Dubbed Anti Anti-Virus, the recent talk given at MalCon 2010 by Nima Bagheri, a Security Researcher and founder of U0vd Security, showed how alarmingly simple it is for a malware author to include steps to disable resident anti-virus software on the target PC.
Several techniques already exist for disabling Anti-Virus software by hooking System Service Dispatch Table (SSDT) calls and exploiting poorly implemented kernel hooks. However, Nima's research revealed other methods of disabling Anti-Virus software.
The first strategy demonstrated disables the Anti-Virus software by modifying the registry. The trick is startlingly simple: a registry entry attaches a non-existent ("NULL") debugger to the startup of the Anti-Virus service executable. Because Windows launches the named debugger in place of the image whenever that executable starts, and the debugger cannot be run, the service fails to start.
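The registry mechanism that attaches a debugger to a named executable at startup is the Image File Execution Options (IFEO) `Debugger` value; the page does not name the key, so treating it as the trick described here is an assumption. The following PowerShell audit script is an added example, not code from the talk or from U0vd Security: it enumerates every IFEO entry (both the native and the WOW6432Node hives) that carries a `Debugger` value and flags those whose debugger image cannot be resolved, which is exactly the state that stops the target process from starting. Function names and the output fields are my own.

```powershell
# Audit Image File Execution Options (IFEO) Debugger values.
# Assumption: the "NULL debugger" trick on this page is an IFEO Debugger value
# pointing at a binary that does not exist; the page itself does not name the key.

$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-DebuggerImagePath {
    # The Debugger value is a command line; return its first token (the debugger image).
    param([Parameter(Mandatory)][string]$CommandLine)
    $trimmed = $CommandLine.Trim()
    if ($trimmed.StartsWith('"')) {
        # Quoted path: take everything up to the closing quote.
        return ($trimmed -replace '^"([^"]+)".*$', '$1')
    }
    return ($trimmed -split '\s+')[0]
}

function Get-IfeoDebuggerEntries {
    # One object per IFEO subkey that defines a Debugger value.
    [CmdletBinding()]
    param([string[]]$Path = $IfeoPaths)

    foreach ($root in $Path) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrWhiteSpace($debugger)) { return }

            $exe = Get-DebuggerImagePath -CommandLine $debugger
            # Resolvable if it is an absolute path that exists, or a bare name found on PATH.
            $resolvable = (Test-Path -LiteralPath $exe -PathType Leaf) -or
                          [bool](Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue)

            [pscustomobject]@{
                Image      = $_.PSChildName   # executable name the entry applies to
                Debugger   = $debugger        # raw Debugger command line
                Resolvable = $resolvable      # $false means the image will never start
                Key        = $_.Name
            }
        }
    }
}

function Find-BrokenIfeoDebuggers {
    # Entries whose debugger cannot be launched: every process matching Image
    # fails at startup, which is the effect the page describes against AV services.
    [CmdletBinding()]
    param([string[]]$Path = $IfeoPaths)
    Get-IfeoDebuggerEntries -Path $Path | Where-Object { -not $_.Resolvable }
}

# Usage: list all entries, then show only the ones that block process start.
Get-IfeoDebuggerEntries | Format-Table Image, Debugger, Resolvable -AutoSize
Find-BrokenIfeoDebuggers | Format-Table Image, Debugger, Key -AutoSize
```

A resolvable entry is not automatically benign (developer tooling legitimately registers itself here, but so can an attacker who points the value at their own binary), so review every hit rather than only the broken ones. Two caveats a practitioner should keep in mind: the IFEO key lives under HKLM, so writing it needs administrative rights, meaning the malware must already be running elevated; and because the value is consulted by the process loader, it affects the named executable however it is started, including by the Service Control Manager, which is why the service never comes up.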