Research Article

Weaknesses of signature-based and dynamic analysis methods in malware detection: A case study

Year 2022, Volume: 37 Issue: 1, 305 - 316, 10.11.2021
https://doi.org/10.17341/gazimmfd.668290

Abstract

Malware continues to affect many computers today because of its ongoing evolution. Since the aim of malware is to manipulate target systems, many methods have been developed to evade antivirus software, which is one of the largest obstacles to that aim. This study shows that a benign program, manipulated with an experimental method consisting of code injection, anti-dynamic modification and encryption steps, can largely evade antivirus software based on signature and dynamic analysis. The Notepad++ text editor was used as the benign program, the Metasploit vulnerability analysis and testing framework to generate the malicious code, the OllyDbg debugger for the anti-dynamic modification, and the VirusTotal platform for malware analysis. According to the VirusTotal results, the malicious code injected into the benign program was initially detected by 30/67 antivirus engines, but after anti-dynamic modification and encryption were applied this figure dropped to 9/67 and 4/66 respectively. In summary, many antivirus products were found to be evadable by different anti-detection methods. This result shows that different security approaches, such as sandbox technology, are needed alongside current antivirus solutions.




Details

Primary Language Turkish
Subjects Engineering
Journal Section Articles
Authors

Derviş Aygör 0000-0002-9020-6947

Ertuğrul Aktan 0000-0002-3404-3936

Publication Date November 10, 2021
Submission Date December 31, 2019
Acceptance Date June 4, 2021
Published in Issue Year 2022 Volume: 37 Issue: 1

Cite

APA Aygör, D., & Aktan, E. (2021). Kötücül yazılımların tespitinde imza temelli ve dinamik analiz yöntemlerinin zayıflıkları: Örnek olay çalışması. Gazi Üniversitesi Mühendislik Mimarlık Fakültesi Dergisi, 37(1), 305-316. https://doi.org/10.17341/gazimmfd.668290
AMA Aygör D, Aktan E. Kötücül yazılımların tespitinde imza temelli ve dinamik analiz yöntemlerinin zayıflıkları: Örnek olay çalışması. GUMMFD. November 2021;37(1):305-316. doi:10.17341/gazimmfd.668290
Chicago Aygör, Derviş, and Ertuğrul Aktan. “Kötücül yazılımların Tespitinde Imza Temelli Ve Dinamik Analiz yöntemlerinin zayıflıkları: Örnek Olay çalışması”. Gazi Üniversitesi Mühendislik Mimarlık Fakültesi Dergisi 37, no. 1 (November 2021): 305-16. https://doi.org/10.17341/gazimmfd.668290.
EndNote Aygör D, Aktan E (November 1, 2021) Kötücül yazılımların tespitinde imza temelli ve dinamik analiz yöntemlerinin zayıflıkları: Örnek olay çalışması. Gazi Üniversitesi Mühendislik Mimarlık Fakültesi Dergisi 37 1 305–316.
IEEE D. Aygör and E. Aktan, “Kötücül yazılımların tespitinde imza temelli ve dinamik analiz yöntemlerinin zayıflıkları: Örnek olay çalışması”, GUMMFD, vol. 37, no. 1, pp. 305–316, 2021, doi: 10.17341/gazimmfd.668290.
ISNAD Aygör, Derviş - Aktan, Ertuğrul. “Kötücül yazılımların Tespitinde Imza Temelli Ve Dinamik Analiz yöntemlerinin zayıflıkları: Örnek Olay çalışması”. Gazi Üniversitesi Mühendislik Mimarlık Fakültesi Dergisi 37/1 (November 2021), 305-316. https://doi.org/10.17341/gazimmfd.668290.
JAMA Aygör D, Aktan E. Kötücül yazılımların tespitinde imza temelli ve dinamik analiz yöntemlerinin zayıflıkları: Örnek olay çalışması. GUMMFD. 2021;37:305–316.
MLA Aygör, Derviş and Ertuğrul Aktan. “Kötücül yazılımların Tespitinde Imza Temelli Ve Dinamik Analiz yöntemlerinin zayıflıkları: Örnek Olay çalışması”. Gazi Üniversitesi Mühendislik Mimarlık Fakültesi Dergisi, vol. 37, no. 1, 2021, pp. 305-16, doi:10.17341/gazimmfd.668290.
Vancouver Aygör D, Aktan E. Kötücül yazılımların tespitinde imza temelli ve dinamik analiz yöntemlerinin zayıflıkları: Örnek olay çalışması. GUMMFD. 2021;37(1):305-16.