“VANILLA” malware: vanishing antiviruses by interleaving layers and layers of attacks

  • Marcus Botacin (corresponding author)
  • Paulo Lício de Geus
  • André Grégio
Original Paper

Abstract

Malware is a persistent threat to any networked system. The increase in multi-core, distributed systems in recent years has created new opportunities for malware authors to exploit such capabilities. In particular, the distributed execution of a malware sample across multiple cores may be used to evade the currently widespread single-core-based detectors (e.g., antiviruses, or AVs) and malware analysis solutions that are unable to correlate data from multiple sources. In this paper, we propose a technique for distributing the malware functions across several distinct “vanilla” processes to show that AVs can be easily evaded. Our technique thus allows malware to interleave layers of attacks and remain undetected by current AVs. Our goal is to expose a real menace and to discuss it so as to provide insights for the development of better AVs. We discuss the role of distributed and multi-core-based malware in current and future threat scenarios with practical examples that we specially crafted for testing (e.g., a distributed sample synchronized via cache side channels). We (i) review multi-threaded/multi-process implementation issues (from kernel and userland) and present a multi-core-based monitoring solution; (ii) present strategies for code distribution, exemplified via DLL injectors, and discuss their weak and strong points; and (iii) evaluate how real security solutions perform when exposed to distributed malware. We converted real, serial malware to parallel code and showed that current AVs are not fully able to detect multi-core malware.
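As an added example (not code from the paper), the following Python sketch models the evasion the abstract describes from the defender's side: a behaviour sequence that a conventional per-process detector would flag is split across three "vanilla" processes linked only by process creation and DLL injection, so no single trace matches, whereas a monitor that correlates traces along those links recovers the full sequence. The log format, action names and linkage model are constructed assumptions.

```python
from collections import defaultdict
# Ordered behaviour a conventional per-process detector looks for.
SIGNATURE = ("read_credentials", "net_connect", "delete_file")
# Constructed log "pid,action[,target]"; 100 spawns 101 and injects into 102, 200 is unrelated.
SAMPLE_LOG = [
    "100,create_process,101",
    "100,inject_dll,102",
    "101,read_credentials",
    "102,net_connect",
    "101,delete_file",
    "200,read_credentials",
]

def parse(lines):
    """Turn the constructed log lines into (pid, action, target_pid) tuples."""
    rows = [line.strip().split(",") for line in lines]
    return [(int(f[0]), f[1], int(f[2]) if len(f) > 2 else None) for f in rows]

def matches(actions):
    """True if SIGNATURE occurs as an ordered subsequence of actions."""
    it = iter(actions)
    return all(any(a == step for a in it) for step in SIGNATURE)

def per_process_detect(events):
    """Single-source view: pids whose own trace alone matches SIGNATURE."""
    traces = defaultdict(list)
    for pid, action, _ in events:
        traces[pid].append(action)
    return sorted(p for p, acts in traces.items() if matches(acts))

def link_groups(events):
    """Union-find over process-creation and DLL-injection edges."""
    up = {}
    def find(x):
        while up.get(x, x) != x:
            x = up[x]
        return x
    for pid, action, target in events:
        if action in ("create_process", "inject_dll"):
            up[find(pid)] = find(target)
    return find

def correlated_detect(events):
    """Multi-source view: merge linked traces in log order, then match."""
    find = link_groups(events)
    merged, members = defaultdict(list), defaultdict(set)
    for pid, action, _ in events:
        merged[find(pid)].append(action)
        members[find(pid)].add(pid)
    return [tuple(sorted(members[r])) for r, acts in merged.items() if matches(acts)]
```

On the constructed log, `per_process_detect` returns nothing while `correlated_detect` flags the group (100, 101, 102); the unrelated process 200 is not reported in either view.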

Keywords

Malware, Multi-core, DLL injection, Cache side-channel

Acknowledgements

This work was supported by the Brazilian National Counsel of Technological and Scientific Development (CNPq, PhD Scholarship, process 164745/2017-3) and the Coordination for the Improvement of Higher Education Personnel (CAPES, Project FORTE, Forensics Sciences Program 24/2014, process 23038.007604/2014-69).

Copyright information

© Springer-Verlag France SAS, part of Springer Nature 2019

Authors and Affiliations

  • Marcus Botacin (1, corresponding author)
  • Paulo Lício de Geus (2)
  • André Grégio (1)
  1. Federal University of Paraná, Curitiba-PR, Brazil
  2. University of Campinas, Campinas-SP, Brazil