Skip to main content
SpringerLink
Log in

Framework for understanding intention-unbreakable malware

  • Research Paper
  • Published:
Science China Information Sciences Aims and scope Submit manuscript

Abstract

The anti-analysis technology of malware has always been the focus in the cyberspace security field. As malware analysis techniques evolve, malware writers continually employ sophisticated anti-reverse engineering techniques to defeat and evade state-of-the-art analyzers. Therefore, to prepare for unknown attacks, studying malware analysis techniques is insufficient. More importantly, we should study new anti-analysis techniques for malware. This paper expands the concept of anti-analysis malware and defines a type of intention-unbreakable malware (IUM). To help defenders fully understand and establish a defense system against the new security threats, this paper systematically discusses IUM from the perspectives of threat discovery, threat modeling, attribute analysis, and threat assessment; in addition, this study also provides the PoC implementations of IUM and demonstrates how attackers can use this type of malware to evade advanced security analysis, that is, accurate identification of target (class) victims and intention concealment in reaching non-target (class) victims. Finally, this paper provides several mitigation directions for combating IUM.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Botacin M, da Rocha V F, de Geus P L, et al. Analysis, anti-analysis, anti-anti-analysis: an overview of the evasive malware scenario. Anais do XVII Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais, 2017, 17: 250–263

    Article  Google Scholar 

  2. Wang Q, Hassan W U, Li D, et al. You are what you do: hunting stealthy malware via data provenance analysis. In: Proceedings of the 27th Annual Network and Distributed System Security Symposium (NDSS). San Diego: The Internet Society, 2020. 1–17

    Google Scholar 

  3. Wagner D, Soto P. Mimicry attacks on host-based intrusion detection systems. In: Proceedings of the 9th ACM Conference on Computer and Communications Security. New York: Association for Computing Machinery, 2002. 255–264

    Google Scholar 

  4. Fogla P, Sharif M I, Perdisci R, et al. Polymorphic blending attacks. In: Proceedings of the 15th USENIX Security Symposium. Berkeley: USENIX Association, 2006. 241–256

    Google Scholar 

  5. Bonfante G, Fernandez J, Marion J-Y, et al. Codisasm: medium scale concatic disassembly of self-modifying binaries with overlapping instructions. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. New York: Association for Computing Machinery, 2015. 745–756

    Google Scholar 

  6. Li Z T, Li W L, Lin F Y, et al. Hybrid malware detection approach with feedback-directed machine learning. Sci China Inf Sci, 2020, 63: 139103

    Article  Google Scholar 

  7. Wingfield T. Fileless Malware Execution With Powershell is Easier Than You May Realize. McAfee Technical Report, 2017. [2021-12-16]. https://www.mcafee.com/enterprise/en-us/assets/solution-briefs/sb-fileless-malware-execution.pdf

  8. GOODIN D. A rash of invisible, fileless malware is infecting banks around the globe. ARS Technica, 2017. [2021-12-16]. https://arstechnica.com/information-technology/2017/02/a-rash-of-invisible-fileless-malware-is-infecting-banks-around-the-globe/?comments=1&post=32786675

  9. Larry. The 2017 State of Endpoint Security Risk Report. Ponemon Institute Technical Report, 2017. [2021-12-16]. https://cdn2.hubspot.net/hubfs/468115/Campaigns/2017-Ponemon-Report/2017-ponemon-report-key-findings.pdf

  10. MITRE. Process hollowing. 2020. [2021-12-16]. https://attack.mitre.org/techniques/T1093/

  11. GREAT. The mystery of the encrypted Gauss payload. 2012. [2021-12-16]. https://securelist.com/the-mysteryof-the-encrypted-gauss-payload-5/33561/

  12. Ishimaru S. Why corrupted (?) samples in recent APT? 2016. [2021-12-16]. https://hitcon.org/2016/pacific/0composition/pdf/1201/1201

  13. Kirat D, Jang J, Stoecklin M P. DeepLocker — concealing targeted attacks with AI locksmithing. In: Proceedings of the Black Hat Conference, Las Vegas, 2018. 1–29

  14. MITRE. MITRE ATT&CK — Software. 2015. [2021-12-16]. https://attack.mitre.org/software/

  15. Strom B E, Applebaum A, Miller D P, et al. MITRE ATT&CK: Design and Philosophy. Technical Report. 2018

  16. Martin Lockheed. The cyber kill chain. 2011. [2021-12-16]. https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

  17. Yadav T, Rao A M. Technical aspects of cyber kill chain. In: Proceedings of the 3rd International Symposium on Security in Computing and Communication. Cham: Springer, 2015. 438–452

    Google Scholar 

  18. NSA. NSA/CSS technical cyber threat framework V2. National Security Agency Cybersecurity Report, 2018. [2021-12-16]. https://media.defense.gov/2019/Jul/16/2002158108/-1/-1/0/CTR_NSA-CSS-TECHNICAL-CYBER-THREAT-FRAMEWORK_V2.PDF

  19. Moran N, Bennett J T. Supply Chain Analysis: From Quartermaster to Sunshop. FireEye Technical Report, 2013

  20. Peisert S, Schneier B, Okhravi H, et al. Perspectives on the SolarWinds Incident. IEEE Secur Privacy, 2021, 19: 7–13

    Article  Google Scholar 

  21. Oxford Analytica. Kaseya ransomware attack underlines supply chain risks. Emerald Expert Briefings, 2021. doi: https://doi.org/10.1108/oxan-es262642

  22. Engelberg J. Bash Uploader Security Update. Technical Report, 2021. [2021-12-16]. https://about.codecov.io/security-update/

  23. Antonakakis M, Perdisci R, Dagon D, et al. Building a dynamic reputation system for DNS. In: Proceedings of the 19th USENIX Security Symposium. Berkeley: USENIX Association, 2010. 273–290

    Google Scholar 

  24. Wang K, Stolfo S J. Anomalous payload-based network intrusion detection. In: Proceedings of the International Workshop on Recent Advances in Intrusion Detection. Berlin: Springer, 2004. 203–222

    Google Scholar 

  25. Zauner C. Implementation and benchmarking of perceptual image hash functions. Computer Science, 2010. [2021-12-16]. https://www.phash.org/docs/pubs/thesis_zauner.pdf

  26. Özyurt F, Tuncer T, Avci E, et al. A novel liver image classification method using perceptual hash-based convolutional neural network. Arab J Sci Eng, 2019, 44: 3173–3182

    Article  Google Scholar 

  27. Google. Google images. [2021-12-16]. https://www.google.com/imghp?hl=en

  28. Liu Z, Luo P, Wang X, et al. Deep learning face attributes in the wild. In: Proceedings of the IEEE International Conference on Computer Vision. Washington: IEEE Computer Society, 2015. 3730–3738

    Google Scholar 

  29. Ng H-W, Winkler S. A data-driven approach to cleaning large face datasets. In: Proceedings of 2014 IEEE International Conference on Image Processing (ICIP). Washington: IEEE Computer Society, 2014. 343–347

    Google Scholar 

  30. Parkhi O M, Vedaldi A, Zisserman A. VGG face descriptor. Dataset, 2015. [2021-11-16]. https://www.robots.ox.ac.uk/∼vgg/software/vgg_face/

  31. Fanelli G, Dantone M, Gall J, et al. Random forests for real time 3D face analysis. Int J Comput Vis, 2013, 101: 437–458

    Article  Google Scholar 

  32. Wolf L, Hassner T, Maoz I. Face recognition in unconstrained videos with matched background similarity. In: Proceedings of the IEEE Computer Vision and Pattern Recognition (CVPR). Washington: IEEE Computer Society, 2011. 529–534

    Google Scholar 

  33. Kumar N, Berg A C, Belhumeur P N, et al. Attribute and simile classifiers for face verification. In: Proceedings of IEEE 12th International Conference on Computer Vision. Washington: IEEE Computer Society, 2009. 365–372

    Google Scholar 

  34. Huang G B, Mattar M, Berg T, et al. Labeled faces in the wild: a database for studying face recognition in unconstrained environments. In: Proceedings of International Workshop on Faces in Real-Life Images: Detection, Alignment, and Recognition, 2008. 1–17

  35. SophosLabs Research Team. Emotet exposed: looking inside highly destructive malware. Network Secur, 2019, 2019: 6–11

    Article  Google Scholar 

  36. Ramos E. Analysis: Ursnif-Spying on Your Data Since 2007. Technical Report, 2016. [2021-12-16]. https://www.gdatasoftware.com/blog/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007

  37. Holland A. Spot the difference: tracking malware campaigns using visually similar images. 2019. [2021-12-16]. https://threatresearch.ext.hp.com/spot-the-difference-trackingmalware-campaigns-using-visually-similar-images/

  38. Google. VirusTotal. 2007. [2021-12-16]. https://www.virustotal.com/

  39. ThreatBook. Threatbook cloud sandbox. 2015. [2021-12-16]. https://s.threatbook.cn/

  40. Shalev S. theZoo — a live malware repository. 2014. [2021-12-16]. https://github.com/ytisf/theZoo

  41. OPSWAT. Metadefender cloud. 2002. [2021-12-16]. https://metadefender.opswat.com/

  42. He Y, Inglut E, Luo C J. Malware incident response (IR) informed by cyber threat intelligence (CTI). Sci China Inf Sci, 2022, 65: 179105

    Article  Google Scholar 

  43. Pierazzi F, Pendlebury F, Cortellazzi J, et al. Intriguing properties of adversarial ML attacks in the problem space. In: Proceedings of 2020 IEEE Symposium on Security and Privacy (SP). Los Alamitos: IEEE COMPUTER SOC, 2020. 1332–1349

    Google Scholar 

  44. Zhao K, Zhou H, Zhu Y-L, et al. Structural attack against graph based android malware detection. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. New York: Association for Computing Machinery, 2021. 3218–3235

    Google Scholar 

  45. Sharif M I, Lanzi A, Giffin J T, et al. Impeding malware analysis using conditional code obfuscation. In: Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS). San Diego: The Internet Society, 2008. 1–13

    Google Scholar 

  46. Pavithran J, Patnaik M, Rebeiro C. D-TIME: distributed threadless independent malware execution for runtime obfuscation. In: Proceedings of the 13th USENIX Workshop on Offensive Technologies (WOOT 19). Berkeley: USENIX Association, 2019. 1–14

    Google Scholar 

  47. Xue L, Zhou H, Luo X-P, et al. Happer: unpacking Android apps via a hardware-assisted approach. In: Proceedings of 2021 IEEE Symposium on Security and Privacy (SP). Los Alamitos: IEEE Computer Soc, 2021. 1641–1658

    Google Scholar 

Download references

Acknowledgements

This work was supported by Key-Area Research and Development Program of Guangdong Province (Grant Nos. 2019B010136003, 2019B010137004) and National Key Research and Development Plan of China (Grant No. 2019YFA0706404).

Author information

Authors and Affiliations

  1. Key Laboratory of Trustworthy Distributed Computing and Service (BUPT), Ministry of Education, Beijing University of Posts and Telecommunications, Beijing, 100876, China

    Tiantian Ji, Binxing Fang, Peng Liao & Shouyou Song

  2. Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou, 510006, China

    Xiang Cui

  3. Chinese Academy of Cyberspace Studies, Beijing, 100010, China

    Zhongru Wang

  4. Beijing DigApis Technology Co., Ltd., Beijing, 100081, China

    Shouyou Song

Authors
  1. Tiantian Ji
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Binxing Fang
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Xiang Cui
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Zhongru Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Peng Liao
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Shouyou Song
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Xiang Cui.

Additional information

Supporting information Appendixes A–C. The supporting information is available online at https://info.scichina.com and https://link.springer.com. The supporting materials are published as submitted, without typesetting or editing. The responsibility for scientific accuracy and content remains entirely with the authors.

Supplementary File

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Ji, T., Fang, B., Cui, X. et al. Framework for understanding intention-unbreakable malware. Sci. China Inf. Sci. 66, 142104 (2023). https://doi.org/10.1007/s11432-021-3567-y

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1007/s11432-021-3567-y

Keywords

Search

Navigation