Resilience of anti-malware programs to naïve modifications of malicious binaries

Mordechai Guri, Gabi Kedma, Assaf Kachlon, Yuval Elovici

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

1 Scopus citations

Abstract

The massive amounts of malware variants which are released each day demand fast in-lab analysis, along with fast in-field detection. Traditional malware detection methodology depends on either static or dynamic in-lab analysis to identify a suspicious file as malicious. When a file is identified as malware, the analyst extracts a structural signature, which is dispatched to subscriber machines. The signature should enable fast scanning, and should also be flexible enough to detect simple variants. In this paper we discuss 'naïve' variants which can be produced by a modestly skilled individual with publically accessible tools and knowhow which, if needed, can be found on the Internet. Furthermore, those variants can be derived directly from the malicious binary file, allowing anyone who has access to the binary file to modify it at his or her will. Modification can be automated, to produce large amounts of variants in short time. We describe several naïve modifications. We also put them to test against multiple antivirus products, resulting in significant decline of the average detection rate, compared to the original (unmodified) detection rate. Since the aforementioned decline may be related, at least in some cases, to avoidance of probable false positives, we also discuss the acceptable rate of false positives in the context of malware detection.

Original languageEnglish
Title of host publicationProceedings - 2014 IEEE Joint Intelligence and Security Informatics Conference, JISIC 2014
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages152-159
Number of pages8
ISBN (Electronic)9781479963645
DOIs
StatePublished - 4 Dec 2014
Event2014 IEEE Joint Intelligence and Security Informatics Conference, JISIC 2014 - The Hague, Netherlands
Duration: 24 Sep 201426 Sep 2014

Publication series

NameProceedings - 2014 IEEE Joint Intelligence and Security Informatics Conference, JISIC 2014

Conference

Conference2014 IEEE Joint Intelligence and Security Informatics Conference, JISIC 2014
Country/TerritoryNetherlands
CityThe Hague
Period24/09/1426/09/14

Keywords

  • crafty malware
  • false positive
  • malware analysis
  • malware detection
  • malware variants

Fingerprint

Dive into the research topics of 'Resilience of anti-malware programs to naïve modifications of malicious binaries'. Together they form a unique fingerprint.

Cite this