Abstract
Modern computing platforms have moved to more secure environments with defensive techniques such as application-based permissions and application whitelisting. In addition, anti-virus solutions are improving their detection techniques, especially those based on behavioural properties. To overcome these hurdles, adversaries have been developing new malware techniques, including the use of legitimate digital certificates; hence it is important to explore possible offensive techniques in such a security-improved environment.
In this paper, we first propose the new technique of feature-distributed malware, which dynamically distributes its features across multiple software components in order to bypass security mechanisms such as application whitelisting and anti-virus behavioural detection. To evaluate our approach, we have implemented a tool that automatically generates such malware instances and have performed a series of experiments showing the risks of such advanced malware. We also propose an effective defence mechanism that prevents the loading of malicious components by utilising the digital certificates of software components. We have implemented a Windows service that provides this defence mechanism and evaluated it against the proposed malware. Another useful characteristic of our defence is that it is capable of blocking the general abuse of legitimate digital certificates through dynamic software component loading.
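The defence described above relies on the digital certificates of software components at load time. As an added illustration (not the paper's Windows service, whose exact policy is not described on this page), the following PowerShell audit applies one plausible version of such a policy after the fact: it walks the modules loaded into a running process and flags any that is unsigned, has an invalid signature, or whose signer differs from both the host executable's signer and an allow-list of publishers. The function names, the default allow-list and the "signer must match the host" rule are assumptions made for this example.

```powershell
# Added illustrative example, not the paper's implementation.
# Audits the modules loaded into a process and flags those whose Authenticode
# signer is missing, invalid, or different from the host executable's signer
# (unless the signer is on an allow-list of publishers). The real defence in the
# paper vetoes the load inside a Windows service; this script only inspects
# modules that have already been loaded. Function names are hypothetical.

function Get-SignerSubject {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the signer's subject DN only when the signature chains to a
    # trusted root; anything else (unsigned, tampered, untrusted) yields $null.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return $null }
    return $sig.SignerCertificate.Subject
}

function Test-ProcessModuleSigners {
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        # Publishers that may legitimately be loaded into any process, whatever
        # the host's own signer is (assumed default: the OS vendor).
        [string[]]$TrustedPublisherPatterns = @('O=Microsoft Corporation')
    )
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    $hostSubject = Get-SignerSubject -Path $proc.Path

    $findings = foreach ($m in $proc.Modules) {
        $subj = Get-SignerSubject -Path $m.FileName
        $verdict = 'ok'
        if (-not $subj) {
            $verdict = 'unsigned-or-invalid'
        }
        else {
            $allowListed = $TrustedPublisherPatterns | Where-Object { $subj -like "*$_*" }
            # If the host itself is unsigned there is no host signer to match,
            # so only the allow-list can vouch for a module in that case.
            $matchesHost = ($null -ne $hostSubject) -and ($subj -eq $hostSubject)
            if (-not $matchesHost -and -not $allowListed) { $verdict = 'signer-mismatch' }
        }
        [pscustomobject]@{
            Module  = $m.FileName
            Signer  = $subj
            Verdict = $verdict
        }
    }
    return $findings
}

# Usage: list every module in the current PowerShell host that is unsigned,
# has an invalid signature, or is signed by a publisher other than the host's
# signer or an allow-listed one.
Test-ProcessModuleSigners -ProcessId $PID |
    Where-Object Verdict -ne 'ok' |
    Format-Table -AutoSize
```

A Valid result from Get-AuthenticodeSignature only says that the chain terminates in a trusted root, so a stolen but still valid certificate of the kind the abstract refers to would pass that check on its own; the comparison against the host executable's signer is what catches a component signed by someone other than the publisher of the process it was loaded into. Reading another process's module list generally requires administrator rights, and a blocking defence has to make the same decision before the load completes rather than afterwards, which is why the paper implements it as a service rather than as an audit script.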
Copyright information
© 2014 Springer International Publishing Switzerland
Cite this paper
Min, B., Varadharajan, V. (2014). Feature-Distributed Malware Attack: Risk and Defence. In: Kutyłowski, M., Vaidya, J. (eds) Computer Security - ESORICS 2014. ESORICS 2014. Lecture Notes in Computer Science, vol 8713. Springer, Cham. https://doi.org/10.1007/978-3-319-11212-1_26
DOI: https://doi.org/10.1007/978-3-319-11212-1_26
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11211-4
Online ISBN: 978-3-319-11212-1