5 devious ways malware can sneak past your PC’s antivirus

Hardly a week goes by without a company, an organization, or a hospital falling victim to a ransomware attack. Their computer systems have been attacked by an extortion virus that encrypts all files and only releases them again upon payment of a high ransom. Yet the computers of almost all victims are protected by an antivirus program. How can this be?

Further reading: Best antivirus software 2024: Keep your PC safe from malware, spyware, and more

1. Sheer quantity of attacks

Back in 2023, we asked anti-virus expert Andreas Marx of AV-Test how so many infections escape antivirus software, even though it actually protects well. His answer: “Many programs successfully fend off around 99.9 percent of attacks, but that also means that one in 1,000 attacks is successful. And with over 100 million new malware programs a year and several billion Windows PCs, there is thus always a residual risk.”

In other words, the masses do it. Criminals spread viruses by the millions, so in the end there are still many who can slip through the security gaps of a computer system. Peter Stelzhammer, security specialist and co-founder of AV-Comparatives, also sees the mass of distributed viruses as a reason for the success of malware. But he also mentions other reasons and gives tips for good protection. You can find the interview with Peter Stelzhammer at the end of the article.

The detection rate of PC malware by antivirus programs in the AV-Comparatives test is between 98.9 and 100 percent. These are very good values. But they also mean that some pests are still overlooked.

IDG

Most malware is spread by e-mail. Either the malicious code comes directly as an attachment or a link in the e-mail leads to a virus. To a much lesser extent, malicious code also comes via messenger or SMS. In these cases, a link is almost always sent that refers to the malicious code or an infected website.

Basic protection is provided by an installed antivirus program. Your PC also must not have any security vulnerabilities open. You can ensure this by always installing all program and Windows updates. These patches close newly discovered gaps in the system. In addition to these technical requirements, you must become a security guard yourself. Always be extremely suspicious of e-mail attachments and links you don’t recognize.

If in doubt, refrain from opening the attachment. If this isn’t an option, open the attachment only in a secure environment, e.g. in a sandbox under Any.run.

2. Targeted attacks on security flaws

Security researchers repeatedly find security flaws in the standard configuration of programs. Not often, but often enough, these are also vulnerabilities that can initially be exploited without typical PC viruses. This is the case, for example, when remote access to a company’s PCs is only protected with a standard password or simple passwords. This is virtually an invitation for hackers to take possession of these systems.

Once they are logged onto a system, they can cause further damage by, for example, disabling the installed antivirus program and sneaking their malicious code into the system.

Detecting vulnerable systems is easier than one might think. After all, scanners can be used to search large parts of the internet for vulnerable systems. In the simplest case, the attackers use search engines for security vulnerabilities such as Shodan.

Use very complex and unique passwords for all services where someone can log on to your computer. It’s best to activate two-factor authentication. Typical home networks are affected in two places here. The first place is the router (if remote access is enabled for it) and the second is the computer itself (if a remote desktop service like Windows’ is used there).

Here, Microsoft Defender has blocked a rather harmless file and placed it in quarantine. On a private PC, this software should provide sufficient protection. For companies there are other programs.

IDG

3. Credential Stuffing: Stolen log-in data

With this method, the attackers do not have to wait for someone to find a security hole in a software or standard configuration (see above). Instead, the attackers obtain the credentials of hundreds of thousands or millions of users from underground forums and attempt to log in with those credentials. These attacks are called credential stuffing and primarily target online services such as the mailbox or a shopping website, but can also be applied to remote desktops.

With tools like Sentry MBA, credential stuffing works automatically. They test username and password combinations on a variety of websites simultaneously. For some online shops, a large part of the login traffic already comes from such tools.

All users who use the same password for several accounts are at risk. On the other hand, those who create a separate password for each service have little to fear.

4. Targeted attacks via social engineering

These attacks mainly affect employees of companies, but also at home on a private PC. This is shown by the attack on the private laptop of a LastPass developer. After hackers gained access to this laptop, they were able to penetrate the LastPass company network and steal a considerable amount of customer data.

One possible form of attack is spear phishing. In this hacking method, the attackers find out very detailed information about the victim before the attack. For example, the hackers find out which employees are responsible for accounting or work in the human resources department. These people then receive an e-mail with an invoice or an application attached. Of course, the employee will open the attachment because the e-mail is addressed to them personally, speaks directly to them, and thematically falls one hundred percent within their area of work. The attachment usually contains a PDF file with malicious code that exploits a new vulnerability in the company’s PDF viewer.

Good protection against spear phishing is particularly difficult because the attack is tailored to the victim. Good technical measures, such as only allowing e-mail attachments to be opened in a protected environment (sandbox, virtual PC), will likely help.

5. Attacks with new tricks like SMS and video

A virus can usually bypass an antivirus program when it is still very new. The protection program does not yet recognize the virus. The attacker can make sure that the virus is new because new viruses can be bought in underground forums. However, the attacker must then get their new product onto as many PCs as possible as quickly as possible. This can be done via mass e-mails (see point one) or via new tricks. These include, for example, messages sent by SMS containing a link to the new malware.

The State Criminal Police Office of Lower Saxony, for example, warns against such phishing SMS messages. The criminals often pretend to be DHL support. With fake parcel SMS messages, they try to get their victims to divulge private data. These are later used by the fraudsters for identity theft. But, of course, this scam can also be used to spread malicious code.

The very latest is the use of videos created with the help of artificial intelligence. The videos show how expensive software like Adobe for example can be used for free with a crack. This link, which leads to the crack, contains malware. Alleged cracks for expensive software have been used for decades to infect other people’s PCs. What’s new is the elaborate packaging in the form of an explanatory video.

What protects against spam by SMS also helps against spam by e-mail. Be very suspicious of links in a message. This mistrust should also be extended to other approaches such as elaborately made videos or extensive messages.

Interview with a security expert

We talked about this topic with Peter Stelzhammer, security specialist and co-founder of AV-Comparatives (www.av-comparatives.org). Check out our interview below.

PCWorld: How can it be that antivirus programs detect 99 to 100 percent of all PC malware and yet so many computers are infected?

Stelzhammer: The problem is that antivirus programs are still partly reactive. The cyber criminals, on the other hand, usually take a proactive approach. This means that the criminals look for and find gaps in the antivirus programs and exploit them. The manufacturers of the antivirus tools can only react afterwards, i.e. be reactive and close the gaps within hours or days. This can also be seen in our tests of antivirus software. Many tools protect a good 99 percent against all current viruses. So, a few viruses still get through. And with the mass of viruses, that explains some of the infected systems. By the way, the programs with one hundred percent detection in our test do not manage this in every test either.

PCWorld: So is virus protection pointless?

Stelzhammer: No. It’s already the case that I’m well protected against pests with a computer with a good anti-virus program and all updates. Especially as a private person. But it is important that the antivirus program and all other installed programs and, of course, Windows are up to date. And to be well protected in case of an infection, you also need a backup. This should not remain connected to the PC. Because then it could also be encrypted by ransomware.

PCWorld: Do attacks focus more on companies or private PCs?

Stelzhammer: Companies. That is more lucrative. Infected private PCs are collateral damage.

PCWorld: What’s the most frequent type of attack?

Stelzhammer: Phishing by e-mail or other messages and fake websites are the biggest entry vector. The criminals use sophisticated tricks. One example is the domain www.poIizei.com. The letter L in the address is actually a capital I. In this way, criminals can forge almost all web addresses in which the letter L appears.

AI tools are designed not to produce harmful content. This hacker forum shows how the AI Chat-GPT can nevertheless be misused for criminal purposes.

IDG

PCWorld: Aren’t phishing attacks easy to recognize with a little practice?

Stelzhammer: If you know your way around, you don’t have to fall for phishing. But there are many well-made forgeries today for e-mail and websites. The quality of the fakes will increase with new AI tools because with Chat-GPT and other programs, criminals will be able to generate large amounts of individual phishing e-mails. When a victim replies to it, the AI will send a plausible answer. This makes it even easier to foist a PC malware on victims or to elicit data from them.

PCWorld: How do criminals smuggle so many extortion viruses into companies?

Stelzhammer: There are two ways. One is mass attacks in which ransomware is sent to millions of e-mail addresses. Some careless employee will click on the link to the ransomware in the e-mail. And if the ransomware belongs to the one percent of malware that virus protection misses, the PC is infected.

On the other hand, there are also targeted social engineering attacks against a company with well-forged e-mails. Mostly, these are e-mails to the personnel department with a PDF attachment. The employees expect e-mails with PDF attachments and will click on the attachment.

PCWorld: Protection software usually comes in three equipment classes: Antivirus, Internet Security, and Total Security. Which variant do you recommend?

Stelzhammer: You should choose the version that contains all important protection mechanisms. Today there are good antivirus products that not only protect against harmful files, but also offer good behavior-based detection and have a built-in web filter against phishing sites. If a product has these features, it is sufficient. Better equipped products offer more comfort, but not necessarily more protection. You pay for the comfort.

PCWorld: Microsoft Defender usually scores worse in your comparison tests. Can you recommend the free on-board product?

Stelzhammer: Defender is sufficient for private use. But there are other free antivirus programs that offer more. I recommend taking a look at our comparison tests, which we provide on our website (www.av-comparatives.org).

Hardly a week goes by without a company, an organization, or a hospital falling victim to a ransomware attack. Their computer systems have been attacked by an extortion virus that encrypts all files and only releases them again upon payment of a high ransom. Yet the computers of almost all victims are protected by an antivirus program. How can this be?

Further reading: Best antivirus software 2024: Keep your PC safe from malware, spyware, and more

1. Sheer quantity of attacks

Back in 2023, we asked anti-virus expert Andreas Marx of AV-Test how so many infections escape antivirus software, even though it actually protects well. His answer: “Many programs successfully fend off around 99.9 percent of attacks, but that also means that one in 1,000 attacks is successful. And with over 100 million new malware programs a year and several billion Windows PCs, there is thus always a residual risk.”

In other words, the masses do it. Criminals spread viruses by the millions, so in the end there are still many who can slip through the security gaps of a computer system. Peter Stelzhammer, security specialist and co-founder of AV-Comparatives, also sees the mass of distributed viruses as a reason for the success of malware. But he also mentions other reasons and gives tips for good protection. You can find the interview with Peter Stelzhammer at the end of the article.

The detection rate of PC malware by antivirus programs in the AV-Comparatives test is between 98.9 and 100 percent. These are very good values. But they also mean that some pests are still overlooked.

The detection rate of PC malware by antivirus programs in the AV-Comparatives test is between 98.9 and 100 percent. These are very good values. But they also mean that some pests are still overlooked. IDG

The detection rate of PC malware by antivirus programs in the AV-Comparatives test is between 98.9 and 100 percent. These are very good values. But they also mean that some pests are still overlooked. IDG

IDG

Most malware is spread by e-mail. Either the malicious code comes directly as an attachment or a link in the e-mail leads to a virus. To a much lesser extent, malicious code also comes via messenger or SMS. In these cases, a link is almost always sent that refers to the malicious code or an infected website.

Basic protection is provided by an installed antivirus program. Your PC also must not have any security vulnerabilities open. You can ensure this by always installing all program and Windows updates. These patches close newly discovered gaps in the system. In addition to these technical requirements, you must become a security guard yourself. Always be extremely suspicious of e-mail attachments and links you don’t recognize.

If in doubt, refrain from opening the attachment. If this isn’t an option, open the attachment only in a secure environment, e.g. in a sandbox under Any.run.

2. Targeted attacks on security flaws

Security researchers repeatedly find security flaws in the standard configuration of programs. Not often, but often enough, these are also vulnerabilities that can initially be exploited without typical PC viruses. This is the case, for example, when remote access to a company’s PCs is only protected with a standard password or simple passwords. This is virtually an invitation for hackers to take possession of these systems.

Once they are logged onto a system, they can cause further damage by, for example, disabling the installed antivirus program and sneaking their malicious code into the system.

Detecting vulnerable systems is easier than one might think. After all, scanners can be used to search large parts of the internet for vulnerable systems. In the simplest case, the attackers use search engines for security vulnerabilities such as Shodan.

Use very complex and unique passwords for all services where someone can log on to your computer. It’s best to activate two-factor authentication. Typical home networks are affected in two places here. The first place is the router (if remote access is enabled for it) and the second is the computer itself (if a remote desktop service like Windows’ is used there).

Here, Microsoft Defender has blocked a rather harmless file and placed it in quarantine. On a private PC, this software should provide sufficient protection. For companies there are other programs.

Here, Microsoft Defender has blocked a rather harmless file and placed it in quarantine. On a private PC, this software should provide sufficient protection. For companies there are other programs. IDG

Here, Microsoft Defender has blocked a rather harmless file and placed it in quarantine. On a private PC, this software should provide sufficient protection. For companies there are other programs. IDG

IDG

3. Credential Stuffing: Stolen log-in data

With this method, the attackers do not have to wait for someone to find a security hole in a software or standard configuration (see above). Instead, the attackers obtain the credentials of hundreds of thousands or millions of users from underground forums and attempt to log in with those credentials. These attacks are called credential stuffing and primarily target online services such as the mailbox or a shopping website, but can also be applied to remote desktops.

With tools like Sentry MBA, credential stuffing works automatically. They test username and password combinations on a variety of websites simultaneously. For some online shops, a large part of the login traffic already comes from such tools.

All users who use the same password for several accounts are at risk. On the other hand, those who create a separate password for each service have little to fear.

4. Targeted attacks via social engineering

These attacks mainly affect employees of companies, but also at home on a private PC. This is shown by the attack on the private laptop of a LastPass developer. After hackers gained access to this laptop, they were able to penetrate the LastPass company network and steal a considerable amount of customer data.

One possible form of attack is spear phishing. In this hacking method, the attackers find out very detailed information about the victim before the attack. For example, the hackers find out which employees are responsible for accounting or work in the human resources department. These people then receive an e-mail with an invoice or an application attached. Of course, the employee will open the attachment because the e-mail is addressed to them personally, speaks directly to them, and thematically falls one hundred percent within their area of work. The attachment usually contains a PDF file with malicious code that exploits a new vulnerability in the company’s PDF viewer.

Good protection against spear phishing is particularly difficult because the attack is tailored to the victim. Good technical measures, such as only allowing e-mail attachments to be opened in a protected environment (sandbox, virtual PC), will likely help.

5. Attacks with new tricks like SMS and video

A virus can usually bypass an antivirus program when it is still very new. The protection program does not yet recognize the virus. The attacker can make sure that the virus is new because new viruses can be bought in underground forums. However, the attacker must then get their new product onto as many PCs as possible as quickly as possible. This can be done via mass e-mails (see point one) or via new tricks. These include, for example, messages sent by SMS containing a link to the new malware.

The State Criminal Police Office of Lower Saxony, for example, warns against such phishing SMS messages. The criminals often pretend to be DHL support. With fake parcel SMS messages, they try to get their victims to divulge private data. These are later used by the fraudsters for identity theft. But, of course, this scam can also be used to spread malicious code.

The very latest is the use of videos created with the help of artificial intelligence. The videos show how expensive software like Adobe for example can be used for free with a crack. This link, which leads to the crack, contains malware. Alleged cracks for expensive software have been used for decades to infect other people’s PCs. What’s new is the elaborate packaging in the form of an explanatory video.

What protects against spam by SMS also helps against spam by e-mail. Be very suspicious of links in a message. This mistrust should also be extended to other approaches such as elaborately made videos or extensive messages.

Interview with a security expert

We talked about this topic with Peter Stelzhammer, security specialist and co-founder of AV-Comparatives (www.av-comparatives.org). Check out our interview below.

PCWorld: How can it be that antivirus programs detect 99 to 100 percent of all PC malware and yet so many computers are infected?

Stelzhammer: The problem is that antivirus programs are still partly reactive. The cyber criminals, on the other hand, usually take a proactive approach. This means that the criminals look for and find gaps in the antivirus programs and exploit them. The manufacturers of the antivirus tools can only react afterwards, i.e. be reactive and close the gaps within hours or days. This can also be seen in our tests of antivirus software. Many tools protect a good 99 percent against all current viruses. So, a few viruses still get through. And with the mass of viruses, that explains some of the infected systems. By the way, the programs with one hundred percent detection in our test do not manage this in every test either.

PCWorld: So is virus protection pointless?

Stelzhammer: No. It’s already the case that I’m well protected against pests with a computer with a good anti-virus program and all updates. Especially as a private person. But it is important that the antivirus program and all other installed programs and, of course, Windows are up to date. And to be well protected in case of an infection, you also need a backup. This should not remain connected to the PC. Because then it could also be encrypted by ransomware.

PCWorld: Do attacks focus more on companies or private PCs?

Stelzhammer: Companies. That is more lucrative. Infected private PCs are collateral damage.

PCWorld: What’s the most frequent type of attack?

Stelzhammer: Phishing by e-mail or other messages and fake websites are the biggest entry vector. The criminals use sophisticated tricks. One example is the domain www.poIizei.com. The letter L in the address is actually a capital I. In this way, criminals can forge almost all web addresses in which the letter L appears.

AI tools are designed not to produce harmful content. This hacker forum shows how the AI Chat-GPT can nevertheless be misused for criminal purposes.

AI tools are designed not to produce harmful content. This hacker forum shows how the AI Chat-GPT can nevertheless be misused for criminal purposes.
IDG

AI tools are designed not to produce harmful content. This hacker forum shows how the AI Chat-GPT can nevertheless be misused for criminal purposes.
IDG

IDG

PCWorld: Aren’t phishing attacks easy to recognize with a little practice?

Stelzhammer: If you know your way around, you don’t have to fall for phishing. But there are many well-made forgeries today for e-mail and websites. The quality of the fakes will increase with new AI tools because with Chat-GPT and other programs, criminals will be able to generate large amounts of individual phishing e-mails. When a victim replies to it, the AI will send a plausible answer. This makes it even easier to foist a PC malware on victims or to elicit data from them.

PCWorld: How do criminals smuggle so many extortion viruses into companies?

Stelzhammer: There are two ways. One is mass attacks in which ransomware is sent to millions of e-mail addresses. Some careless employee will click on the link to the ransomware in the e-mail. And if the ransomware belongs to the one percent of malware that virus protection misses, the PC is infected.

On the other hand, there are also targeted social engineering attacks against a company with well-forged e-mails. Mostly, these are e-mails to the personnel department with a PDF attachment. The employees expect e-mails with PDF attachments and will click on the attachment.

PCWorld: Protection software usually comes in three equipment classes: Antivirus, Internet Security, and Total Security. Which variant do you recommend?

Stelzhammer: You should choose the version that contains all important protection mechanisms. Today there are good antivirus products that not only protect against harmful files, but also offer good behavior-based detection and have a built-in web filter against phishing sites. If a product has these features, it is sufficient. Better equipped products offer more comfort, but not necessarily more protection. You pay for the comfort.

PCWorld: Microsoft Defender usually scores worse in your comparison tests. Can you recommend the free on-board product?

Stelzhammer: Defender is sufficient for private use. But there are other free antivirus programs that offer more. I recommend taking a look at our comparison tests, which we provide on our website (www.av-comparatives.org). Read More