Employing Program Semantics for Malware Detection
In recent years, malware has emerged as a critical security threat. Additionally, malware authors continue to embed numerous anti-detection features to evade existing malware detection approaches. Against this advanced class of malicious programs, dynamic behavior-based malware detection approaches outperform the traditional signature-based approaches by neutralizing the effects of obfuscation and morphing techniques. The majority of dynamic behavior detectors rely on system calls to model the infection and propagation dynamics of malware. However, these approaches do not account for an important anti-detection feature of modern malware, i.e., the system-call injection attack. This attack allows the malicious binaries to inject irrelevant and independent system calls during program execution, thus modifying the execution sequences and defeating existing system-call based detection. To address this problem, we propose an evasion-proof solution that is not vulnerable to system-call injection attacks. Our proposed approach precisely characterizes the program semantics using the Asymptotic Equipartition Property (AEP), mainly applied in the information-theoretic domain. The AEP allows us to extract the information-rich call sequences that are further quantified to detect the malicious binaries. Furthermore, the proposed detection model is less vulnerable to call-injection attacks, as the discriminating components are not directly visible to malware authors. This particular characteristic of the proposed approach hampers a malware author's aim of defeating our approach. We run a thorough set of experiments to evaluate our solution and compare it with existing system-call based malware detection techniques. The results demonstrate that the proposed solution is effective in identifying real malware instances.
PowerDrive: Accurate De-Obfuscation and Analysis of PowerShell Malware
PowerShell is nowadays a widely-used technology to administer and manage Windows-based operating systems. However, it is also extensively used by malware vectors to execute payloads or drop additional malicious contents. Similarly to other scripting languages used by malware, PowerShell attacks are challenging to analyze due to the extensive use of multiple obfuscation layers, which make the real malicious code hard to unveil. To the best of our knowledge, a comprehensive solution for properly de-obfuscating such attacks is currently missing. In this paper, we present PowerDrive, an open-source, static and dynamic multi-stage de-obfuscator for PowerShell attacks. PowerDrive instruments the PowerShell code to progressively de-obfuscate it by showing the analyst the employed obfuscation steps. We used PowerDrive to successfully analyze thousands of PowerShell attacks extracted from various malware vectors and executables. The attained results show interesting patterns used by attackers to devise their malicious scripts. Moreover, we provide a taxonomy of behavioral models adopted by the analyzed codes and a comprehensive list of the malicious domains contacted during the analysis.
Partial Evaluation of String Obfuscations for Java Malware Detection
The fact that Java is platform independent gives hackers the opportunity to write exploits that can target users on any platform that has a JVM implementation. Metasploit is a well-known source of Java exploits, and to circumvent detection by Anti-Virus (AV) software, obfuscation techniques are routinely applied to make an exploit more difficult to recognise. Popular obfuscation techniques for Java include string obfuscation and applying reflection to hide method calls; two techniques that can either be used together or independently. This paper shows how to apply partial evaluation to remove these obfuscations and thereby improve AV matching. The paper presents a partial evaluator for Jimple, which is an intermediate language for JVM bytecode designed for optimisation and program analysis, and demonstrates how partially evaluated Jimple code, when transformed back into Java, improves the detection rates of a number of commercial AV products.