness Pt. 2: Wrong assumption during pause.
Even though the impact of the security weakness explained
in the previous section is big, its probability is low because
such a service restart doesn’t happen on every update. We
observed Avira Free Antivirus 2013 for more than three
months, and found that the restart happens up to three
times in a week (usually less than twice in a week). Because
this product checks for an update every six hours (four times
a day), one week is divided into 28 (=4×7) time frames.
2130
This implies that the probability for a malware to be landed
on the system during a vulnerable time frame is 10.71%
(=3/28) at maximum. Therefore, it is impossible to assume
that a service restart will happen when the malware trig-
gers an update. In conclusion, without a method to force
a service restart, all the malware can do is to try to trigger
an update, and hope that the Real-Time Protection service
restarts.
It is clear that it is necessary to restart the service, and
this is where the second security weakness comes into play.
We investigated the reason for service restart, and discov-
ered that Real-Time Protection service is temporarily termi-
nated by the update process (update.exe) when the service
is locking one or more component files. We further anal-
ysed this issue and found that the update process terminates
Real-Time Protection service even if some files related to the
service are opened by any random process; it does not check
which process is opening these files, and falsely assumes that
the files are being opened by the service. It is also worth not-
ing that any process can open and read Avira’s files, even
though its installation path is protected by the file system
filter driver, and hence files in it cannot be modified or re-
moved. AV-Parmware exploits this wrong assumption, and
forces the service to restart. After triggering an update, it
opens a few files that are opened by Real-Time Protection
service. This makes Avira’s update process temporarily ter-
minate the service. Then, the malware performs its chained
exploit, and closes the files. If it does not close them, the
update process keeps stopping and starting the service. This
behaviour can also be used for DoS on Avira, but it is almost
meaningless for the same reason as the one given earlier.
Now AV-Parmware has the ability to compromise the vic-
tim system with much higher probability, because virus def-
initions and detection engines are frequently updated as dis-
cussed in Section 2.2. As long as there is a file to be updated,
the malware compromises its victim system by exploiting the
two security weaknesses illustrated in this section.
4.3 McAfee
McAfee’s anti-virus products host a service named “McAfee
Access Protection” (McAPExe) to provide protection on McAfee-
owned files and services so they are not accidentally manip-
ulated by the user or malware. This service also protects it-
self from being stopped or restarted. Therefore, the method
used against AVG is ineffective against this service. Self-
disarm coercion used against Avira is also not possible here
even though McAfee restarts Access Protection service on
some updates. This is because the frequency is too low and
we could not find a way to force a service restart. However,
we have discovered two methods that can be used to nullify
McAfee’s self-protection feature.
1st Weakness: Incomplete protection on McAPExe.
McAfee products do not protect the configurations of their
services. Even though the user (or malware) cannot stop
or restart Access Protection service, its configurations such
as “start mode” can be modified using SCM. Because the
start mode is changed to “disabled”, the service will not start
from next reboot. However, when AV-Parmware disables Ac-
cess Protection service, it cannot replace McAfee’s files since
the service is active at this moment. This hurdle can be
overcome using MoveFileEx() API with MOVEFILE_DELAY_
UNTIL_REBOOT flag. This flag makes the file move operation
happen on next reboot, and this operation succeeds since
Access Protection service does not start in the next reboot.
In the current implementation of AV-Parmware, it replaces a
file in C:\Program Files\Common Files\McAfee\Platform
to load the payload DLL. As soon as it is loaded, the DLL
recovers start mode of Access Protection service thus mak-
ing everything normal.
This security weakness shows that not only it is important
to protect the running state of a service or a driver but also
configurations need to be protected, so as not to be modified
by malware or malicious users.
2nd Weakness: Unprotected temporary service file.
We analysed McAfee products and found another weak-
ness that can be used by AV-Parmware. During some up-
dates, McAfee installs a temporary service to clean up the
leftovers of the update as well as itself (after the clean-
up). Such a service creation happens quite frequently (about
three times out of five updates according to our observa-
tions). This clean-up service is executed on the next reboot
before any other McAfee service including Access Protection
service begins. It executes a file located in %WinDir%\Temp\
[dynamic_filename].exe. The problem is that this partic-
ular executable file is not protected, even though McAfee
protects its other temporary files during the update. There-
fore, AV-Parmware can use this weakness by replacing the
original service file with the dropper. On the next reboot,
the clean-up service starts and the dropper is executed in-
stead of the original executable file. The dropper replaces
a file of McAfee with its payload DLL, and AV-Parmware
becomes parasitic on McAfee when the payload is loaded
by the McAfee service. This method shows how incomplete
protection on crucial temporary files leads to a compromise
of anti-virus and operating system.
4.4 Symantec Norton
In Symantec Norton software, a driver (BHDrvx86) pro-
tects its files. This driver is a part of “Norton Product
Tamper Protection” feature that provides self-protection to
Norton products. Unlike McAfee, Norton tries to block any
attempt to modify configurations of the driver. In partic-
ular, a user or malware cannot modify the start mode of
BHDrvx86 via SCM (using sc command or APIs) or net
command. In addition, the driver cannot be detached using
any of the documented methods.
Weakness: Incomplete protection on BHDrvx86.
However, there is another technique that can be used
to control configurations of drivers and services: Windows
Management Instrumentation (WMI). It is the infrastruc-
2131
ture for management data and operations on Windows sys-
tems, and is useful in enterprise applications and adminis-
trative scripts [5]. We found that Symantec Norton products
fail to block service/driver configuration performed via this
interface. As a result, BHDrvx86 driver can be disabled by
AV-Parmware through WMI. Other steps are exactly same as
in the McAfee’s case; AV-Parmware queues a file move opera-
tion, and the payload DLL is dropped in C:\Program Files\
Norton AntiVirus\Engine\20.4.0.40\ on the next reboot.
The path is built at runtime since it includes a version num-
ber (20.4.0.40).
4.5 Other products
Even after running our assessment tool, and then manu-
ally analysing them, we could not disable the self-protection
feature of the three vendors’ products (Table 1). Their
self-protection modules (“self-defense” in AVAST and ESET
NOD32, “self-defence” in Kaspersky) blocked all the access
requests to their components and configurations unless such
requests are originated from themselves; additionally we were
not able to restart any of their services/drivers during an
update. However, our assessment tool has found a few im-
proper protection on services and temporary files from these
products, which we believe has the potential for developing
the parasitic malware; we are in the process of analysing
these results.
5. EXPERIMENTAL RESULTS
In this section, we present our experimental results that
show the advantages of our anti-virus parasitic malware.
The victim environment is a virtual machine with fully patched
Windows 7 Ultimate edition.
5.1 Bypassing Egress Filtering
This experiment shows that AV-Parmware bypasses Egress
filtering rules, and connects back to the attacker. In or-
der to block malware communications, Egress filtering is
required in PCI-DSS [28] and recommended in US-CERT
guideline [34]. As a result, advanced modern malware in-
stances inject themselves into trusted processes so as to by-
pass these security mitigations [12, 9, 15]. However, this is
insufficient in some cases. For instance, Flame injects into
Windows Explorer that does not make a network connection
in a usual situation. Stuxnet uses lsass.exe and winlogon.
exe as its injection target, but they normally don’t con-
nect to the Internet, even though they can connect to LAN
servers and/or can be connected from LAN clients. In con-
trast, Avira’s update process and Web Protection service
are required to connect to the Internet for their functionali-
ties like downloading new updates and protecting the system
from web threats.
In the case of targeting Avira, AV-Parmware uses sqlite3.
dll to compromise Real-Time Protection service (avguard.
exe). The problem is that this service does not require
network connections. However, sqlite3.dll is also loaded
by Avira’s other processes such as Web Protection service
(avwebgrd.exe). This service acts as a proxy server on the
system, and connects to the Internet on behalf of applica-
tions that make network connections to the Internet. As a
result, Web Protection service must be allowed in outgoing
traffic rules. In order to utilise this, the payload DLL of
AV-Parmware behaves differently based on its caller process;
it checks the full path of its caller, and creates the mali-
cious thread only if the caller is C:\Program Files\Avira\
AntiVir Desktop\avwebgrd.exe. We verified that this pay-
load bypassed Egress filtering firewall rules forced by Co-
modo Firewall.
It is worth noting that a single file (ccSvcHst.exe) hosts
all the services in the case of Symantec Norton, thus making
bypassing Egress filtering easier; any process of this file must
be allowed in outgoing traffic rules.
5.2 Remaining Stealthy (even on detection)
There are two aspects to the stealth nature of the AV-
Parmware. First, it does not create any process after the pay-
load is loaded by anti-virus, and hence the user cannot see
any suspicious process running on the system. Also, there
is no additional file installed on the target system, as the
malware updates anti-virus’ file with its payload. When it
comes to network activity, the user and firewalls can hardly
detect any anomaly as long as the Command and Control
server of the malware resides in an unsuspicious country -
because some anti-virus services and processes (Web Pro-
tection service in the case of Avira) have to connect to the
Internet.
The second aspect comes out in the worst case, which is
at the time of detection. When an anti-virus detects the
malware, it reports itself as malicious because AV-Parmware
is parasitic on it. This behaviour was confirmed using a
detectable payload. We implemented a payload DLL that
loads another DLL located at c:\a.dll. This additional
DLL is a Metasploit’s Meterpreter shellcode that connects
back to the attacker. Upon the malware attack, malicious
sqlite3.dll was loaded by Avira’s Real-Time Protection
service, and a.dll was loaded by the payload DLL. Un-
til this point, the obviously malicious file was not detected
by Avira. This is an unusual behaviour because Avira’s
Real-Time Protection service normally scans and blocks the
access on a suspicious file when an access is requested. In
other words, a.dll cannot be executed if non-Avira pro-
cesses try to load it. It turned out that Avira requires
SQLite to open its definition files prior to becoming able
to perform on-access scanning, and a.dll is loaded before
those definitions are loaded. As a result, we could control
the victim machine using a Meterpreter shell without any
problem, even though a.dll is totally detectable by Avira;
it proves AV-Parmware’s excellent ability to remain stealthy.
In order to make a.dll to be detected, we tried to ac-
cess a.dll using Windows Explorer. Finally, it was detected
by Avira. However, even in this worst case, Avira detects its
own processes (avscan.exe, avwebgrd.exe, and avguard.
exe) as Trojan horses. Neither sqlite3 nor a.dll is de-
tected. Therefore, the user can hardly find AV-Parmware’s
payload (sqlite3.dll); he even might ignore the detection
after searching for this behaviour, because there have been
false-positive cases that some anti-virus solutions detected
and deleted their own components [4].
Another interesting point to note about this experiment is
that a.dll successfully connected to the attacker and per-
formed its malicious activities such as dumping Windows
password hash and capturing screenshots, even after it was
detected. This means the attacker is able to update the
malware to a new (undetectable) version, or clean-up the
malware from the victim system.
2132
6. RELATED WORK
Loading Malicious Components.
Kwon and Su [16] have experimented with DLL hijacking
attack against major software suites such as Microsoft Of-
fice and Google Desktop, and have suggested a method that
detects unsafe library use in software. Analyses on several
malware instances have shown that malicious components
are loaded via memory manipulation like DLL injection, and
anti-virus software vendors are trying to detect such injec-
tion and recommending prevention methods such as remov-
ing debug privilege from non-administrative users. [12, 13,
32, 9, 15].
Attacking Anti-virus.
Traditional implementation vulnerabilities such as buffer
overflow have been discovered from anti-virus and published [8,
7, 35, 37]. These attacks exploit such vulnerabilities, and
perform denial-of-service or arbitrary code execution. In
addition, there has been considerable research on anti-virus
evasion techniques using code obfuscation, such as poly-
morphism, metamorphism and packing, as well as on de-
tection schemes [33, 24, 36, 17, 18, 25]. File obfuscation
techniques for non-executable formats have also been pro-
posed. Porst suggested an evasion technique that generates
script-embedded PDF files that are not recognised by anti-
virus software, but parsed by Adobe reader [29]. Jana and
Shmatikov [14] suggested two anti-virus evasion techniques
that use various file formats. However, malware using any
file obfuscation technique can bypass only the file detection,
and thus its activities can be detected by anti-virus’ be-
havioural engines.
Attacking Software Update.
Bellissimo et al. [10] analysed update procedures of sev-
eral software products, and showed some of them don’t use
secure network connections and/or binary verification. Sim-
ilar research was started by Infobyte security research in
2008, and its product, evilgrade, is still actively updated
with vulnerable software that uses insecure network con-
nections. However, these network-based man-in-the-middle
attacks require that the attacker is able to make traffic redi-
rection, which can be done in various ways such as DNS
tampering, DNS cache poisoning, ARP spoofing, Wi-Fi ac-
cess point impersonation and DHCP hijacking. In contrast,
our scheme is a local attack without such a requirement.
7. CONCLUDING REMARKS
In this paper, we have proposed a new advanced anti-
virus parasitic malware AV-Parmware and have developed
practical implementations. AV-Parmware exploits the newly
discovered security weaknesses of 12 anti-virus software so-
lutions, which enables attackers to subvert the anti-virus
and the victim system. Our experiment results show that
the merits of being a parasite on an anti-virus are signif-
icant such as network communications being allowed in a
highly secured environment, gaining more capabilities and
becoming stealthier. We believe that this type of security
weaknesses related to the self-protection feature might also
be present in other anti-virus solutions, and this could form
part of our future work.
We have developed an effective defence against AV-Parmware
and implemented and evaluated the solution. The proposed
solution utilises digital signature and same origin policy [21],
and is applicable to the current versions of the anti-virus
software without any modification5 . It is important to stress
that it is essential that at least one anti-virus solution must
be present on every system, even if it is imperfect. Anti-
virus and other security tools raise the bar for attackers to
breach the security of a system. Furthermore, there is con-
siderable research happening in the anti-malware research
community aimed at improving detection techniques, espe-
cially behaviour-based ones [31].
8. REFERENCES
[1] McAfee Communities. https://community.mcafee.com/.
[2] Avast Forum. http://forum.avast.com/index.php?topic=
106560.msg848307#msg848307, 2012.
[3] Early Launch Anti-Malware.
http://msdn.microsoft.com/en-
us/library/windows/hardware/br259096, 2012.
[4] Sophos antimalware software detects itself as malware,
deletes critical binaries.
http://thenextweb.com/insider/2012/09/20/sophos-
antimalware-software-detects-malware-deletes-
critical-binaries/, 2012.
[5] Windows Management Instrumentation.
http://msdn.microsoft.com/en-
us/library/windows/desktop/aa394582(v=vs.85).aspx,
2013.
[6] AhnLab Analysis Team. Malware Analysis: Citadel.
AhnLab ASEC (AhnLab Security Emergency response
Center) (Dec. 2012).
[7] Alvarez, S. Antivirus (In)Security. In CCC (Chaos
Communication Camp) (Finowfurt, Germany, 2007).
[8] Alvarez, S., and Zoller, T. The Death of AV Defense in
Depth? - revisiting Anti-Virus Software. In CanSecWest
(Vancouver, B.C., Canada, 2008).
[9] Anity Labs. Analysis Report on Flame Worm Samples.
Tech. rep., July 2012.
[10] Bellissimo, A., Burgess, J., and Fu, K. Secure software
updates: disappointments and new challenges. In
Proceedings of USENIX Hot Topics in Security (HotSec)
(Vancouver, B.C., Canada, 2006).
[11] Bilge, L., and Dumitras, T. Before we knew it: an
empirical study of zero-day attacks in the real world. In
CCS ’12 (Raleigh, NC, USA, Oct. 2012).
[12] Falliere, N., Murchu, L. O., and Chien, E.
W32.Stuxnet dossier. Tech. rep., 2011.
[13] IOActive. Reversal and Analysis of Zeus and SpyEye
Banking Trojans. Tech. rep., 2012.
[14] Jana, S., and Shmatikov, V. Abusing File Processing in
Malware Detectors for Fun and Profit. In IEEE Symposium
on Security and Privacy (S&P) 2012 (San Francisco, CA,
USA, 2012), pp. 80–94.
[15] Kaspersky Lab. Gauss: Abnormal Distribution. Tech.
rep., Aug. 2012.
[16] Kwon, T., and Su, Z. Automatic detection of unsafe
component loadings. In ISSTA ’10: Proceedings of the 19th
international symposium on Software testing and analysis
(Trento, Italy, July 2010), pp. 107–118.
[17] Lee, J., Jeong, K., and Lee, H. Detecting metamorphic
malwares using code graphs. In SAC ’10: Proceedings of
the 2010 ACM Symposium on Applied Computing (Sierre,
Switzerland, Mar. 2010).
[18] Lin, D., and Stamp, M. Hunting for Undetectable
Metamorphic Viruses. Journal in Computer Virology 7, 3
(Dec. 2010), 201–214.
[19] McAfee. McAfee Labs Threats Report. Tech. rep., 2013.
5
Due to page restrictions, we are not able to describe the
solution in this paper.
2133
[20] Microsoft. Security Intelligence Report. Technical report.
Tech. rep., 2013.
[21] Min, B., and Varadharajan, V. Feature-Distributed
Malware Attack: Risk and Defence. In 19th European
Symposium on Research in Computer Security (Wroclaw,
Poland, 2014), Springer International Publishing,
pp. 457–474.
[22] Min, B., Varadharajan, V., Tupakula, U. K., and
Hitchens, M. Antivirus security: naked during updates.
Software: Practice and Experience 44, 10 (Oct. 2014),
1201–1222.
[23] Murad, K., Cheng, S.-M., Zikria, Y., and Ikram, N.
Evading Virus Detection Using Code Obfuscation. Future
Generation Information Technology (2010), 394–401.
[24] Newsome, J., Karp, B., and Song, D. Polygraph:
Automatically generating signatures for polymorphic
worms. In IEEE Symposium on Security and Privacy
(S&P) 2005 (CA, USA, 2005), pp. 226–241.
[25] Oberheide, J., Bailey, M., and Jahanian, F. PolyPack:
an automated online packing service for optimal antivirus
evasion. In Proceedings of the 3rd USENIX Workshop on
offensive technologies (Montreal, Canada, 2009).
[26] O’Kane, P., Sezer, S., and McLaughlin, K. Obfuscation:
The Hidden Malware. Security & Privacy, IEEE 9, 5
(2011), 41–47.
[27] OPSWAT. Market Share Report December 2012. Tech.
rep., Dec. 2012.
[28] PCI Security Standards Council. Payment Card
Industry (PCI) Data Security Standard. Tech. rep., Oct.
2010.
[29] Porst, S. How to really obfuscate your PDF malware. In
ReCon (Montreal, Canada, July 2010).
[30] Rad, B. B., Masrom, M., and Ibrahim, S. Camouflage in
Malware: from Encryption to Metamorphism. International
Journal of Computer Science and Network Security 12, 8
(Aug. 2012), 74–83.
[31] Sukwong, O., Kim, H., and Hoe, J. Commercial antivirus
software effectiveness: an empirical study. Computer (Mar.
2011), 63–70.
[32] Symantec Security Response. The Downadup Codex A
comprehensive guide to the threat’s mechanics. Tech. rep.,
2009.
[33] Ször, P., and Ferrie, P. Hunting for metamorphic. In
Virus Bulletin Conference (Prague, Czech, 2001).
[34] US-CERT. Malware Threats and Mitigation Strategies.
Tech. rep., May 2005.
[35] Wheeler, A., and Mehta, N. Owning Antivirus. In Black
Hat Europe Conference (Amsterdam, Netherlands, July
2005).
[36] Xu, J., Sung, A. H., Mukkamala, S., and Liu, Q.
Obfuscated Malicious Executable Scanner. Journal of
Research and Practice in Information Technology 39, 3
(2007), 181–198.
[37] Xue, F. Attacking Antivirus. In Black Hat Europe
Conference (Amsterdam, Netherlands, 2008).
[38] Zhou, Y., and Jiang, X. Dissecting android malware:
Characterization and evolution. In IEEE S&P (San
Francisco, CA, USA, 2012).