Exploiting an Antivirus Interface
18 pages
English


Excerpt

Exploiting an Antivirus Interface
Kevin W. Hamlen, Vishwath Mohan, Mohammad M. Masud, Latifur Khan, Bhavani Thuraisingham
Computer Science Department, University of Texas at Dallas, 800 W. Campbell Rd., Richardson, Texas 75080, USA
Abstract. We propose a technique for defeating signature-based malware detectors by exploiting information disclosed by antivirus interfaces. This information is leveraged to reverse engineer relevant details of the detector's underlying signature database, revealing binary obfuscations that suffice to conceal malware from the detector. Experiments with real malware and antivirus interfaces on Windows operating systems justify the effectiveness of our approach.
Key words: Security, Signature-based malware detection, Data mining, Binary obfuscation
1. Introduction
Traditionalsignaturebasedmalware detectors identify malware by scanning untrusted binaries for distinguishing byte sequences orfeaturesunique. Features to malware are maintained in asignature database, which must be continually updated as new malware is discovered and analyzed. Signaturebased malware detection generally enforces a static approximation of some desired dynamic (i.e., behavioral) security policy. For example, access control policies, such as those that prohibit code injections into operating system executables, are statically undecidable and can therefore only be approximated by any purely static decision procedure such as signaturematching. A signature based malwaredetector approximates these policies by identifying syntactic fea tures that tend to appear only in binaries that exhibit policyviolating behavior when executed. This approximation is both unsound and incomplete in that it is susceptible to both false positive and false negative classifications of some binaries. For this reason signature databases are typically kept confidential, since they contain information that an attacker could use to craft malware that
Corresponding author. Email addresses: hamlen@utdallas.edu (Kevin W. Hamlen), vishwath.mohan@utdallas.edu (Vishwath Mohan), mehedy@utdallas.edu (Mohammad M. Masud), lkhan@utdallas.edu (Latifur Khan), bhavani.thuraisingham@utdallas.edu (Bhavani Thuraisingham)
Preprint submitted to Elsevier
April 21, 2009