“VANILLA” malware: vanishing antiviruses by interleaving layers and layers of attacks

Abstract

Malware is a persistent threat to any networked system. The increase in multi-core, distributed systems in recent years has created new opportunities for malware authors to exploit such capabilities. In particular, the distributed execution of a malware sample across multiple cores may be used to evade the currently widespread single-core-based detectors (e.g., antiviruses, or AVs) and malware analysis solutions that are unable to correlate data from multiple sources. In this paper, we propose a technique for distributing malware functions across several distinct “vanilla” processes to show that AVs can be easily evaded. Our technique therefore allows malware to interleave layers of attacks and remain undetected by current AVs. Our goal is to expose a real menace and to discuss it so as to provide insights for the development of better AVs. We discuss the role of distributed and multi-core-based malware in current and future threat scenarios with practical examples that we specially crafted for testing (e.g., a distributed sample synchronized via cache side channels). We (i) review multi-threaded/multi-processed implementation issues (from the kernel and from userland) and present a multi-core-based monitoring solution; (ii) present strategies for code distribution, exemplified via DLL injectors, and discuss their weak and strong points; and (iii) evaluate how real security solutions perform when exposed to distributed malware. We converted real, serial malware to parallel code and showed that current AVs are not fully able to detect multi-core malware.

Figures 1–10 are not reproduced in this preview.

Notes

  1. December/2018.

Acknowledgements

This work was supported by the Brazilian National Counsel of Technological and Scientific Development (CNPq, PhD Scholarship, process 164745/2017-3) and the Coordination for the Improvement of Higher Education Personnel (CAPES, Project FORTE, Forensics Sciences Program 24/2014, process 23038.007604/2014-69).

Author information

Corresponding author

Correspondence to Marcus Botacin.

About this article

Cite this article

Botacin, M., de Geus, P.L. & Grégio, A. “VANILLA” malware: vanishing antiviruses by interleaving layers and layers of attacks. J Comput Virol Hack Tech 15, 233–247 (2019). https://doi.org/10.1007/s11416-019-00333-y

Keywords

  • Malware
  • Multi-core
  • DLL injection
  • Cache side-channel