
“VANILLA” malware: vanishing antiviruses by interleaving layers and layers of attacks


Malware is a persistent threat to any networked system. The recent increase in multi-core and distributed systems has created new opportunities for malware authors to exploit these capabilities. In particular, distributing the execution of a malware sample over multiple cores may be used to evade currently widespread single-core-based detectors (e.g., antiviruses, or AVs) and malware analysis solutions that are unable to correlate data from multiple sources. In this paper, we propose a technique for distributing malware functions across several distinct “vanilla” processes to show that AVs can be easily evaded. Our technique thus allows malware to interleave layers of attacks and remain undetected by current AVs. Our goal is to expose a real menace and to discuss it so as to provide insights for the development of better AVs. We discuss the role of distributed and multi-core-based malware in current and future threat scenarios with practical examples that we specially crafted for testing (e.g., a distributed sample synchronized via cache side channels). We (i) review multi-threaded/multi-process implementation issues (in kernel and userland) and present a multi-core-based monitoring solution; (ii) present strategies for code distribution, exemplified via DLL injectors, and discuss their weak and strong points; and (iii) evaluate how real security solutions perform when exposed to distributed malware. We converted real, serial malware to parallel code and showed that current AVs are not fully able to detect multi-core malware.


Figures 1–10 (images not reproduced on this page)




This work was supported by the Brazilian National Counsel of Technological and Scientific Development (CNPq, PhD Scholarship, process 164745/2017-3) and the Coordination for the Improvement of Higher Education Personnel (CAPES, Project FORTE, Forensics Sciences Program 24/2014, process 23038.007604/2014-69).

Author information

Corresponding author

Correspondence to Marcus Botacin.


Cite this article

Botacin, M., de Geus, P.L. & Grégio, A. “VANILLA” malware: vanishing antiviruses by interleaving layers and layers of attacks. J Comput Virol Hack Tech 15, 233–247 (2019).



  • Malware
  • Multi-core
  • DLL injection
  • Cache side-channel