From Malware Signatures to Anti-Virus Assisted Attacks

Although anti-virus software has significantly evolved over the last decade, classic signature matching based on byte patterns is still a prevalent concept for identifying security threats. Anti-virus signatures are a simple and fast detection mechanism that can complement more sophisticated analysis strategies. However, if signatures are not designed with care, they can turn from a defensive mechanism into an instrument of attack. In this paper, we present a novel method for automatically deriving signatures from anti-virus software and demonstrate how the extracted signatures can be used to attack sensible data with the aid of the virus scanner itself. We study the practicability of our approach using four commercial products and exemplarily discuss a novel attack vector made possible by insufficiently designed signatures. Our research indicates that there is an urgent need to improve pattern-based signatures if used in anti-virus software and to pursue alternative detection approaches in such products.

[1]  Jim Euchner Design , 2014, Catalysis from A to Z.

[2]  Hao Wang,et al.  Towards automatic generation of vulnerability-based signatures , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[3]  Christopher Krügel,et al.  Improving Signature Testing through Dynamic Data Flow Analysis , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[4]  Guofei Gu,et al.  BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic , 2008, NDSS.

[5]  Somesh Jha,et al.  Semantics-aware malware detection , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[6]  Maxime Crochemore,et al.  Algorithms on strings , 2007 .

[7]  Xuxian Jiang,et al.  Catch Me If You Can: Evaluating Android Anti-Malware Against Transformation Attacks , 2014, IEEE Transactions on Information Forensics and Security.

[8]  Dan Gusfield,et al.  Algorithms on Strings, Trees, and Sequences - Computer Science and Computational Biology , 1997 .

[9]  Saumya K. Debray,et al.  Obfuscation of executable code to improve resistance to static disassembly , 2003, CCS '03.

[10]  Christopher Krügel,et al.  Limits of Static Analysis for Malware Detection , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[11]  Vijay Varadharajan,et al.  Design, implementation and evaluation of a novel anti-virus parasitic malware , 2015, SAC.

[12]  Somesh Jha,et al.  Language-based generation and evaluation of NIDS signatures , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[13]  Christopher Krügel,et al.  AccessMiner: using system-centric models for malware protection , 2010, CCS '10.

[14]  Peter Szor,et al.  The Art of Computer Virus Research and Defense , 2005 .

[15]  S. B. Needleman,et al.  A general method applicable to the search for similarities in the amino acid sequence of two proteins. , 1970, Journal of molecular biology.

[16]  Michael K. Reiter,et al.  Traffic Aggregation for Malware Detection , 2008, DIMVA.

[17]  Guofei Gu,et al.  BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection , 2008, USENIX Security Symposium.

[18]  Christopher Krügel,et al.  Effective and Efficient Malware Detection at the End Host , 2009, USENIX Security Symposium.

[19]  Giovanni Vigna,et al.  Testing network-based intrusion detection signatures using mutant exploits , 2004, CCS '04.

[20]  Christus,et al.  A General Method Applicable to the Search for Similarities in the Amino Acid Sequence of Two Proteins , 2022 .

[21]  Vitaly Shmatikov,et al.  Abusing File Processing in Malware Detectors for Fun and Profit , 2012, 2012 IEEE Symposium on Security and Privacy.

[22]  Feng Xue Attacking Antivirus , 2008 .

[23]  Benjamin Livshits,et al.  ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection , 2011, USENIX Security Symposium.

[24]  John C. S. Lui,et al.  ADAM: An Automatic and Extensible Platform to Stress Test Android Anti-virus Systems , 2012, DIMVA.

[25]  Alfred V. Aho,et al.  Efficient string matching , 1975, Commun. ACM.

[26]  Wenke Lee,et al.  Polymorphic Blending Attacks , 2006, USENIX Security Symposium.

[27]  Somesh Jha,et al.  Testing malware detectors , 2004, ISSTA '04.

[28]  Somesh Jha,et al.  Mining specifications of malicious behavior , 2008, ISEC '08.

[29]  Giovanni Vigna,et al.  Reverse Engineering of Network Signatures , 2005 .

[30]  Vladimir I. Levenshtein,et al.  Binary codes capable of correcting deletions, insertions, and reversals , 1965 .

[31]  Kevin W. Hamlen,et al.  Frankenstein: Stitching Malware from Benign Binaries , 2012, WOOT.

[32]  John Aycock,et al.  Computer Viruses and Malware , 2006, Advances in Information Security.

[33]  Xuxian Jiang,et al.  DroidChameleon: evaluating Android anti-malware against transformation attacks , 2013, ASIA CCS '13.

[34]  Somesh Jha,et al.  Automatic generation and analysis of NIDS attacks , 2004, 20th Annual Computer Security Applications Conference.