
NotPetya malware: How does it detect security products?

Bitdefender discovered that the NotPetya malware changes its behavior when Kaspersky security products are detected. Nick Lewis explains how the malware's tricks work.

The recent strain of the NotPetya malware was observed changing its behavior when it detected Kaspersky security products on a system. In what way does the NotPetya malware adapt its behavior, and what may have caused this change?

One common technique among malware authors is to change the malware's functionality when it is being observed by a security tool or analyzed. This makes the malware harder to analyze and defend against, which can make attacks more successful.

Some malware won't run at all when it detects a sandbox or antimalware tool. Other malware waits a predefined amount of time, or takes other steps, to avoid antimalware tools that detonate a sample and then monitor every system call or network connection. Malware may even decline to infect systems with a certain language setting or a particular local IP address in order to limit its spread.

Security companies have limited resources and must decide how best to allocate them to protect their customers. Attacks that affect many of their customers still need to catch their attention, and analysis of such attacks is prioritized, even when that analysis requires significantly more manual effort.

Bitdefender Labs researchers published a report on the NotPetya malware, also known as GoldenEye, which the company said was a targeted attack against Ukrainian critical infrastructure disguised as a ransomware campaign. Bitdefender's report explained how NotPetya was adapted to make analysis more difficult: it checks for Kaspersky security products on a system and changes how it operates when it finds them.

The malware checks for the presence of avp.exe by hashing the names of the running processes to identify the tool in memory. When the updated NotPetya malware detects Kaspersky security products on a system, instead of replacing the master boot record (MBR) and boot manager with NotPetya's own code, it runs in a data destruction mode in which it overwrites parts of the MBR with malicious data so the system no longer boots. While it is possible to recover the MBR and boot records and thereby restore the system, doing so requires technical skills that most ordinary users don't have.
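When a sample compares hashes of process names rather than the names themselves, an analyst who recovers the hash constants from the disassembly still has to work out which product each constant refers to. The following is an added example, not code from the article or from Bitdefender's report, showing that resolution step: the `ror13_hash` function is an illustrative rotate-and-add string hash chosen for the example (NotPetya's actual algorithm is not given on the page), and the process names and "recovered" constants are constructed inline.

```python
from typing import Dict, Iterable, List, Optional

def ror13_hash(name: str) -> int:
    """Illustrative 32-bit string hash: rotate right by 13, then add each byte.
    The name is lowercased first because Windows process names are
    case-insensitive. This is an assumption for the example, not the
    algorithm NotPetya actually uses."""
    h = 0
    for byte in name.lower().encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + byte) & 0xFFFFFFFF
    return h

def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name for a dictionary of candidate process names."""
    return {ror13_hash(n): n for n in names}

def resolve_hashes(constants: Iterable[int],
                   names: Iterable[str]) -> Dict[int, Optional[str]]:
    """Map each constant pulled from a sample to the candidate process name
    that hashes to it, or None when no candidate matches (the dictionary
    needs to grow)."""
    table = build_hash_table(names)
    return {c: table.get(c) for c in constants}

# Constructed candidate dictionary: security product processes an analyst
# expects a sample to look for, plus ordinary processes as controls.
CANDIDATE_PROCESSES: List[str] = [
    "avp.exe",        # Kaspersky, the process named in the article
    "explorer.exe",
    "svchost.exe",
    "notepad.exe",
]

# Constructed stand-in for constants recovered from a disassembly; in real
# triage these are literals found next to the process-enumeration loop.
RECOVERED_CONSTANTS: List[int] = [ror13_hash("avp.exe"), 0xDEADBEEF]

if __name__ == "__main__":
    for const, name in resolve_hashes(RECOVERED_CONSTANTS,
                                      CANDIDATE_PROCESSES).items():
        print(f"0x{const:08x} -> {name or 'unresolved'}")
```

Extending `CANDIDATE_PROCESSES` with the process names of other security products turns this into a reusable lookup for any sample that uses the same hash.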

Bitdefender researchers told SearchSecurity that while NotPetya scans for Symantec antivirus products as well, the malware doesn't change its behavior based on those products being present in an infected system.


This was last published in February 2018

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Do you think that Kaspersky security products should be updated to block NotPetya, or do you think the malware will always be able to detect the product?