ARMED: How Automatic Malware Modifications Can Evade Static Detection?
Authors: Raphael Labaca Castro, C. Schmitt, G. Rodosek
Venue: 2019 5th International Conference on Information Management (ICIM)
Published: 2019-03-01
DOI: 10.1109/INFOMAN.2019.8714698 (https://doi.org/10.1109/INFOMAN.2019.8714698)
Citations: 29 (Semantic Scholar)
Modifying existing malicious software until malware scanners misclassify it as clean is an attractive technique for cybercriminals. In particular, fully automating the process lets adversaries generate effective threats faster. Recent studies suggest that injecting modifications which succeed in evading detection can nevertheless corrupt the executable file. Therefore, we propose ARMED (Automatic Random Malware Modifications to Evade Detection), which bypasses classifiers by automating the generation of valid malware variants from already-detected samples. The goal is to understand how automatic perturbations can be used to avoid detection. To reach this goal, we take portable executable (PE) malware and add a number of small random injections that evade detection without affecting the malware's structure. Our experiments show that only six perturbations are required to create new functional malware samples that exhibit exactly the same behaviour yet receive up to 80% fewer detections than the original, previously detected malware. We show that within a few minutes an adversary could take previously detected malware and convert it into a clean-looking new mutation that bypasses static malware scanners.
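The loop the abstract describes has three parts: a set of small edits that do not change what the loader executes, a structural check that the edited file is still a valid PE, and a static scanner that is queried after each edit. The following Python is an added example written for this page, not the paper's code or its perturbation set. It constructs a minimal one-section PE32 image in memory (a constructed sample containing a harmless marker string in place of malicious code), applies two perturbations chosen here for illustration (appending an overlay after the last section, and rewriting the COFF TimeDateStamp, both of which the Windows loader ignores), re-parses the file after every step, and stops when none of the toy scanners flag it. The scanners are stand-ins: a hash denylist, a whole-file byte-histogram feature, and a signature check scoped to mapped section contents.

```python
"""Random functionality-preserving PE perturbation search against toy static scanners (added example)."""
import hashlib
import random
import struct

FILE_ALIGN = 0x200
MARKER = b"EVIL_PAYLOAD_MARKER"  # constructed stand-in for the bytes a signature would match


def build_minimal_pe() -> bytes:
    """Construct a minimal, structurally consistent PE32 with one .text section (constructed sample)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature follows the DOS header
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x5C000000, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)      # SectionAlignment
    struct.pack_into("<I", opt, 36, FILE_ALIGN)  # FileAlignment
    struct.pack_into("<I", opt, 56, 0x2000)      # SizeOfImage
    struct.pack_into("<I", opt, 60, FILE_ALIGN)  # SizeOfHeaders
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, FILE_ALIGN, FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(FILE_ALIGN, b"\0")
    body = (b"\x90" * 16 + MARKER).ljust(FILE_ALIGN, b"\xCC")  # constructed section contents
    return headers + body


def parse_pe(data: bytes) -> dict:
    """Parse just enough of the PE to confirm the loader-visible structure is intact; raise if it is not."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    file_align = struct.unpack_from("<I", data, coff + 20 + 36)[0]
    sec_table = coff + 20 + opt_size
    image_end = sec_table + 40 * nsections
    if image_end > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_table + 40 * i)
        if raw_ptr % file_align or raw_ptr + raw_size > len(data):
            raise ValueError(f"section {name!r} misaligned or outside the file")
        sections.append((name.rstrip(b"\0"), data[raw_ptr:raw_ptr + raw_size]))
        image_end = max(image_end, raw_ptr + raw_size)
    return {"sections": sections, "image_end": image_end, "overlay": data[image_end:]}


def perturb_append_overlay(data: bytes, rng: random.Random) -> bytes:
    """Append random bytes after the last section; the loader never maps an overlay."""
    return data + bytes(rng.getrandbits(8) for _ in range(rng.randint(64, 512)))


def perturb_timestamp(data: bytes, rng: random.Random) -> bytes:
    """Rewrite the COFF TimeDateStamp, which is not used by the loader to run the image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    out = bytearray(data)
    struct.pack_into("<I", out, e_lfanew + 4 + 4, rng.getrandbits(32))
    return bytes(out)


PERTURBATIONS = [perturb_append_overlay, perturb_timestamp]  # illustrative set, chosen for this example


def hash_scanner(data: bytes, denylist: set) -> bool:
    """Toy scanner: exact SHA-256 denylist."""
    return hashlib.sha256(data).hexdigest() in denylist


def histogram_feature_scanner(data: bytes) -> bool:
    """Toy scanner standing in for a byte-histogram feature computed over the raw file: flag filler-heavy files."""
    filler = data.count(0x00) + data.count(0xCC)
    return filler / len(data) >= 0.6


def section_signature_scanner(data: bytes) -> bool:
    """Toy scanner that looks only at mapped section contents, so overlay and header noise cannot move it."""
    return any(MARKER in body for _, body in parse_pe(data)["sections"])


def search_evasion(sample: bytes, scanners, rng: random.Random, max_steps: int = 50):
    """Apply random perturbations, re-validating the PE each time, until no scanner flags the file.

    Returns (steps, data); steps is None if the budget is exhausted."""
    data = sample
    for step in range(1, max_steps + 1):
        data = rng.choice(PERTURBATIONS)(data, rng)
        parse_pe(data)  # a perturbation that broke the structure would raise here
        if not any(scan(data) for scan in scanners):
            return step, data
    return None, data
```

Run against the hash and whole-file histogram scanners, the search usually succeeds in a handful of steps and the evaded file's sections are byte-for-byte those of the original; run against the section-scoped signature it never succeeds, because neither perturbation touches mapped content. Two caveats for practitioners: both perturbations would invalidate an Authenticode signature, so they only preserve "functionality" for unsigned binaries; and the defensive lesson is to compute static features over the mapped image rather than the raw file, and to treat overlay size and header oddities as features in their own right.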