• DocumentCode
    2554358
  • Title
    Abusing File Processing in Malware Detectors for Fun and Profit
  • Author
    Jana, Suman; Shmatikov, Vitaly
  • Author_Institution
    Univ. of Texas at Austin, Austin, TX, USA
  • fYear
    2012
  • fDate
    20-23 May 2012
  • Firstpage
    80
  • Lastpage
    94
  • Abstract
    We systematically describe two classes of evasion exploits against automated malware detectors. Chameleon attacks confuse the detectors' file-type inference heuristics, while werewolf attacks exploit discrepancies in format-specific file parsing between the detectors and actual operating systems and applications. These attacks do not rely on obfuscation, metamorphism, binary packing, or any other changes to malicious code. Because they enable even the simplest, easily detectable viruses to evade detection, we argue that file processing has become the weakest link of malware defense. Using a combination of manual analysis and black-box differential fuzzing, we discovered 45 new evasion exploits and tested them against 36 popular antivirus scanners, all of which proved vulnerable to various chameleon and werewolf attacks.
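    The following is an added illustration of the discrepancy the abstract describes, not code from the paper and not one of its 45 exploits. A naive detector infers the file type from the magic bytes at offset 0 and only unpacks archives it recognises as ZIP; the real consumer (Python's zipfile, which locates the central directory from the end of the file) tolerates prepended junk and opens the archive anyway. The marker string, the member name and the junk prefix are constructed for the example; the "hardened" detector simply parses the input the way the consumer does instead of trusting the type heuristic.

```python
import io
import zipfile

# Constructed marker standing in for a detection signature (not a real one).
SIGNATURE = b"MARKER-PAYLOAD-DO-NOT-RUN"


def build_archive(member_name: str, content: bytes) -> bytes:
    """Build a deflated ZIP so the member's bytes are not visible in the raw file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


def infer_type_by_magic(data: bytes) -> str:
    """Naive file-type inference: only looks at the magic bytes at offset 0."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"%PDF"):
        return "pdf"
    return "unknown"


def naive_detector(data: bytes) -> bool:
    """Dispatch on the inferred type; return True if the signature is found."""
    kind = infer_type_by_magic(data)
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(SIGNATURE in zf.read(name) for name in zf.namelist())
    # Anything the heuristic does not recognise is scanned as opaque bytes,
    # so compressed archive members are never looked at.
    return SIGNATURE in data


def application_extract(data: bytes) -> dict:
    """Stand-in for the real consumer. zipfile finds the end-of-central-directory
    record by scanning from the end, so a file with prepended junk still opens."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def hardened_detector(data: bytes) -> bool:
    """Parse the way the consumer does: try the ZIP parser regardless of the magic."""
    if SIGNATURE in data:
        return True
    try:
        members = application_extract(data)
    except zipfile.BadZipFile:
        return False
    return any(SIGNATURE in body for body in members.values())


def make_sample() -> bytes:
    """Constructed sample: junk prepended to a valid archive carrying the marker."""
    return b"JUNK-HEADER-" * 4 + build_archive("payload.txt", SIGNATURE * 8)


if __name__ == "__main__":
    sample = make_sample()
    print("inferred type:", infer_type_by_magic(sample))
    print("naive detector flags it:", naive_detector(sample))
    print("application sees marker:", SIGNATURE in application_extract(sample)["payload.txt"])
    print("hardened detector flags it:", hardened_detector(sample))
```

    The same archive without the junk prefix is caught by the naive detector, which is the point: nothing about the payload changed, only the bytes the type heuristic looks at.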
  • Keywords
    file organisation; inference mechanisms; invasive software; operating systems (computers); program testing; abusing file processing; antivirus scanners; automated malware detectors; black-box differential fuzzing; chameleon attacks; file processing; file-type inference heuristics; format-specific file parsing; fun-and-profit; malware defense; manual analysis; operating systems; werewolf attacks; Detectors; HTML; Linux; Malware; Semantics; Testing; Viruses (medical);
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Security and Privacy (SP), 2012 IEEE Symposium on
  • Conference_Location
    San Francisco, CA
  • ISSN
    1081-6011
  • Print_ISBN
    978-1-4673-1244-8
  • Electronic_ISBN
    1081-6011
  • Type
    conf
  • DOI
    10.1109/SP.2012.15
  • Filename
    6234406