Shadow attacks: automatically evading system-call-behavior based malware detection

Contemporary malware makes extensive use of different techniques such as packing, code obfuscation, polymorphism, and metamorphism, to evade signature-based detection. Traditional signature-based detection technique is hard to catch up with latest malware or unknown malware. Behavior-based detection models are being investigated as a new methodology to defeat malware. This kind of approaches typically relies on system call sequences/graphs to model a malicious specification/pattern. In this paper, we present a new class of attacks, namely ??shadow attacks??, to evade current behavior-based malware detectors by partitioning one piece of malware into multiple ??shadow processes??. None of the shadow processes contains a recognizable malicious behavior specification known to single-process-based malware detectors, yet those shadow processes as an ensemble can still fulfill the original malicious functionality. To demonstrate the feasibility of this attack, we have developed a compiler-level prototype tool, AutoShadow, to automatically generate shadow-process version of malware given the source code of original malware. Our preliminary result has demonstrated the effectiveness of shadow attacks in evading several behavior-based malware analysis/detection solutions in real world. With the increasing adoption of multi-core computers and multi-process programs, malware writers may exploit more such shadow attacks in the future. We hope our preliminary study can foster more discussion and research to improve current generation of behavior-based malware detectors to address this great potential threat before it becomes a security problem of the epidemic proportions.     

Clustering versus SVM for malware detection

Previous work has shown that cluster analysis can be used to effectively classify malware into meaningful families. In this research, we apply cluster analysis to the challenging problem of classifying previously unknown malware. We perform several experiments involving malware clustering. We compare our clustering results to those obtained when a support vector machine (SVM) is trained on the malware family. Using clustering, we are able to classify malware with an accuracy comparable to that of an SVM. An advantage of the clustering approach is that a new malware family can be classified before a model has been trained specifically for the family.     

Reducing the window of opportunity for Android malware Gotta catch ’em all

Spotting malicious samples in the wild has always been difficult, and Android malware is no exception. Actually, the fact Android applications are (usually) not directly accessible from market places hardens the task even more. For instance, Google enforces its own communication protocol to browse and download applications from its market. Thus, an efficient market crawler must reverse and implement this protocol, issue appropriate search requests and take necessary steps so as not to be banned. From end-users?? side, having difficulties spotting malicious mobile applications results in most Android malware remaining unnoticed up to 3?months before a security researcher finally stumbles on it. To reduce this window of opportunity, this paper presents a heuristics engine that statically pre-processes and prioritizes samples. The engine uses 39 different flags of different nature such as Java API calls, presence of embedded executables, code size, URLs?? Each flag is assigned a different weight, based on statistics we computed from the techniques mobile malware authors most commonly use in their code. The engine outputs a risk score which highlights samples which are the most likely to be malicious. The engine has been tested over a set of clean applications and malicious ones. The results show a strong difference in the average risk score for both sets and in its distribution, proving its use to spot malware.     

Symbian worm Yxes: towards mobile botnets?

In 2009, a new Symbian malware named SymbOS/Yxes was detected and quickly hit the headlines as one of the first malware for Symbian OS 9 and above all as the foretaste of a mobile botnet. Yet, detailed analysis of the malware were still missing. This paper addresses this issue and details how the malware silently connects to the Internet, installs new malware or spreads to other victims. Each of these points are illustrated with commented assembly code taken from the malware or re-generated Symbian API calls. Besides those implementation aspects, the paper also provides a global overview of Yxes??s behaviour. It explains how malicious remote servers participate in the configuration and propagation of the malware, including Yxes??s similarities with a botnet. It also tries to shed light on some incomplete or misleading statements in prior press articles. Those statements are corrected, based on the reverse engineering evidence previously. Finally, the paper concludes on Yxes??s importance and the lack of security on mobile phones. It also indicates several aspects future work should focus on such as communication decryption, tools to analyze embedded malware or cybercriminals motivations.     

Deciphering malware’s use of TLS (without decryption)

The use of TLS by malware poses new challenges to network threat detection because traditional pattern-matching techniques can no longer be applied to its messages. However, TLS also introduces a complex set of observable data features that allow many inferences to be made about both the client and the server. We show that these features can be used to detect and understand malware communication, while at the same time preserving the privacy of the benign uses of encryption. These data features also allow for accurate malware family attribution of network communication, even when restricted to a single, encrypted flow. To demonstrate this, we performed a detailed study of how TLS is used by malware and enterprise applications. We provide a general analysis on millions of TLS encrypted flows, and a targeted study on 18 malware families composed of thousands of unique malware samples and tens-of-thousands of malicious TLS flows. Importantly, we identify and accommodate for the bias introduced by the use of a malware sandbox. We show that the performance of a malware classifier is correlated with a malware family’s use of TLS, i.e., malware families that actively evolve their use of cryptography are more difficult to classify. We conclude that malware’s usage of TLS is distinct in an enterprise setting, and that these differences can be effectively used in rules and machine learning classifiers.     

Detecting machine-morphed malware variants via engine attribution

One method malware authors use to defeat detection of their programs is to use morphing engines to rapidly generate a large number of variants. Inspired by previous works in author attribution of natural language text, we investigate a problem of attributing a malware to a morphing engine. Specifically, we present the malware engine attribution problem and formally define its three variations: MVRP, DENSITY and GEN, that reflect the challenges malware analysts face nowadays. We design and implement heuristics to address these problems and show their effectiveness on a set of well-known malware morphing engines and a real-world malware collection reaching detection accuracies of 96 % and higher. Our experiments confirm the applicability of the proposed approach in practice and indicate that engine attribution may offer a viable enhancement of current defenses against malware.     

What’s in a name. . . generator?

Domain generation algorithms can be used for registering spamming and phishing sites, as well as by botnets for domain flux. In this paper we study Kwyjibo, a more sophisticated domain/word generation algorithm that is able to produce over 48 million distinct pronounceable words. We show through four different implementations how Kwyjibo might be deployed and how its size can be reduced to under 163KiB using a technique we call ??lossy distribution compression??. This means that Kwyjibo is both powerful as well as small enough to be used by malware on mobile devices.     

深度可分离卷积在Android恶意软件分类的应用研究

传统机器学习在恶意软件分析上需要复杂的特征工程,不适用于大规模的恶意软件分析。为提高在Android恶意软件上的检测效率,将Android恶意软件字节码文件映射成灰阶图像,综合利用深度可分离卷积（depthwise separable convolution,DSC）和注意力机制提出基于全局注意力模块（GCBAM）的Android恶意软件分类模型。从APK文件中提取字节码文件,将字节码文件转换为对应的灰阶图像,通过构建基于GCBAM的分类模型对图像数据集进行训练,使其具有Android恶意软件分类能力。实验表明,该模型对Android恶意软件家族能有效分类,在获取的7 630个样本上,分类准确率达到98.91%,相比机器学习算法在准确率、召回率等均具有较优效果。     

Packer identification using Byte plot and Markov plot

Malware is one of the major concerns in computer security. The availability of easy to use malware toolkits and internet popularity has led to the increase in number of malware attacks. Currently signature based malware detection techniques are widely used. However, malware authors use packing techniques to create new variants of existing malwares which defeat signature based malware detection. So, it is very important to identify packed malware and unpack it before analysis. Dynamic unpacking runs the packed executable and provides an unpacked version based on the system. This technique requires dedicated hardware and is computationally expensive. As each individual packer uses its own unpacking algorithm it is important to have a prior knowledge about the packer used, in order to assist in reverse engineering. In this paper, we propose an efficient framework for packer identification problem using Byte plot and Markov plot. First packed malware is converted to Byte plot and Markov plot. Later Gabor and wavelet based features are extracted from Byte plot and Markov plot. We used SVMs (Support Vector Machine) in our analysis. We performed our experiments on nine different packers and we obtained about 95 % accuracy for nine of the packers. Our results show features extracted from Markov plot outperformed features extracted from Byte plot by about 3 %. We compare the performance of Markov plot with PEID (Signature based PE identification tool). Our results show Markov plot produced better accuracy when compared to PEID. We also performed multi class classification using Random Forest and achieved 81 % accuracy using Markov plot based features.     

Software transformations to improve malware detection

Malware is code designed for a malicious purpose, such as obtaining root privilege on a host. A malware detector identifies malware and thus prevents it from adversely affecting a host. In order to evade detection, malware writers use various obfuscation techniques to transform their malware. There is strong evidence that commercial malware detectors are susceptible to these evasion tactics. In this paper, we describe the design and implementation of a malware transformer that reverses the obfuscations performed by a malware writer. Our experimental evaluation demonstrates that this malware transformer can drastically improve the detection rates of commercial malware detectors.     

恶意代码分类的一种高维特征融合分析方法

恶意代码分类是一种基于特征进行恶意代码自动家族类别划分的分析方法。恶意代码的多维度特征融合与深度处理,是恶意代码分类研究的一种发展趋势,也是恶意代码分类研究的一个难点问题。本文提出了一种适用于恶意代码分类的高维特征融合方法,对恶意代码的静态二进制文件和反汇编特征等进行提取,借鉴SimHash的局部敏感性思想,对多维特征进行融合分析和处理,最后基于典型的机器学习方法对融合后的特征向量进行学习训练。实验结果和分析表明,该方法能够适应于样本特征维度高而样本数量较少的恶意代码分类场景,而且能够提升分类学习的时间性能。     

Structural entropy and metamorphic malware

Metamorphic malware is capable of changing its internal structure without altering its functionality. A common signature is nonexistent in highly metamorphic malware and, consequently, such malware can remain undetected under standard signature scanning. In this paper, we apply previous work on structural entropy to the metamorphic detection problem. This technique relies on an analysis of variations in the complexity of data within a file. The process consists of two stages, namely, file segmentation and sequence comparison. In the segmentation stage, we use entropy measurements and wavelet analysis to segment files. The second stage measures the similarity of file pairs by computing an edit distance between the sequences of segments obtained in the first stage. We apply this similarity measure to the metamorphic detection problem and show that we obtain strong results in certain challenging cases.     

DroidChain: A novel Android malware detection method based on behavior chains

The drastic increase of Android malware has led to strong interest in automating malware analysis. In this paper, to fight against malware variants and zero-day malware, we proposed DroidChain: a method combining static analysis and a behavior chain model. We transform the malware detection problem into more accessible matrix form. Using this method, we propose four kinds of malware models, including privacy leakage, SMS financial charges, malware installation, and privilege escalation. To reduce time complexity, we propose the WxShall-extend algorithm. We had moved the prototype to GitHub and evaluate using 1260 malware samples. Experimental malware detection results demonstrate accuracy, precision, and recall of 73%–93%, 71%–99%, and 42%–92%, respectively. Calculation time accounts for 6.58% of the well-known Warshall algorithm’s expense. Results demonstrate that our method, which can detect four kinds of malware simultaneously, is better than Androguard and Kirin.     

A boosting ensemble for the recognition of code sharing in malware

Research and development efforts have recently started to compare malware variants, as it is believed that malware authors are reusing code. A number of these projects have focused on identifying functions through the use of signature-based classifiers. We introduce three new classifiers that characterize a function’s use of global data. Experiments on malware show that we can meaningfully correlate functions on the basis of their global data references even when their functions share little code. We also present an algorithm that combines existing classifiers and our new ones into an ensemble for correlating functions in two binary programs. For testing, we developed a model for comparing our work to previous signature based classifiers. We then used that model to show how our new combined ensemble classifier dominates the previously reported classifiers. The resulting ensemble can be used by malware analysts when they are comparing two binaries. This technique will allow them to correlate both functions and global data references between the two and will lead to a quick identification of any sharing that is occurring.     

Anti-emulation trends in modern packers: a survey on the evolution of anti-emulation techniques in UPA packers

Writing modern day executable packers has turned into a rather profitable business. In many cases, the reason for packing is not protecting genuine applications against piracy or plagiarism, but rather avoiding reverse-engineering and detection of malicious samples. Unlike developers, which show moderate interest for using a packer and lack time and resources for creating one, malware creators show a huge interest and are willing to spend large amounts of money to use this technology (especially if it offers protection against security solutions). This happens mainly because protecting from piracy and plagiarism isn’t that profitable as spreading new and undetected malware on as many computers as possible. Consequently, creating a custom packer designed to avoid malware detection has grown into a very profitable business.However, developing a good packer is not an easy task to accomplish. Novel techniques of achieving anti-static analysis, anti-virtual machine, anti-sandbox, anti-emulation, anti-debugging, anti-patching, and so on, have to be discovered and added regularly. From the malware creator’s perspective, this must happen frequently enough so that the updates are issued shortly after malware researchers analyze and bypass the existing mechanisms because, once these techniques are bypassed, the detection rate increases in the case of the malware samples packed with the old version of the packer.In this paper, we present our findings which resulted from closely monitoring the fight between malware researchers and packer developers during a period of almost two years. We focus on three different packers used for prevalent malware families like Upatre, Gamarue, Hedsen. We named those packers UPA 1, UPA 2, and UPA 3 and we discuss the mechanisms used in them to achieve anti-emulation. Each technique is presented by listing the code and explaining the inner workings in details. In the end, we manage to get a grasp of the current trends in achieving anti-emulation when developing modern packers.     

Detection of metamorphic and virtualization-based malware using algebraic specification

We present an overview of the latest developments in the detection of metamorphic and virtualization-based malware using an algebraic specification of the Intel 64 assembly programming language. After giving an overview of related work, we describe the development of a specification of a subset of the Intel 64 instruction set in Maude, an advanced formal algebraic specification tool. We develop the technique of metamorphic malware detection based on equivalence-in-context so that it is applicable to imperative programming languages in general, and we give two detailed examples of how this might be used in a practical setting to detect metamorphic malware. We discuss the application of these techniques within anti-virus software, and give a proof-of-concept system for defeating detection counter-measures used by virtualization-based malware, which is based on our Maude specification of Intel 64. Finally, we compare formal and informal approaches to malware detection, and give some directions for future research.     

Classification of malware based on integrated static and dynamic features

Collection of dynamic information requires that malware be executed in a controlled environment; the malware unpacks itself as a preliminary to the execution process. On the other hand, while execution of malware is not needed in order to collect static information, the file must first be unpacked manually. None-the-less, if a file has been executed, it is possible to use both static and dynamic information in designing a single classification method.In this paper, we present the first classification method integrating static and dynamic features into a single test. Our approach improves on previous results based on individual features and reduces by half the time needed to test such features separately.Robustness to changes in malware development is tested by comparing results on two sets of malware, the first collected between 2003 and 2007, and the second collected between 2009 and 2010. When classifying the older set as compared to the entire data set, our integrated test demonstrates significantly more robustness than previous methods by losing just 2.7% in accuracy as opposed to a drop of 7%. We conclude that to achieve acceptable accuracy in classifying the latest malware, some older malware should be included in the set of data.     

A comparison of static,dynamic, and hybrid analysis for malware detection

In this research, we compare malware detection techniques based on static, dynamic, and hybrid analysis. Specifically, we train Hidden Markov Models (HMMs) on both static and dynamic feature sets and compare the resulting detection rates over a substantial number of malware families. We also consider hybrid cases, where dynamic analysis is used in the training phase, with static techniques used in the detection phase, and vice versa. In our experiments, a fully dynamic approach generally yields the best detection rates. We discuss the implications of this research for malware detection based on hybrid techniques.     

A Game Theoretical Method for Cost-Benefit Analysis of Malware Dissemination Prevention

ABSTRACT

Literature in malware proliferation focuses on modeling and analyzing its spread dynamics. Epidemiology models, which are inspired by the characteristics of biological disease spread in human populations, have been used against this threat to analyze the way malware spreads in a network. This work presents a modified version of the commonly used epidemiology models Susceptible Infected Recovered (SIR) and Susceptible Infected Susceptible (SIS), which incorporates the ability to capture the relationships between nodes within a network, along with their effect on malware dissemination process. Drawing upon a model that illustrates the network’s behavior based on the attacker’s and the defender’s choices, we use game theory to compute optimal strategies for the defender to minimize the effect of malware spread, at the same time minimizing the security cost. We consider three defense mechanisms: patch, removal, and patch and removal, which correspond to the defender’s strategy and use probabilistically with a certain rate. The attacker chooses the type of attack according to its effectiveness and cost. Through the interaction between the two opponents we infer the optimal strategy for both players, known as Nash Equilibrium, evaluating the related payoffs. Hence, our model provides a cost-benefit risk management framework for managing malware spread in computer networks.