NotPetya malware: How does it detect security products?

Bitdefender discovered that the NotPetya malware changes its behavior when Kaspersky security products are detected. Nick Lewis explains how the malware's tricks work.

The recent strain of the NotPetya malware was observed changing its behavior when it detected Kaspersky security products on a system. In what way does the NotPetya malware adapt its behavior, and what may have caused this change?

A common tactic of malware authors is to change what their malware does when it is being observed by a security tool or an analyst. Doing so makes the malware harder to analyze and to protect against, which can make the attack more successful.

Some malware simply won't run when it detects a sandbox or an antimalware tool. Other malware waits a predefined amount of time, or takes other steps, to defeat analysis tools that detonate a sample and then monitor every system call or network connection it makes. Malware may even decline to infect a system that has a certain language setting or a source IP address in a certain range, in order to limit where the infection spreads.

Security companies have finite resources and must decide how best to allocate them to protect their customers. Even when a sample takes significantly more manual effort to analyze, vendors still want such attacks to catch their attention, and they prioritize analysis of the attacks that affect the most customers. Malware that behaves differently under a particular vendor's products works against that prioritization.

Bitdefender Labs researchers published a report on the NotPetya malware, also known as GoldenEye, which the company said was a targeted attack against Ukrainian critical infrastructure disguised as a ransomware campaign. Bitdefender's report explained how NotPetya makes itself harder to analyze: it checks for Kaspersky security products on a system and changes how it operates when it finds them.

The malware checks for the presence of avp.exe, the Kaspersky process, by hashing the names of the running processes and comparing the results against hard-coded values, a common way to identify a tool in memory without putting its name in plaintext in the binary. When the updated NotPetya detects Kaspersky security products on a system, instead of replacing the Master Boot Record (MBR) and boot manager with its own code, it runs in a data destruction mode that overwrites parts of the MBR with junk data so the system no longer boots. It is possible to repair the MBR and boot records and recover the system, but that requires technical skills most ordinary users don't have.
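The following added example (not NotPetya's code and not from Bitdefender's report) shows the mechanics of a hashed process-name check as described above, and the inverse step an analyst takes to recover the names behind the hard-coded constants. The hash routine (FNV-1a) and the resulting constants are stand-ins; the real sample uses its own routine and its own values. The article names avp.exe only; using ccSvcHst.exe and NS.exe as the Symantec-side process names is an assumption.

```python
# Added example: hashed process-name detection of a security product and the
# analyst-side recovery of the names. Not NotPetya's code; hash algorithm and
# constants are stand-ins (assumption), as are the Symantec process names.
from typing import Dict, Iterable, Set

MASK32 = 0xFFFFFFFF


def name_hash(name: str) -> int:
    """32-bit FNV-1a over the lower-cased process name.

    Lower-casing first means 'AVP.EXE' and 'avp.exe' hash to the same value,
    which a real check on Windows also has to get right. FNV-1a is a stand-in
    (assumption); a real sample ships its own routine.
    """
    h = 0x811C9DC5
    for byte in name.lower().encode("ascii", "ignore"):
        h = ((h ^ byte) * 0x01000193) & MASK32
    return h


def build_marker_table(labelled: Dict[str, str]) -> Dict[int, str]:
    """Build what the author would actually ship: only the integers.

    `labelled` maps process name -> product label (constructed input); the
    plaintext names are dropped once the table is built.
    """
    return {name_hash(proc): label for proc, label in labelled.items()}


# Constructed marker table from the two products the article mentions.
# avp.exe is named by the article; the two Symantec names are an assumption.
MARKERS = build_marker_table({
    "avp.exe": "kaspersky",
    "ccSvcHst.exe": "symantec",
    "NS.exe": "symantec",
})


def detect_products(running: Iterable[str],
                    markers: Dict[int, str] = MARKERS) -> Set[str]:
    """Hash every running process name and collect the product labels hit.

    The code doing the comparison never holds the product names, so a
    string scan of the binary does not reveal which products it looks for.
    """
    return {markers[h] for h in map(name_hash, running) if h in markers}


def choose_mode(detected: Set[str]) -> str:
    """Mirror the behaviour the article describes: a Kaspersky hit switches
    the sample from installing its own boot code to wiping the boot sectors;
    a Symantec hit changes nothing."""
    if "kaspersky" in detected:
        return "overwrite_boot_sectors"
    return "install_mbr_payload"


def recover_names(unknown_hashes: Iterable[int],
                  wordlist: Iterable[str]) -> Dict[int, str]:
    """Analyst side: hash a wordlist of well-known security-product process
    names with the sample's own routine and look for collisions with the
    constants pulled from the disassembly. Only hashes that hit an entry
    in the wordlist are returned; the rest stay unknown."""
    lookup = {name_hash(w): w for w in wordlist}
    return {h: lookup[h] for h in unknown_hashes if h in lookup}


if __name__ == "__main__":
    # Constructed process list for a host running Kaspersky.
    host = ["System", "svchost.exe", "AVP.EXE", "explorer.exe"]
    hits = detect_products(host)
    print("detected:", hits, "->", choose_mode(hits))

    # Analyst view: constants as they would be pulled from the sample, plus a
    # constructed wordlist of candidate security-product process names.
    constants = list(MARKERS)
    wordlist = ["avp.exe", "ccsvchst.exe", "ns.exe", "msmpeng.exe", "bdagent.exe"]
    for h, proc in recover_names(constants, wordlist).items():
        print(f"0x{h:08X} -> {proc}")
```

In practice the analyst first reimplements the sample's own hash routine from the disassembly, then runs exactly this wordlist matching; a list of a few hundred well-known AV, EDR and sandbox process names resolves most such constants in seconds, and any constant left unresolved is itself a lead worth following.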

Bitdefender researchers told SearchSecurity that while NotPetya scans for Symantec antivirus products as well, the malware does not change its behavior based on those products being present on an infected system.
