Abstract
Malware often contains many system-resource-sensitive condition checks, for example to avoid duplicate infection of the same host, to make sure that required resources can be obtained, or to infect only targeted computers. If we can extract these system resource constraints from the malware's binary code and manipulate the environment state accordingly as a HoneyResource, we can deceive malware for defensive purposes, e.g., immunize a computer against infection, or trick malware into believing something. Towards this end, this chapter introduces our preliminary systematic study and a prototype system, AutoVac, for automatically extracting the system resource constraints from malware code and generating HoneyResources (e.g., malware vaccines) based on those system resource conditions.
Change history
01 February 2020
This book was inadvertently published as an authored work with the chapter authors mentioned in the footnotes of the chapter opening pages. This has now been updated and the chapter authors have been mentioned in the respective chapter opening pages as mentioned below:
References
Anubis: Analyzing Unknown Binaries. https://seclab.cs.ucsb.edu/academic/projects/projects/anubis/.
DynamoRIO. http://dynamorio.org/.
malc0de. http://malc0de.com/database/.
Virustotal. https://www.virustotal.com/.
Zeus Trojan horse. http://en.wikipedia.org/wiki/Zeus_(Trojan_horse).
T. Avgerinos, E. Schwartz, and D. Brumley. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In Proc. of IEEE S&P 2010.
A. Zeller. Isolating cause-effect chains from computer programs. In Proc. of the 10th ACM SIGSOFT Symposium on Foundations of Software Engineering, 2002.
U. Bayer, P. Milani, C. Hlauschek, C. Kruegel, and E. Kirda. Scalable, behavior-based malware clustering. In Proc. of NDSS’09, 2009.
D. Brumley, I. Jager, T. Avgerinos, and E. J. Schwartz. BAP: A binary analysis platform. In Proceedings of Computer Aided Verification (CAV), July 2011.
J. Caballero, P. Poosankam, C. Kreibich, and D. Song. Dispatcher: Enabling active botnet infiltration using automatic protocol reverse-engineering. In Proc. of ACM CCS’09, 2009.
Davide Canali, Andrea Lanzi, Davide Balzarotti, Christopher Kruegel, Mihai Christodorescu, and Engin Kirda. A quantitative study of accuracy in system call-based malware detection. In Proc. of International Symposium on Software Testing and Analysis, 2012.
L. Cavallaro, P. Saxena, and R. Sekar. On the limits of information flow techniques for malware analysis and containment. In DIMVA 2008.
M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-end containment of internet worms. In Proc. of SOSP’05, pages 133–147, Brighton, United Kingdom, 2005.
M. Fredrikson, S. Jha, M. Christodorescu, R. Sailer, and X. Yan. Synthesizing near-optimal malware specifications from suspicious behaviors. In Proc. of the 2010 IEEE Symposium on Security and Privacy, 2010.
S. T. King and P. M. Chen. Backtracking intrusions. In Proceedings of ACM Symposium on Operating Systems Principles, October 2003.
C. Kolbitsch, P. Milani Comparetti, C. Kruegel, E. Kirda, X. Zhou, and X. Wang. Effective and efficient malware detection at the end host. In Proc. of USENIX Security’09, 2009.
C. Kolbitsch, T. Holz, C. Kruegel, and E. Kirda. Inspector gadget: Automated extraction of proprietary gadgets from malware binaries. In Proc. S&P’10, 2010.
J. Zico Kolter and Marcus A. Maloof. Learning to detect and classify malicious executables in the wild. J. Mach. Learn. Res., 7:2721–2744, December 2006.
A. Lanzi, D. Balzarotti, C. Kruegel, M. Christodorescu, and E. Kirda. Accessminer: using system-centric models for malware protection. In Proc. of the 17th ACM CCS, 2010.
Z. Lin, X. Zhang, and D. Xu. Automatic reverse engineering of data structures from binary execution. In Proceedings of the 17th Annual Network and Distributed System Security Symposium (NDSS’10), San Diego, CA, February 2010.
L. Martignoni, E. Stinson, M. Fredrikson, S. Jha, and J. C. Mitchell. A layered architecture for detecting malicious behaviors. In RAID 2008.
A. Moser, C. Kruegel, and E. Kirda. Exploring Multiple Execution Paths for Malware Analysis. In Proc. S&P’07, 2007.
M. Sharif, A. Lanzi, J. Giffin, and W. Lee. Impeding malware analysis using conditional code obfuscation. In Proc. NDSS’08, 2008.
N. Johnson, J. Caballero, Z. Chen, S. McCamant, P. Poosankam, D. Reynaud, and D. Song. Differential slicing: Identifying causal execution differences for security applications. In Proceedings of the 2011 IEEE Symposium on Security and Privacy, 2011.
P. Porras, H. Saidi, and V. Yegneswaran. An Analysis of Conficker’s Logic and Rendezvous Points. http://mtc.sri.com/Conficker/, 2009.
I. Trestian, S. Ranjan, A. Kuzmanovic, and A. Nucci. Unconstrained Endpoint Profiling (Googling the Internet). In ACM SIGCOMM’08.
A. Wichmann and E. Gerhards-Padilla. Using infection markers as a vaccine against malware attacks. In Proc. of the 2nd workshop on Security of Systems and Software resiLiency, 2012.
J. Wilhelm and T. Chiueh. A forced sampled execution approach to kernel rootkit identification. In Proc. of RAID’07, 2007.
X. Hu, T. Chiueh, and K. G. Shin. Large-scale malware indexing using function-call graphs. In Proc. CCS’09, 2009.
Z. Xu, J. Zhang, G. Gu, and Z. Lin. AutoVac: Towards automatically extracting system resource constraints and generating vaccines for malware immunization. In Proceedings of the 33rd International Conference on Distributed Computing Systems (ICDCS’13), Philadelphia, July 2013.
X. Wang, Z. Li, J. Xu, M. Reiter, C. Kil, and J. Choi. Packet vaccine: black-box exploit detection and signature generation. In Proc. CCS’06, 2006.
Acknowledgements
An early version of this chapter appeared in ICDCS’13 [31]. This research is partially supported by NSF (Grant No. CNS-0954096), AFOSR (Grant No. FA9550-13-1-0077), and DARPA (Grant No. 12011593). All opinions, findings, and conclusions or recommendations expressed herein are those of the authors and do not necessarily reflect the views of NSF, AFOSR, or DARPA.
Copyright information
© 2019 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Xu, Z., Zhang, J., Lin, Z., Gu, G. (2019). Malware Deception with Automatic Analysis and Generation of HoneyResource. In: Al-Shaer, E., Wei, J., Hamlen, K., Wang, C. (eds) Autonomous Cyber Deception. Springer, Cham. https://doi.org/10.1007/978-3-030-02110-8_11
DOI: https://doi.org/10.1007/978-3-030-02110-8_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-02109-2
Online ISBN: 978-3-030-02110-8
eBook Packages: Computer Science (R0)