Abstract
The anti-analysis technology of malware has always been the focus in the cyberspace security field. As malware analysis techniques evolve, malware writers continually employ sophisticated anti-reverse engineering techniques to defeat and evade state-of-the-art analyzers. Therefore, to prepare for unknown attacks, studying malware analysis techniques is insufficient. More importantly, we should study new anti-analysis techniques for malware. This paper expands the concept of anti-analysis malware and defines a type of intention-unbreakable malware (IUM). To help defenders fully understand and establish a defense system against the new security threats, this paper systematically discusses IUM from the perspectives of threat discovery, threat modeling, attribute analysis, and threat assessment; in addition, this study also provides the PoC implementations of IUM and demonstrates how attackers can use this type of malware to evade advanced security analysis, that is, accurate identification of target (class) victims and intention concealment in reaching non-target (class) victims. Finally, this paper provides several mitigation directions for combating IUM.
Similar content being viewed by others
References
Botacin M, da Rocha V F, de Geus P L, et al. Analysis, anti-analysis, anti-anti-analysis: an overview of the evasive malware scenario. Anais do XVII Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais, 2017, 17: 250–263
Wang Q, Hassan W U, Li D, et al. You are what you do: hunting stealthy malware via data provenance analysis. In: Proceedings of the 27th Annual Network and Distributed System Security Symposium (NDSS). San Diego: The Internet Society, 2020. 1–17
Wagner D, Soto P. Mimicry attacks on host-based intrusion detection systems. In: Proceedings of the 9th ACM Conference on Computer and Communications Security. New York: Association for Computing Machinery, 2002. 255–264
Fogla P, Sharif M I, Perdisci R, et al. Polymorphic blending attacks. In: Proceedings of the 15th USENIX Security Symposium. Berkeley: USENIX Association, 2006. 241–256
Bonfante G, Fernandez J, Marion J-Y, et al. Codisasm: medium scale concatic disassembly of self-modifying binaries with overlapping instructions. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. New York: Association for Computing Machinery, 2015. 745–756
Li Z T, Li W L, Lin F Y, et al. Hybrid malware detection approach with feedback-directed machine learning. Sci China Inf Sci, 2020, 63: 139103
Wingfield T. Fileless Malware Execution With Powershell is Easier Than You May Realize. McAfee Technical Report, 2017. [2021-12-16]. https://www.mcafee.com/enterprise/en-us/assets/solution-briefs/sb-fileless-malware-execution.pdf
GOODIN D. A rash of invisible, fileless malware is infecting banks around the globe. ARS Technica, 2017. [2021-12-16]. https://arstechnica.com/information-technology/2017/02/a-rash-of-invisible-fileless-malware-is-infecting-banks-around-the-globe/?comments=1&post=32786675
Larry. The 2017 State of Endpoint Security Risk Report. Ponemon Institute Technical Report, 2017. [2021-12-16]. https://cdn2.hubspot.net/hubfs/468115/Campaigns/2017-Ponemon-Report/2017-ponemon-report-key-findings.pdf
MITRE. Process hollowing. 2020. [2021-12-16]. https://attack.mitre.org/techniques/T1093/
GREAT. The mystery of the encrypted Gauss payload. 2012. [2021-12-16]. https://securelist.com/the-mysteryof-the-encrypted-gauss-payload-5/33561/
Ishimaru S. Why corrupted (?) samples in recent APT? 2016. [2021-12-16]. https://hitcon.org/2016/pacific/0composition/pdf/1201/1201
Kirat D, Jang J, Stoecklin M P. DeepLocker — concealing targeted attacks with AI locksmithing. In: Proceedings of the Black Hat Conference, Las Vegas, 2018. 1–29
MITRE. MITRE ATT&CK — Software. 2015. [2021-12-16]. https://attack.mitre.org/software/
Strom B E, Applebaum A, Miller D P, et al. MITRE ATT&CK: Design and Philosophy. Technical Report. 2018
Martin Lockheed. The cyber kill chain. 2011. [2021-12-16]. https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
Yadav T, Rao A M. Technical aspects of cyber kill chain. In: Proceedings of the 3rd International Symposium on Security in Computing and Communication. Cham: Springer, 2015. 438–452
NSA. NSA/CSS technical cyber threat framework V2. National Security Agency Cybersecurity Report, 2018. [2021-12-16]. https://media.defense.gov/2019/Jul/16/2002158108/-1/-1/0/CTR_NSA-CSS-TECHNICAL-CYBER-THREAT-FRAMEWORK_V2.PDF
Moran N, Bennett J T. Supply Chain Analysis: From Quartermaster to Sunshop. FireEye Technical Report, 2013
Peisert S, Schneier B, Okhravi H, et al. Perspectives on the SolarWinds Incident. IEEE Secur Privacy, 2021, 19: 7–13
Oxford Analytica. Kaseya ransomware attack underlines supply chain risks. Emerald Expert Briefings, 2021. doi: https://doi.org/10.1108/oxan-es262642
Engelberg J. Bash Uploader Security Update. Technical Report, 2021. [2021-12-16]. https://about.codecov.io/security-update/
Antonakakis M, Perdisci R, Dagon D, et al. Building a dynamic reputation system for DNS. In: Proceedings of the 19th USENIX Security Symposium. Berkeley: USENIX Association, 2010. 273–290
Wang K, Stolfo S J. Anomalous payload-based network intrusion detection. In: Proceedings of the International Workshop on Recent Advances in Intrusion Detection. Berlin: Springer, 2004. 203–222
Zauner C. Implementation and benchmarking of perceptual image hash functions. Computer Science, 2010. [2021-12-16]. https://www.phash.org/docs/pubs/thesis_zauner.pdf
Özyurt F, Tuncer T, Avci E, et al. A novel liver image classification method using perceptual hash-based convolutional neural network. Arab J Sci Eng, 2019, 44: 3173–3182
Google. Google images. [2021-12-16]. https://www.google.com/imghp?hl=en
Liu Z, Luo P, Wang X, et al. Deep learning face attributes in the wild. In: Proceedings of the IEEE International Conference on Computer Vision. Washington: IEEE Computer Society, 2015. 3730–3738
Ng H-W, Winkler S. A data-driven approach to cleaning large face datasets. In: Proceedings of 2014 IEEE International Conference on Image Processing (ICIP). Washington: IEEE Computer Society, 2014. 343–347
Parkhi O M, Vedaldi A, Zisserman A. VGG face descriptor. Dataset, 2015. [2021-11-16]. https://www.robots.ox.ac.uk/∼vgg/software/vgg_face/
Fanelli G, Dantone M, Gall J, et al. Random forests for real time 3D face analysis. Int J Comput Vis, 2013, 101: 437–458
Wolf L, Hassner T, Maoz I. Face recognition in unconstrained videos with matched background similarity. In: Proceedings of the IEEE Computer Vision and Pattern Recognition (CVPR). Washington: IEEE Computer Society, 2011. 529–534
Kumar N, Berg A C, Belhumeur P N, et al. Attribute and simile classifiers for face verification. In: Proceedings of IEEE 12th International Conference on Computer Vision. Washington: IEEE Computer Society, 2009. 365–372
Huang G B, Mattar M, Berg T, et al. Labeled faces in the wild: a database for studying face recognition in unconstrained environments. In: Proceedings of International Workshop on Faces in Real-Life Images: Detection, Alignment, and Recognition, 2008. 1–17
SophosLabs Research Team. Emotet exposed: looking inside highly destructive malware. Network Secur, 2019, 2019: 6–11
Ramos E. Analysis: Ursnif-Spying on Your Data Since 2007. Technical Report, 2016. [2021-12-16]. https://www.gdatasoftware.com/blog/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007
Holland A. Spot the difference: tracking malware campaigns using visually similar images. 2019. [2021-12-16]. https://threatresearch.ext.hp.com/spot-the-difference-trackingmalware-campaigns-using-visually-similar-images/
Google. VirusTotal. 2007. [2021-12-16]. https://www.virustotal.com/
ThreatBook. Threatbook cloud sandbox. 2015. [2021-12-16]. https://s.threatbook.cn/
Shalev S. theZoo — a live malware repository. 2014. [2021-12-16]. https://github.com/ytisf/theZoo
OPSWAT. Metadefender cloud. 2002. [2021-12-16]. https://metadefender.opswat.com/
He Y, Inglut E, Luo C J. Malware incident response (IR) informed by cyber threat intelligence (CTI). Sci China Inf Sci, 2022, 65: 179105
Pierazzi F, Pendlebury F, Cortellazzi J, et al. Intriguing properties of adversarial ML attacks in the problem space. In: Proceedings of 2020 IEEE Symposium on Security and Privacy (SP). Los Alamitos: IEEE COMPUTER SOC, 2020. 1332–1349
Zhao K, Zhou H, Zhu Y-L, et al. Structural attack against graph based android malware detection. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. New York: Association for Computing Machinery, 2021. 3218–3235
Sharif M I, Lanzi A, Giffin J T, et al. Impeding malware analysis using conditional code obfuscation. In: Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS). San Diego: The Internet Society, 2008. 1–13
Pavithran J, Patnaik M, Rebeiro C. D-TIME: distributed threadless independent malware execution for runtime obfuscation. In: Proceedings of the 13th USENIX Workshop on Offensive Technologies (WOOT 19). Berkeley: USENIX Association, 2019. 1–14
Xue L, Zhou H, Luo X-P, et al. Happer: unpacking Android apps via a hardware-assisted approach. In: Proceedings of 2021 IEEE Symposium on Security and Privacy (SP). Los Alamitos: IEEE Computer Soc, 2021. 1641–1658
Acknowledgements
This work was supported by Key-Area Research and Development Program of Guangdong Province (Grant Nos. 2019B010136003, 2019B010137004) and National Key Research and Development Plan of China (Grant No. 2019YFA0706404).
Author information
Authors and Affiliations
Corresponding author
Additional information
Supporting information Appendixes A–C. The supporting information is available online at https://info.scichina.com and https://link.springer.com. The supporting materials are published as submitted, without typesetting or editing. The responsibility for scientific accuracy and content remains entirely with the authors.
Supplementary File
Rights and permissions
About this article
Cite this article
Ji, T., Fang, B., Cui, X. et al. Framework for understanding intention-unbreakable malware. Sci. China Inf. Sci. 66, 142104 (2023). https://doi.org/10.1007/s11432-021-3567-y
Received:
Revised:
Accepted:
Published:
DOI: https://doi.org/10.1007/s11432-021-3567-y