Advertisement

Partial Evaluation for Java Malware Detection

  • Ranjeet Singh
  • Andy KingEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8981)

Abstract

The fact that Java is platform independent gives hackers the opportunity to write exploits that can target users on any platform, which has a JVM implementation. To circumvent detection by anti-virus (AV) software, obfuscation techniques are routinely applied to make an exploit more difficult to recognise. Popular obfuscation techniques for Java include string obfuscation and applying reflection to hide method calls; two techniques that can either be used together or independently. This paper shows how to apply partial evaluation to remove these obfuscations and thereby improve AV matching. The paper presents a partial evaluator for Jimple, which is a typed three-address code suitable for optimisation and program analysis, and also demonstrates how the residual Jimple code, when transformed back into Java, improves the detection rates of a number of commercial AV products.

Keywords

Method Call Partial Evaluation Partial Evaluator Obfuscation Technique Binding Time Analysis 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

References

  1. 1.
    Rapid 7. Java Applet JMX Remote Code Execution (2013)Google Scholar
  2. 2.
    Rapid 7. Metasploit (2014)Google Scholar
  3. 3.
    Andersen, L.: Binding-time analysis and the taming of C pointers. In: PEPM, pp. 47–58. ACM (1993)Google Scholar
  4. 4.
    Braux, M., Noyé, J.: Towards partially evaluating reflection in Java. In: PEPM, pp. 2–11. ACM (2000)Google Scholar
  5. 5.
    Christodorescu, M., Jha, S., Kinder, J., Katzenbeisser, S., Veith, H.: Software transformations to improve malware detection. J. Comput. Virol. 3(4), 253–265 (2007)CrossRefGoogle Scholar
  6. 6.
    Collberg, C., Nagra, J.: Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection. Addison-Wesley, Boston (2009)Google Scholar
  7. 7.
    Dalla Preda, M., Christodorescu, M., Jha, S., Debray, S.: A Semantics-based Approach to Malware Detection. ACM TOPLAS, 30 (2008)Google Scholar
  8. 8.
    Einarsson, A., Nielsen, J.D.: A Survivor’s Guide to Java Program Analysis with Soot. Technical report (2008)Google Scholar
  9. 9.
    Flexeder, A., Petter, M., Seidl, H.: Side-effect analysis of assembly code. In: Yahav, E. (ed.) Static Analysis. LNCS, vol. 6887, pp. 77–94. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  10. 10.
    Giacobazzi, R., Jones, N.D., Mastroeni, I.: Obfuscation by partial evaluation of distorted interpreters. In: PEPM, pp. 63–72. ACM (2012)Google Scholar
  11. 11.
    Hirzel, M., Diwan, A., Hind, M.: Pointer analysis in the presence of dynamic class loading. In: Odersky, M. (ed.) ECOOP 2004. LNCS, vol. 3086, pp. 96–122. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  12. 12.
    Livshits, B., Whaley, J., Lam, M.S.: Reflection analysis for Java. In: Yi, K. (ed.) APLAS 2005. LNCS, vol. 3780, pp. 139–160. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  13. 13.
    McCabe, T.J.: A complexity measure. IEEE Trans. Softw. Eng. 2(4), 308–320 (1976)CrossRefzbMATHMathSciNetGoogle Scholar
  14. 14.
    National Institute of Standards and Technology. Vulnerability Summary for CVE-2013-3346 (2013)Google Scholar
  15. 15.
    OWASP. Metasploit Java Exploit Code Obfuscation and Antivirus Bypass/Evasion (CVE-2012-4681) (2013)Google Scholar
  16. 16.
    Park, J.-G., Lee, A.H.: Removing reflection from Java Programs using partial evaluation. In: Matsuoka, S. (ed.) Reflection 2001. LNCS, vol. 2192, pp. 274–275. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  17. 17.
    Schlumberger, J., Kruegel, C., Vigna, G.: Jarhead: analysis and detection of malicious Java applets. In: ACSAC, pp. 249–257. ACM (2012)Google Scholar
  18. 18.
    Shali, A., Cook, W.R.: Hybrid partial evaluation. In: OOPSLA, pp. 375–390. ACM (2011)Google Scholar
  19. 19.
    Sistemas, H.: VirusTotal Analyses Suspicious Files and URLs (2014). https://www.virustotal.com/
  20. 20.
    Valleé Rai, R., Hendren, L.J.: Jimple: Simplifying Java Bytecode for Analyses and Transformations. Technical report TR-1998-4. McGill University (1998)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.School of ComputingUniversity of KentKentUK

Personalised recommendations