Static Detection of Malware

Abstract

In the search for research fields that can shed light on our issue of checking a piece of equipment for unwanted functionality, static malware detection stands out as the most obvious candidate. Malware detection is as old as malware itself and its main goal is to notice if maliciously behaving code has been introduced into an otherwise clean system by a third party. In this chapter, we consider techniques that are static, in the sense that they are based on investigating the code rather than a running system. We will return to dynamic methods in a later chapter.

Our point of view is somewhat different from that of classic malware detection, in that we do not presume that we have a clean system to begin with. Our intention is to shed light on the implications of this difference to understand the extent to which the successes of static malware detection can transfer to our case.

Malware Classes

The most often cited definition of malware is software that fulfils the deliberately harmful intent of an attacker. This definition was presented by Moser et al. [11]. The term malware is usually understood to be an abbreviation of the two words malicious software. As we shall see in a later section, this definition is overly restrictive, since some types of malware threaten hardware development. A more general definition, and one more relevant to our topic, is therefore that malware is malicious code, regardless of whether this code defines hardware or is to be run as software. A reasonable definition of the term is therefore 'code that deliberately fulfils the harmful intent of an attacker'.

An abundance of taxonomies of malware are to be found in the literature, but they generally agree on the most important terms. We do not intend to give a complete overview here; rather, we concentrate on the notions that are most relevant to our topic. A more complete set of definitions can be found in [17]. Here, we proceed with the three notions that define different ways that malware can spread and reside on a machine.

Virus:

A computer virus shares the property of its biological counterpart that it cannot live on its own. Rather, it is a piece of code that inserts itself into an existing program and is executed whenever the host program is executed. Computer viruses spread by inserting themselves into other executables. The initial infection of the system can be accomplished through a program that only needs to be run once. The infecting program could, for example, reside on a memory stick.

Worm:

A worm is a complete program in its own right and can execute independently of any other program. Its primary distinction from a virus is that it does not need a host program. This also means that its strategies for spreading will be different, since it does not need to modify existing executables to spread. It can spread through a network by exploiting vulnerabilities in operating systems.

Trojan:

While viruses and worms spread in stealth mode, a Trojan horse is malware embedded into a seemingly innocent application that is explicitly and knowingly downloaded and run by the user. This application can be a screensaver, a small widget that displays the local weather, or a file received as a seemingly harmless attachment in e-mail. Infections embedded in malicious webpages are also categorised as Trojans.

Although the above categorisation gives the impression that an attack falls into exactly one of these categories, this is not generally true. A sophisticated operation could take advantage of all three strategies above.

Orthogonal to the infection methods above is a set of notions related to what the malware is trying to accomplish.

Spyware:

The task of spyware is to collect sensitive data from the system it resides on and transfer this data to the attacker. The information can be gathered by logging keystrokes on a keyboard, analysing the contents of documents on the system, or analysing the system itself in preparation for future attacks.

Ransomware:

As the name suggests, this is malware that puts the attacker in a position to demand a ransom from the owner of the system. The most frequent way to do this is by rendering the system useless through encrypting vital information and requiring compensation for making it available again.

Bot:

A bot is a piece of software that gives the attacker—or botmaster—the ability to remotely control a system. Usually a botmaster has infected a large number of systems and has a set of machines—a botnet—under his or her control. Botnets are typically used to perform attacks on other computers or to send out spam emails.

Rootkit:

A rootkit is a set of techniques used to mask the presence of malware on a computer, usually through privileged access—root or administrator access—to the system. Rootkits are harmless per se, but they are central parts of most sophisticated attacks. They are also typically hard to find and remove, since they can subvert any anti-malware program trying to detect them.

This list of actions that could be performed by malware covers the most frequent motivations for infecting a system. Still, we emphasise that the list is not exhaustive. Other motivations are not only conceivable but have also inspired some of the most spectacular digital attacks known to date. The most widely known of these is Stuxnet, whose prime motivation was to cause physical harm to centrifuges used in the enrichment of uranium in Iran [10]. Another instance is Flame [3], which can misuse the microphone and camera of an infected device to record audio and video from the room where the infected system is physically located.

Signatures and Static Code Analysis

Checking for malicious intent in program code is usually done through signatures. In its simplest and earliest form, a signature is a sequence of assembly instructions that is known to perform a malicious act. Two decades of arms race between makers and detectors of malware have led to the development of malware that is hard to find and of advanced static signatures with complex structures. The use of such signatures is, in principle, quite straightforward: we need a repository of known sequences of instructions sampled from all known malware. Checking code against this repository, a malware detection system would be able to raise the alarm when a matching sequence is found.

There are basically three challenges to finding malware this way. First, the signature has to be generated and this is usually done manually [8]. Second, before the signature can be generated, the malware must have been analysed. This will not happen until its existence is known. There are examples of malware that were active for several years before they were found [19]. Finally, the repository of signatures is ever growing and new signatures have to be distributed continuously.

These challenges notwithstanding, the detection of malware through static signatures has historically been one of the most successful countermeasures against malware infections. The arms race between detectors and developers of malware is, however, still ongoing and, in the upcoming sections, we give an overview of how the race has played out.

Encrypted and Oligomorphic Malware

The response of malware developers to signatures was quite predictable. The developers needed to make malware that had the same functionality as malware for which a signature existed but where the signature itself would not produce a match. This was important for them for two reasons. First, in writing new malware, it is important that it is not caught by existing signatures. Second, as one's malware spreads and infects more and more machines, one would like it to automatically develop into different strands. This way, whenever new signatures can fight some instances of the malware, there are others that are immune.

An early attempt at making a virus develop into different versions as it spread involved encrypting the part of the code that performed the malicious actions. Using different encryption keys, the virus could morph into seemingly unrelated versions every other generation. For this to work, the virus had to consist of two parts, one being a decryptor that decrypts the active parts of the malware and the other the malicious code itself. Although this made the static analysis of the actions of the malware somewhat harder, finding the malware by using signatures was not made any more difficult. The decryption loop itself could not be encrypted and it turned out that finding a signature that matched a known decryption loop was no more difficult than finding a signature for a non-evolving virus.

A second approach was to embed several versions of the decryption loop into the encrypted part of the malware. For each new generation of the virus, an arbitrary decryption loop is chosen so that one single signature will not be able to detect all generations of the malware. Viruses that use this obscuring strategy are called oligomorphic [15] and they present a somewhat greater challenge for virus analysers, which will have to develop signatures for each version of the decryption loop. Still, for virus detection software, only the analysis time is increased. Oligomorphic viruses are therefore currently considered tractable.

Obfuscation Techniques

From the point of view of a malware developer, one would want to overcome oligomorphic viruses' weakness of using only a limited number of different decryption loops. The natural next step in the evolution of viruses was to find ways to make the code develop into an unlimited number of different versions.

In searching for ways to do this, malware developers had strong allies. Parts of the software industry had for some time already been developing ways to make code hard to reverse engineer, so that they could better protect their intellectual property. Rewriting code to have the same functionality but with a vastly different appearance was therefore researched in full openness. Some of the methods developed naturally found their way into malware evolution. Many techniques could be mentioned [20], but here we only consider the most common ones.

The most obvious thing to do when a signature contains a sequence of instructions to be performed one after the other is to insert extra insignificant code. This obfuscation method is called dead code insertion and consists of arbitrarily introducing instructions that do not change the result of the program's execution. There are several ways of doing this. One can, for instance, insert instructions that do nothing at all—so-called no-operations—and these are present in the instruction sets of most processors. Another method is to insert two or more operations that cancel each other out. An example of the latter is two instructions that push and pop the same variable on a stack. Another obfuscation technique is to exchange the usage of variables or registers between instances of the same malware. The semantics of the malware would be the same, but a signature that detects one instance will not necessarily detect the other.

More advanced methods will make more profound changes to the code. A key observation is that, in many situations, multiple instructions will have the same effect. An example is when you want to initialise a register to zeros only: you could do so by explicitly assigning a value to it or by XOR-ing it with itself. In addition, one can also alter the malware by shuffling code around and maintaining the control flow through jump instructions.

The most advanced obfuscation techniques are the so-called virtualization obfuscators [16]. Malware using this technique programs its malicious actions in a randomly chosen programming language. The malware contains an interpreter for this language and thus performs the malicious acts through the interpreter.

In parallel with the development of obfuscation techniques, we have seen an abundance of suggestions for deobfuscators. These are tasked with transforming the obfuscated code into a representation that is recognisable to either humans or a malware detector equipped with a signature. For some of the obfuscation techniques above, deobfuscators are easy to create and efficient to use. The successes of these techniques unfortunately diminish when obfuscators replace instructions with semantically identical instructions where the semantic identity depends on the actual program state, or when the control flow of the program is manipulated with conditional branches that also depend on the program state. This should, however, not come as a surprise. We learned in Chap. 5 that whether two programs are behaviourally identical is undecidable. Perfect deobfuscators are therefore impossible to design.
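The following toy model, added here and not taken from the chapter, shows the cheap obfuscations described above (dead code, cancelling push/pop pairs, register exchange, xor-self for zeroing) defeating a raw signature match, and the simple normalising deobfuscator the paragraph says is easy to build restoring it; the last variant shows the state-dependent equivalence such a normaliser cannot undo. The pseudo-assembly tuples, the signature and all three fragments are constructed for this illustration and model no real ISA or product.

```python
"""Toy signature matching versus simple obfuscations, and the normalising
deobfuscator that undoes the simple ones but not a state-dependent one.

Constructed example: instructions are (mnemonic, operand, ...) tuples in a
made-up pseudo-assembly; the 'suspicious' fragment is a harmless placeholder."""
from typing import Dict, List, Tuple

Instr = Tuple[str, ...]

# Fragment that the signature was written against (constructed).
ORIGINAL: List[Instr] = [
    ("mov", "r1", "0"),
    ("load", "r2", "[buf]"),
    ("add", "r2", "r1"),
    ("store", "[buf]", "r2"),
]

# Earliest kind of signature: the exact instruction sequence seen in the sample.
SIGNATURE: List[Instr] = list(ORIGINAL)

# Same behaviour after dead-code insertion (nop, push/pop pair), register
# exchange (r1->r3, r2->r5) and rewriting "mov r,0" as "xor r,r".
OBFUSCATED: List[Instr] = [
    ("nop",),
    ("xor", "r3", "r3"),      # zeroes r3: same effect as mov r3, 0
    ("push", "r5"),
    ("pop", "r5"),            # the pair cancels out
    ("load", "r5", "[buf]"),
    ("nop",),
    ("add", "r5", "r3"),
    ("store", "[buf]", "r5"),
]

# Equivalent only if r7 happens to hold 0 at this point: a state-dependent
# identity that a purely syntactic normaliser cannot resolve.
STATE_DEPENDENT: List[Instr] = [
    ("mov", "r3", "r7"),
    ("load", "r5", "[buf]"),
    ("add", "r5", "r3"),
    ("store", "[buf]", "r5"),
]


def signature_match(code: List[Instr], sig: List[Instr]) -> bool:
    """Exact contiguous match of the signature sequence inside the code."""
    n = len(sig)
    return any(code[i:i + n] == sig for i in range(len(code) - n + 1))


def is_register(op: str) -> bool:
    return op.startswith("r") and op[1:].isdigit()


def normalise(code: List[Instr]) -> List[Instr]:
    """Strip nops, cancel adjacent push/pop of the same operand, rewrite
    'xor r,r' as 'mov r,0', then rename registers in order of first use so
    that register exchange no longer matters."""
    out: List[Instr] = []
    for ins in code:
        if ins[0] == "nop":
            continue
        if ins[0] == "xor" and len(ins) == 3 and ins[1] == ins[2]:
            ins = ("mov", ins[1], "0")
        if ins[0] == "pop" and out and out[-1] == ("push", ins[1]):
            out.pop()
            continue
        out.append(ins)
    names: Dict[str, str] = {}
    renamed: List[Instr] = []
    for ins in out:
        ops = tuple(names.setdefault(op, f"R{len(names)}") if is_register(op) else op
                    for op in ins[1:])
        renamed.append((ins[0],) + ops)
    return renamed


def detect(code: List[Instr], sig: List[Instr]) -> bool:
    """Signature matching after normalising both the code and the signature."""
    return signature_match(normalise(code), normalise(sig))


if __name__ == "__main__":
    print(signature_match(OBFUSCATED, SIGNATURE))   # False: raw signature defeated
    print(detect(OBFUSCATED, SIGNATURE))            # True: normalisation restores the match
    print(detect(STATE_DEPENDENT, SIGNATURE))       # False: state-dependent rewrite not undone
```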

The hardest challenge in deobfuscation is to extract the meaning of code that has been through virtualization obfuscation. The first step in doing this would have to be to reverse engineer the virtual machine, to get hold of the programming language that was used in the writing of the malicious code. The complexity of this task becomes clear when we consider the following two facts. First, the virtual machine may itself have been obfuscated through any or all of the mechanisms mentioned above. Second, many different programming paradigms have expressive power equal to that of a Turing machine. Logic programming, functional programming, and imperative programming are all considered in Sect. 9.3—but, in addition, we have algebraic programming [6] and Petri nets [13], to mention two of the more important. All of these paradigms can be implemented in a programming language in many different ways. Analysing the virtual machine itself is a task that can be made arbitrarily complex and the analysis must be completed before one can start analysing the operational part of the malware. This is a clear indication that we have a long way to go before the static analysis of program code can help us against a malicious equipment vendor.

Polymorphic and Metamorphic Malware

Given the weakness of oligomorphic malware and the obfuscation techniques described above, the next step in the development of advanced viruses should be obvious. A polymorphic virus is an encrypted virus that uses obfuscation techniques to generate an unlimited number of versions of its decryption loop. A well-designed polymorphic virus can thus not be fought by finding signatures for the decryptor. These viruses are therefore fought through deep analysis of one version of the decryptor so that the decryption key can be extracted. Thereafter, the body of the virus is decrypted and matched with an ordinary signature. Although polymorphic viruses require a great deal of human effort in their analysis, their automatic detection need not be too computationally heavy once analysed.

Metamorphic viruses are the most challenging. They are not necessarily based on encryption and, instead, employ obfuscation techniques throughout the entire body of the virus. This means that each new copy of the virus may have a different code sequence, structure, and length and may use a different part of the instruction set. Since the obfuscation techniques have to be executed automatically from one generation of the virus to the next, a metamorphic virus must carry out the following sequence of operations to mutate successfully:

  1. Identify its own location in storage media.

  2. Disassemble itself to prepare for analysis of the code.

  3. Analyse its own code, with little generic information passed along, since this information could be used in signature matching.

  4. Use obfuscation techniques to transform its own code based on the analysis above.

  5. Assemble the transformed code to create an executable for the new generation.

Efficient static methods for fighting metamorphic viruses have yet to be developed [14]. The fact that no two versions of them need share any syntactic similarities makes the task difficult, and it is made even harder by the fact that some of these viruses morph into different versions every time they run, even on the same computer.

Heuristic Approaches

Looking for malicious code through signatures has the obvious drawback that, for a signature to exist, the malicious code has to be analysed in advance [2]. This also means that the malware has to be known in advance. In the problem we are studying, this is rarely the case. If the malware were already known, we would know it had been inserted; thus, we would already know that the vendor in question was not to be trusted. We need to search for unknown code with malicious functionality and we therefore need to approach malware detection differently. Heuristic malware detection tries to do so by identifying features of the code whose frequency of occurrence can be expected to differ depending on whether the code is malicious or benign. The code in question is analysed for these features and a classification algorithm is used to classify the code as either malicious or benign.

The first classes of features that were considered were N-grams [1]. An N-gram is a code sequence of length N, where N is a given number. Although an N-gram, at first glance, looks exactly like a very simple signature, there are crucial differences. First, N is often a very low number, so the N-gram is very short in comparison with a signature. Second, unlike for signatures, we are not interested in the mere question of whether there is a match or not; rather, we are interested in how many matches there are. Heuristic methods based on N-grams extract a profile of how a set of N-grams occurs in the code under investigation. This profile is classified as either benign or malicious by a classifier. The complexity of classifiers varies greatly, from simple counts of the occurrence of features to advanced machine learning techniques.

Other heuristic approaches use so-called opcodes instead of N-grams [4]. An opcode is the part of an assembly instruction that identifies the operation itself, without the part that identifies the data on which it operates. The techniques that can be used for classifiers are more or less the same as those used for N-grams.
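As an added example (not code from the chapter), the block below combines the two preceding ideas: it reduces assembly text to opcodes, builds an N-gram frequency profile, and classifies with the simplest kind of classifier the text mentions, a distance to per-class average profiles. The x86-style training snippets, the unseen test snippets and the class labels are all constructed for this illustration and are not real samples.

```python
"""Opcode N-gram profiling with a count-based (nearest-centroid) classifier.

Constructed example: the 'benign' and 'malicious' corpora are tiny hand-written
x86-style snippets, so the result shows the mechanics, not real-world accuracy."""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

NGram = Tuple[str, ...]
Profile = Dict[NGram, float]


def opcodes(asm: str) -> List[str]:
    """Keep only the operation part of each instruction and drop the operands,
    so 'xor al, 0x5a' and 'xor bl, 0x17' both become 'xor'."""
    return [line.split()[0].lower() for line in asm.splitlines() if line.strip()]


def ngram_profile(tokens: Sequence[str], n: int) -> Profile:
    """Relative frequency of each N-gram: how often it occurs, not merely whether."""
    counts = Counter(tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1))
    total = sum(counts.values()) or 1
    return {g: c / total for g, c in counts.items()}


def centroid(profiles: List[Profile]) -> Profile:
    """Average profile of one class (Counter.update on a dict adds values)."""
    acc: Counter = Counter()
    for p in profiles:
        acc.update(p)
    return {g: v / len(profiles) for g, v in acc.items()}


def l1_distance(a: Profile, b: Profile) -> float:
    return sum(abs(a.get(k, 0.0) - b.get(k, 0.0)) for k in set(a) | set(b))


class NgramClassifier:
    def __init__(self, n: int = 2) -> None:
        self.n = n
        self.centroids: Dict[str, Profile] = {}

    def fit(self, labelled: Dict[str, List[str]]) -> None:
        for label, samples in labelled.items():
            self.centroids[label] = centroid(
                [ngram_profile(opcodes(s), self.n) for s in samples])

    def classify(self, asm: str) -> str:
        """Label of the class whose average profile is closest."""
        profile = ngram_profile(opcodes(asm), self.n)
        return min(self.centroids, key=lambda lab: l1_distance(profile, self.centroids[lab]))


# Constructed training corpora: ordinary function prologues/epilogues versus
# decryption-loop-shaped snippets of the kind the chapter says signatures target.
BENIGN = [
    "push rbp\nmov rbp, rsp\nsub rsp, 16\ncall printf\nadd rsp, 16\npop rbp\nret",
    "push rbp\nmov rbp, rsp\nmov eax, edi\nadd eax, esi\npop rbp\nret",
    "push rbp\nmov rbp, rsp\ncall malloc\nmov [rbp-8], rax\ncall free\npop rbp\nret",
]
MALICIOUS = [
    "mov ecx, 64\nmov al, [esi]\nxor al, 0x5a\nmov [esi], al\ninc esi\ndec ecx\njnz -12\njmp esi",
    "mov edx, 128\nmov bl, [edi]\nxor bl, 0x17\nmov [edi], bl\ninc edi\ndec edx\njnz -12\ncall edi",
    "xor ecx, ecx\nmov al, [esi+ecx]\nxor al, 0x33\nmov [esi+ecx], al\ninc ecx\ncmp ecx, 200\njne -14\njmp esi",
]

# Constructed unseen inputs. The suspect one shares no operands (registers,
# key, length) with the training data; only its opcode pattern matches.
UNSEEN_BENIGN = "push rbp\nmov rbp, rsp\nmov eax, 0\ncall puts\npop rbp\nret"
UNSEEN_SUSPECT = "mov ecx, 32\nmov al, [ebx]\nxor al, 0x7f\nmov [ebx], al\ninc ebx\ndec ecx\njnz -12\njmp ebx"


def demo() -> Dict[str, str]:
    clf = NgramClassifier(n=2)
    clf.fit({"benign": BENIGN, "malicious": MALICIOUS})
    return {"benign_sample": clf.classify(UNSEEN_BENIGN),
            "suspect_sample": clf.classify(UNSEEN_SUSPECT)}


if __name__ == "__main__":
    print(demo())   # {'benign_sample': 'benign', 'suspect_sample': 'malicious'}
```

Changing `n` or swapping `opcodes` for raw bytes turns the same pipeline into the byte N-gram approach the previous paragraph describes.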

A final class of features worth mentioning is that based on control flow graphs [5]. A control flow graph in its simplest form is a directed graph whose nodes represent the statements of the program and whose edges represent the flow of program control. From this graph, several features can be extracted, such as nodes, edges, subgraphs, and simplified subgraphs with collapsed nodes.

Heuristic approaches have had some significant success. Still, static versions of these have one major limitation when applied to our problem: since we can assume that a dishonest equipment vendor is well aware of the state of the art in heuristic analysis, we can also assume that the vendor has made an effort to develop code that will be wrongly classified. Given the flexibility of the code obfuscation techniques described above, this is unfortunately not very difficult to do [12]. For this reason, present research and commercial anti-malware products favour dynamic heuristics [7]. We return to this topic in the next chapter.

Malicious Hardware

The intense study of malicious software that has taken place over several decades has been mirrored in the hardware domain only to a limited extent. For a long time, this situation was a reasonable reflection of the state of threats. The development and manufacture of hardware components were assumed to be completely controlled by one company, and it was not suspected that any development team would deliberately insert unwanted functionality in the chips.

Both of these assumptions have now become irrelevant. Indeed, one topic of this book is exactly that of hardware vendors inserting unwanted functionality. Furthermore, the process of developing integrated circuits now involves many development teams from different companies. Putting together a reasonably advanced application-specific integrated circuit (ASIC) now largely consists of exactly that: putting together blocks of logic from different suppliers. These blocks can be simple microprocessors, microcontrollers, digital signal processors, or network processors. Furthermore, as we saw in Chap. 4, Trojans can be inserted through the design tools and in the fabrication as well [18].

Static analysis of ASICs is conducted in industry for a variety of reasons. The state of the art in the field is discussed in Sect. 6.7 to the extent that it is relevant to our discussions. In addition to full static analysis of the chip, several approaches require the execution of hardware functionality. For these methods, we refer the reader to Sect. 8.7.

Specification-Based Techniques

The most intuitively appealing approach to detecting malware inserted by an equipment vendor is to start with a specification of what the system should do. Thereafter, one analyses whether the system does only this or whether it does something else in addition. This approach is very close to the one that specification-based malware detection takes. Specification-based malware detection comprises a learning phase, where a set of rules defining valid behaviour is obtained. The code is then examined to assess whether it does only what is specified.

The main limitation of specification-based techniques is that a complete and accurate specification of all valid behaviours of a system is extremely work intensive to develop, even for moderately complex systems [9]. The amount of results in this area is therefore limited.

Discussion

The static detection of malware has had many success stories. In particular, early virus detection software was based almost exclusively on static detection. As the arms race between malware writers and malware detectors has progressed, we have unfortunately reached a situation in which static detection is no longer effective on its own. Obfuscation techniques have significantly reduced the value of signatures, and static heuristic approaches have not been able to close this gap.

The problem becomes even worse when we focus on dishonest equipment vendors rather than third-party attackers. All static methods require a baseline of non-infected systems for comparison. The whole idea behind signature-based malware detection is that it detects a previously known and analysed piece of malware, and this malware is not present in non-infected systems. If you want to check whether a vendor inserted malware into a system before you purchase it, the malware will not be known and analysed, and there will not be a non-infected system for comparison. This means that the analysis will have to encompass the entire system. We return to a discussion of the tractability of this task in Sect. 10.10. Heuristic methods suffer from the same shortcoming: there is no malware-free baseline on which heuristic methods can train their classifier.

Even after having painted this bleak picture, there is still hope in the further development of static approaches. We have argued that full deobfuscation is very hard and often an impossible task. Still, it is possible to detect the existence of obfuscated code to some extent. One approach is therefore to agree with the vendor that the code used in your equipment will never be obfuscated. The problem with this is that obfuscation is used for many benign purposes as well. In particular, it is used for the protection of intellectual property. The balance between the benefits and drawbacks of obfuscation in the formation of trust between customers and vendors of ICT equipment needs further investigation before one can conclude whether banning obfuscation is a feasible way forward.

What appears to be the most promising way forward for static approaches is a combination of specification-based techniques and proof-carrying code, which we will elaborate upon further in Sect. 9.8. Specification-based techniques have not been subject to the same amount of attention as the other techniques. Still, for our problem, they have one large advantage over the other methods: they do not require the existence of a clean system and they do not require the malware to have been identified and analysed beforehand. Proof-carrying code has the drawback of being costly to produce. Still, efforts in this area so far have been to provide proof that the code is correct. Our purpose will be somewhat different, in that we want to make certain that the code does not contain unwanted security-related functionality. Although this is not likely to make all issues go away, the combination of controlling the use of obfuscation, applying specification-based techniques, and requiring proof-carrying code on critical components has the potential to reduce the degrees of freedom for a supposedly dishonest equipment vendor.

In recent years, malware detection has been based on a combination of static methods such as those discussed in this chapter and dynamic methods based on observing the actions of executing code. Such dynamic methods are discussed in the next chapter.

References

  1. Abou-Assaleh, T., Cercone, N., Kešelj, V., Sweidan, R.: N-gram-based detection of new malicious code. In: Proceedings of the 28th Annual International Computer Software and Applications Conference, 2004. COMPSAC 2004, vol. 2, pp. 41–42. IEEE (2004)

  2. Bazrafshan, Z., Hashemi, H., Fard, S.M.H., Hamzeh, A.: A survey on heuristic malware detection techniques. In: 2013 5th Conference on Information and Knowledge Technology (IKT), pp. 113–120. IEEE (2013)

  3. Bencsáth, B., Pék, G., Buttyán, L., Felegyhazi, M.: The cousins of Stuxnet: Duqu, Flame, and Gauss. Future Internet 4(4), 971–1003 (2012)

  4. Bilar, D.: Opcodes as predictor for malware. Int. J. Electron. Secur. Digit. Forensics 1(2), 156–168 (2007)

  5. Bruschi, D., Martignoni, L., Monga, M.: Detecting self-mutating malware using control-flow graph matching. In: Detection of Intrusions and Malware & Vulnerability Assessment, pp. 129–143. Springer (2006)

  6. Didrich, K., Fett, A., Gerke, C., Grieskamp, W., Pepper, P.: OPAL: Design and implementation of an algebraic programming language. In: Programming Languages and System Architectures, pp. 228–244. Springer (1994)

  7. Dube, T., Raines, R., Peterson, G., Bauer, K., Grimaila, M., Rogers, S.: Malware target recognition via static heuristics. Comput. Secur. 31(1), 137–147 (2012)

  8. Egele, M., Scholte, T., Kirda, E., Kruegel, C.: A survey on automated dynamic malware-analysis techniques and tools. ACM Comput. Surv. 44(2), 1–42 (2012)

  9. Idika, N., Mathur, A.P.: A survey of malware detection techniques, vol. 48. Purdue University (2007)

  10. Langner, R.: Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur. Privacy 9(3), 49–51 (2011)

  11. Moser, A., Kruegel, C., Kirda, E.: Exploring multiple execution paths for malware analysis. In: IEEE Symposium on Security and Privacy, 2007. SP'07, pp. 231–245. IEEE (2007)

  12. Moser, A., Kruegel, C., Kirda, E.: Limits of static analysis for malware detection. In: Twenty-Third Annual Computer Security Applications Conference, 2007. ACSAC 2007, pp. 421–430. IEEE (2007)

  13. Murata, T.: Petri nets: properties, analysis and applications. Proceedings of the IEEE 77(4), 541–580 (1989)

  14. O'Kane, P., Sezer, S., McLaughlin, K.: Obfuscation: the hidden malware. IEEE Secur. Privacy 9(5), 41–47 (2011)

  15. Rad, B.B., Masrom, M., Ibrahim, S.: Camouflage in malware: from encryption to metamorphism. Int. J. Comput. Sci. Netw. Secur. 12(8), 74–83 (2012)

  16. Rolles, R.: Unpacking virtualization obfuscators. In: 3rd USENIX Workshop on Offensive Technologies (WOOT) (2009)

  17. Szor, P.: The Art of Computer Virus Research and Defense. Pearson Education (2005)

  18. Tehranipoor, M., Koushanfar, F.: A Survey of Hardware Trojan Taxonomy and Detection (2010)

  19. Virvilis, N., Gritzalis, D., Apostolopoulos, T.: Trusted computing vs. advanced persistent threats: Can a defender win this game? In: 2013 IEEE 10th International Conference on Ubiquitous Intelligence and Computing and 10th International Conference on Autonomic and Trusted Computing (UIC/ATC), pp. 396–403. IEEE (2013)

  20. You, I., Yim, K.: Malware obfuscation techniques: a brief survey. In: 2010 International Conference on Broadband, Wireless Computing, Communication and Applications, pp. 297–300. IEEE (2010)


Correspondence to Olav Lysne.


Copyright information

© 2018 The Author(s)


Cite this chapter

Lysne, O. (2018). Static Detection of Malware. In: The Huawei and Snowden Questions. Simula SpringerBriefs on Computing, vol four. Springer, Cham. https://doi.org/10.1007/978-3-319-74950-1_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-74949-5

  • Online ISBN: 978-3-319-74950-1

Source: https://link.springer.com/chapter/10.1007/978-3-319-74950-1_7
