DOI: 10.1145/3052973.3053002

Automatically Inferring Malware Signatures for Anti-Virus Assisted Attacks

Published: 02 April 2017

Abstract

Although anti-virus software has evolved significantly over the last decade, classic signature matching based on byte patterns is still a prevalent concept for identifying security threats. Anti-virus signatures are a simple and fast detection mechanism that can complement more sophisticated analysis strategies. However, if signatures are not designed with care, they can turn from a defensive mechanism into an instrument of attack. In this paper, we present a novel method for automatically deriving signatures from anti-virus software and discuss how the extracted signatures can be used to attack sensitive data with the aid of the virus scanner itself. To this end, we study the practicability of our approach using four commercial products and demonstrate anti-virus assisted attacks by way of example in three different scenarios.




    Published In

    ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
    April 2017
    952 pages
    ISBN:9781450349444
    DOI:10.1145/3052973
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].


    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. anti-virus
    2. attacks
    3. malware
    4. signatures

    Qualifiers

    • Research-article


    Conference

    ASIA CCS '17

    Acceptance Rates

    ASIA CCS '17 Paper Acceptance Rate 67 of 359 submissions, 19%;
    Overall Acceptance Rate 418 of 2,322 submissions, 18%


    Cited By

    • (2024) MAlign: Explainable static raw-byte based malware family classification using sequence alignment. Computers & Security, 103714. doi:10.1016/j.cose.2024.103714. Published Jan 2024.
    • (2023) Antivirus Evasion Methods in Modern Operating Systems. Applied Sciences 13(8):5083. doi:10.3390/app13085083. Published 19 Apr 2023.
    • (2023) Android malware category detection using a novel feature vector-based machine learning model. Cybersecurity 6(1). doi:10.1186/s42400-023-00139-y. Published 9 Mar 2023.
    • (2023) PackGenome: Automatically Generating Robust YARA Rules for Accurate Malware Packer Detection. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 3078-3092. doi:10.1145/3576915.3616625. Published 15 Nov 2023.
    • (2023) Deployment of Blockchain in Cloud Computing - A Comprehensive Review. 2023 2nd International Conference for Innovation in Technology (INOCON), 1-6. doi:10.1109/INOCON57975.2023.10101317. Published 3 Mar 2023.
    • (2023) A Survey on the Evolution of Fileless Attacks and Detection Techniques. Computers & Security, 103653. doi:10.1016/j.cose.2023.103653. Published Dec 2023.
    • (2023) A Survey of strategy-driven evasion methods for PE malware: Transformation, concealment, and attack. Computers & Security, 103595. doi:10.1016/j.cose.2023.103595. Published Nov 2023.
    • (2023) Using digitally mediated methods in sensitive contexts: a threat analysis and critical reflection on data security, privacy, and ethical concerns in the case of Afghanistan. Zeitschrift für Friedens- und Konfliktforschung 11(2):95-128. doi:10.1007/s42597-022-00088-2. Published 10 Jan 2023.
    • (2023) Factors Affecting Code Security in South African Organization. South African Institute of Computer Scientists and Information Technologists, 200-210. doi:10.1007/978-3-031-39652-6_13. Published 30 Jul 2023.
    • (2022) The Malware Detection Approach in the Design of Mobile Applications. Symmetry 14(5):839. doi:10.3390/sym14050839. Published 19 Apr 2022.
