Feature-Distributed Malware Attack: Risk and Defence

  • Byungho Min
  • Vijay Varadharajan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8713)


Modern computing platforms have become more secure environments through defensive techniques such as application-level permissions and application whitelisting. In addition, anti-virus solutions are improving their detection techniques, in particular behaviour-based detection. To overcome these hurdles, adversaries have developed malware techniques that include the use of legitimate digital certificates; hence it is important to explore the offensive techniques that remain possible in such a security-improved environment.

In this paper, we first propose the new technique of feature-distributed malware, which dynamically distributes its features across multiple software components in order to bypass security mechanisms such as application whitelisting and the behavioural detection of anti-virus products. To evaluate our approach, we have implemented a tool that automatically generates such malware instances and have performed a series of experiments showing the risks posed by such advanced malware. We also propose an effective defence mechanism that prevents the loading of malicious components by utilising the digital certificates of software components. We have implemented a Windows service that provides this defence and evaluated it against the proposed malware. A further useful characteristic of our defence is that it can block the general abuse of legitimate digital certificates through dynamic software component loading.
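The defence described above decides, from the digital certificates involved, whether a dynamically loaded component belongs in a given process. As an added illustration that is not the paper's code and not its Windows service, the following PowerShell script applies one such policy to the modules a running process has already loaded. The policy (block unsigned or invalidly signed components, allow components whose signer matches the host binary's signer or an allow-listed signer, flag any other validly signed component for review), the allow-list entry, the script name and the helper function names are assumptions of this example; Get-Process and Get-AuthenticodeSignature are the only real cmdlets it relies on.

```powershell
# Added example, not code from the paper: audit the components a running Windows
# process has loaded and classify each one by its Authenticode signer.
# Policy assumed here (the paper does not state the policy of its service):
#   - unsigned or invalidly signed component        -> BLOCK
#   - signed by the same subject as the host binary -> allow
#   - signed by an allow-listed subject             -> allow
#   - signed by any other legitimate certificate    -> REVIEW
# The last case is the abuse of a legitimate certificate the abstract refers to:
# a valid signature alone does not make a component appropriate for this host.

param(
    [Parameter(Mandatory = $true)]
    [int]$ProcessId,

    # Hypothetical allow-list: signer subjects permitted to supply components
    # to any host. The Windows signer below is only an illustrative default.
    [string[]]$TrustedSigners = @(
        'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
    )
)

function Get-SignerSubject {
    # Returns the signer's subject DN for a validly signed file, otherwise $null.
    # Get-AuthenticodeSignature also resolves catalog-signed OS files.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return $null }
    return $sig.SignerCertificate.Subject
}

function Get-LoadVerdict {
    # Applies the assumed policy to one component.
    param([string]$Subject, [string]$HostSubject, [string[]]$AllowList)
    if (-not $Subject) { return 'BLOCK  (unsigned or invalid signature)' }
    if ($HostSubject -and $Subject -eq $HostSubject) { return 'allow  (same signer as host)' }
    if ($AllowList -contains $Subject) { return 'allow  (allow-listed signer)' }
    return 'REVIEW (valid but foreign signer)'
}

$proc = Get-Process -Id $ProcessId -ErrorAction Stop
if (-not $proc.Path) {
    throw "Cannot read the main executable path of PID $ProcessId (insufficient rights?)"
}
$hostSigner = Get-SignerSubject -Path $proc.Path

# Enumerating Modules needs a PowerShell host of the same bitness as the target
# and sufficient privileges; otherwise the property access fails or is incomplete.
foreach ($m in $proc.Modules) {
    if ($m.FileName -eq $proc.Path) { continue }   # skip the host binary itself
    $subject = Get-SignerSubject -Path $m.FileName
    [pscustomobject]@{
        Module  = $m.ModuleName
        Path    = $m.FileName
        Signer  = $subject
        Verdict = Get-LoadVerdict -Subject $subject -HostSubject $hostSigner -AllowList $TrustedSigners
    }
}
```

Run it as, for instance, `.\Audit-LoadedModules.ps1 -ProcessId (Get-Process notepad).Id` (the file name is hypothetical) from an elevated 64-bit PowerShell for 64-bit targets. Note that this is a post-hoc audit: a script that inspects modules already mapped into a process cannot prevent their loading, whereas the paper's service intervenes before a component is loaded. What the script shows is the decision a preventive control has to make at that point, and why an unsigned host (where `$hostSigner` is empty) conservatively pushes every foreign component into the allow-list or REVIEW outcomes rather than allowing it.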


Keywords: Security; Feature-Distribution; Malware; Software Component



Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Byungho Min (1)
  • Vijay Varadharajan (1)
  1. Advanced Cyber Security Research Centre, Department of Computing, Macquarie University, Sydney, Australia
