Fully UnDetectable (FUD)
Detection of malware is typically done using virus definitions or signatures in a database. Security products, such as antiviruses, will scan files using a virus database to detect if the files are good or bad. They detect files as good if they don’t match an entry in the database and consider files bad if they do match an entry. It works almost like an advanced blacklist.
Malware authors understand how security products work and build malware that these products cannot detect. In the underground, there is a term for this, called Fully UnDetectable (FUD). FUD is malware that authors guarantee antivirus products will not detect.
Techniques
These adversaries use several different techniques to ensure their malicious programs are FUD. First, they use cryptors to encrypt their malware. This makes it hard for an antivirus to scan inside the file. Also, encrypting the file makes it unique, so that it does not exist in the virus database. Next, malware authors will scan their malware with antivirus programs using hidden services that work like VirusTotal. They create thousands of random unique copies of their malware saving only copies that can bypass security products. And finally, they use fileless techniques, zero-day exploits, and other methods to increase the chance of a successful attack.
The sheer number of virus attacks makes this problem worse. Some experts estimate that there are more than 1 million new unique malware files released each day, which breaks down to around 12 per second. With the increase in malware also comes an increase in virus definition size. Many antivirus vendors have long since removed signatures for older malware files. Some vendors have gone so far as removing all inactive signatures older than 6 months. Malware authors have reacted to this by rereleasing older viruses again, since they can no longer be detected.
The frequency of virus definition updates has also significantly increased. In the 80s it was typical to get updates once a month. By the 90s we saw that increase to once a week. Today most vendors release updates several times a day. Some products release updates as often as every 5 minutes.
Ransomware
However, even though updates are coming faster and faster, there is still a delay in how quickly vendors can find new viruses, classify them, and add them to their virus database. This can cause a delay of anywhere from 4 to 48 hours, making it possible for malware to infect a device before any antivirus can detect it. For normal viruses this delay might be acceptable, but for ransomware it is deadly because ransomware will start encrypting files as soon as it is installed. Even if antivirus can detect and remove the ransomware, it may be too late because the damage could have already been done.