June 19, 2021

Anti Anti-Virus: MalCon Speaker Demonstrates How Malware Can Disable Anti-Virus Software

Dubbed Anti Anti-Virus, the recent talk given at MalCon 2010 by Nima Bagheri, a Security Researcher and founder of U0vd Security, showed how alarmingly simple it is for a malware author to include steps to disable resident anti-virus software on the target PC.

Several techniques already exist for disabling Anti-Virus software by hooking System Service Dispatch Table (SSDT) calls and exploiting poorly implemented kernel hooks. However, Nima's research has revealed other methods of disabling Anti-Virus software.

The first strategy demonstrated disabled the Anti-Virus software by modifying the registry. The trick is startlingly simple: a registry modification attaches a NULL debugger to the startup of the Anti-Virus service. Since such a debugger can't be run, the service fails to start.
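The registry trick described above is the Image File Execution Options (IFEO) "Debugger" mechanism, and a defender can audit it by checking every Debugger value for one that cannot actually launch. The Python below is an added example, not code from the talk or from U0vd Security; it runs over a constructed .reg export in which the avservice.exe and avupdater.exe image names are made up.

```python
import ntpath
import re
from pathlib import Path

# HKLM key whose per-image subkeys may carry a "Debugger" value; Windows then
# launches that debugger in place of the named program every time it starts.
IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")
# Constructed .reg export used as sample input (the av*.exe names are made up).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\" -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avservice.exe]
"Debugger"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avupdater.exe]
"Debugger"="nothing.exe"
"""
def parse_ifeo_debuggers(reg_text):
    """Return {image_name: debugger_value} for each IFEO subkey carrying Debugger."""
    found, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:  # new key: keep the image name only if it sits under IFEO
            path = key.group(1)
            current = path[len(IFEO_KEY) + 1:] if path.lower().startswith(IFEO_KEY.lower() + "\\") else None
            continue
        value = re.fullmatch(r'"Debugger"="(.*)"', line)
        if current and value:  # .reg escapes \ and " in string data; undo that
            found[current] = value.group(1).replace('\\"', '"').replace("\\\\", "\\")
    return found

def debugger_executable(debugger_value):  # quoted path, else the first token
    v = debugger_value.strip()
    if v.startswith('"') and v.find('"', 1) > 0:
        return v[1:v.find('"', 1)]
    return v.split(None, 1)[0] if v else ""

def suspicious_entries(debuggers, exists=lambda p: Path(p).is_file()):
    """Flag entries whose debugger cannot launch (empty, relative, or not on disk)."""
    # Such an entry stops the named program from starting, the effect the talk
    # describes; `exists` is injectable for auditing exports from other hosts.
    bad = {}
    for image, dbg in debuggers.items():
        exe = debugger_executable(dbg)
        if not exe or not ntpath.isabs(exe) or not exists(exe):
            bad[image] = dbg
    return bad
```

On a live host, export the IFEO key with reg.exe and feed the file to `parse_ifeo_debuggers`; any flagged image whose vendor did not ship a debugger entry deserves investigation.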