2012, Proceedings of the 2012 ACM conference on Computer and communications security
Inspired by biological vaccines, we explore the possibility of developing similar vaccines for malware immunization. We provide the first systematic study in this direction and present a prototype system, AGAMI, for automatic generation of vaccines for malware immunization. With a novel use of several dynamic malware analysis techniques, we show that it is possible to extract a lightweight vaccine from current malware, and after injecting such a vaccine on clean machines, they become immune to future infection by the same malware family. We evaluate AGAMI on a large set of real-world malware samples and successfully extract working vaccines for many families such as Conficker and Zeus. We believe it is an appealing complementary technique to existing malware defense solutions.
2013 IEEE 33rd International Conference on Distributed Computing Systems, 2013
Malware often contains many system-resource-sensitive condition checks to avoid duplicate infection, make sure it obtains required resources, or infect only targeted computers, etc. If we are able to extract the system resource constraints from malware code and manipulate the environment state as vaccines, we would then be able to immunize a computer against infection. Towards this end, this paper provides the first systematic study and presents a prototype system, AUTOVAC, for automatically extracting the system resource constraints from malware code and generating vaccines based on the system resource conditions. Specifically, by monitoring the data propagation from system-resource-related system calls, AUTOVAC automatically identifies the environment-related state of a computer. By analyzing the environment state, AUTOVAC automatically generates vaccines. Such vaccines can then be injected into other computers, which thereby become immune to future infection by the same malware or its polymorphic variants. We have evaluated AUTOVAC on a large set of real-world malware samples and successfully extracted working vaccines for many families including the high-profile Conficker, Sality and Zeus. We believe AUTOVAC represents an appealing technique to complement existing malware defenses.
The massive amount of malware created every day makes malware detection a significant process for protecting data and systems. The methods used vary from signature-based to behavior-based, and from static to dynamic detection. Detection accuracy is the main obstacle facing researchers in this field. The artificial immune system is one of the methods used frequently these days because of its ability to simulate the human immune system and take advantage of its strength in the detection of diseases. In this paper we introduce a dynamic hybrid signature/behavior-based model by applying the innate immune system to enhance detection accuracy. The proposed model uses the portable executable (PE) file representation and API call logs extracted from the Windows environment because of the widespread use of this type of file across platforms. The results show that the proposed model achieves better performance in the detection of known malware, new unknown malware and polymorphic malware.
Journal of advances in information technology, 2024
attackers and defenders makes the malware ecosystem highly volatile, dynamic, stochastic, and unpredictable. The volatility of the ecosystem means that both attackers and defenders are innovating to outwit each other, which requires regular evaluation to establish gaps for remediation. In this paper, the aim was to establish current malware trends, the comparative weaknesses and strengths of existing malware defenses, the identification of research gaps and a proposal of future directions for malware defense. We adopted a scoping review with empirical case studies using data from extant literature and industrial sources for the study. The results revealed that current malware is targeted, unknown, persistent and stealthy and is increasing in volume, variety and complexity. Attackers adopt innovative modes of transmission to spread malware from one network to another and use both anti-static and advanced forms of obfuscation to evade detection. The poor adaptability, learnability, memorability and generalizability of signature-based detection methods (static, dynamic, hybrid) makes ML algorithms the state of the art, but they also show instability in classification, poor and redundant features, class imbalance and the associated "accuracy paradox", and poor resilience in detecting previously unknown malware. Additionally, user and organizational vulnerabilities also exacerbate the defense challenge. The paper concluded that with the increasing sophistication of malware, ensuring holistic malware defense requires novel techniques that address these gaps. This implies that current research should refocus on providing hybrid defense approaches that are not only technical in nature but also non-technical, leading to improved holistic malware defense.
IEEE Transactions on Dependable and Secure Computing, 2020
A promising avenue for improving the effectiveness of behavioral-based malware detectors is to leverage two-phase detection mechanisms. An existing problem in two-phase detection is that after the first phase produces a borderline decision, suspicious behaviors are not well contained before the second phase completes. This paper improves CHAMELEON, a framework to realize the uncertain environment. CHAMELEON offers two environments: standard, for software identified as benign by the first phase, and uncertain, for software that received a borderline classification from the first phase. The uncertain environment adds obstacles to software execution through random perturbations applied probabilistically. We introduce a dynamic perturbation threshold that can target malware disproportionately more than benign software. We analyzed the effects of the uncertain environment by manually studying 113 software and 100 malware samples, and found that 92% of malware and 10% of benign software were disrupted during execution. The results were then corroborated by an extended dataset (5,679 Linux malware samples) on a newer system. Finally, a careful inspection of the benign software crashes revealed some software bugs, highlighting CHAMELEON's potential as a practical complementary anti-malware solution.
2008 Ninth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing, 2008
Malicious code is a threat to computer systems globally. In this paper, we outline the evolution of malicious code attacks. The threat is evolving, leaving challenges for attackers to improve attack techniques and for researchers and security specialists to improve detection accuracy. We present a novel architecture for an effective defense against malicious code attack, inspired by the human immune system. We introduce two phases of program execution: Adolescent and Mature Phase. The first phase uses a malware profile matching mechanism, whereas the second phase uses a program profile matching mechanism. Both mechanisms are analogous to the innate immune system.
Proc. of the 19th Usenix …, 2010
Despite the widespread deployment of malware-detection software, in many situations it is difficult to preemptively block a malicious program from infecting a system. Rather, signatures for detection are usually available only after malware have started to infect a large group ...
2008 IEEE International Conference on Dependable Systems and Networks With FTCS and DCC (DSN), 2008
Many threats that plague today's networks (e.g., phishing, botnets, denial of service attacks) are enabled by a complex ecosystem of attack programs commonly called malware. To combat these threats, defenders of these networks have turned to the collection, analysis, and reverse engineering of malware as mechanisms to understand these programs, generate signatures, and facilitate cleanup of infected hosts. Recently, however, new malware instances have emerged with the capability to check for and often thwart these defensive activities, essentially leaving defenders blind to their activities. To combat this emerging threat, we have undertaken a robust analysis of current malware and developed a detailed taxonomy of malware defender fingerprinting methods. We demonstrate the utility of this taxonomy by using it to characterize the prevalence of these avoidance methods, to generate a novel fingerprinting method that can assist malware propagation, and to create an effective new technique to protect production systems.
2010
Rapid malicious codes (malcodes) are self-replicating malicious programs that represent a major security threat to the Internet. Fast monitoring and early warning systems are essential to prevent rapid malcodes from spreading. The difficulty in detecting malcodes is that they evolve over time. Although signature-based tools such as network intrusion detection systems are widely used to protect critical systems, traditional signature-based malcode detectors fail to detect obfuscated and previously unseen malcode executables. Automatic signature generation techniques are needed to augment these tools due to the speed at which new vulnerabilities are discovered. In particular, we need automated techniques which generate signatures without mistakenly blocking legitimate traffic or increasing false alarms. This work investigates a technique for automatically generating sound vulnerability signatures for novel rapid malcodes. In this paper, rapid malcode signatures are automatically generated based on their spreading behavior, specifically aimed at automatically extracting and deploying signatures at the packet level, without the need for reassembly, so that they can be used by signature-based firewalls and network intrusion detection systems. Evaluation on the Universiti Teknologi Malaysia network corpus shows higher detection accuracy at 87% compared to 56% for Snort signatures. Moreover, false negatives are reduced to 14% compared to 78% for Snort signatures.
Proceedings of the 29th Annual ACM Symposium on Applied Computing - SAC '14, 2014
The analogies between computer malware and biological viruses are more than obvious. The very idea of an artificial ecosystem where malicious software can evolve and autonomously find new, more effective ways of attacking legitimate programs and damaging sensitive information is both terrifying and fascinating. The paper proposes two different ways of exploiting an evolutionary algorithm to devise malware: the former targeting heuristic-based antivirus scanners; the latter optimizing a Trojan attack. Testing the stability of a system against attacks, or checking the reliability of the heuristic scan of anti-virus software, could be interesting for the research community and advantageous to the IT industry. Experimental results show the feasibility of the proposed approaches on simple real-world test cases. A short paper on the same subject appeared at the 29th Symposium On Applied Computing (SAC'14).
a testbed would allow one to examine a program to ascertain if it is suspicious. This paper proposes an environment for detecting many types of malicious code, including computer viruses, Trojan horses, and time/logic bombs. This malicious code testbed (MCT) is based upon both static and dynamic analysis tools developed at the University of California, Davis, which have been shown to be effective against certain types of malicious code. The testbed extends the usefulness of these tools by using them in a complementary fashion to detect more general cases of malicious code. Perhaps more importantly, the MCT allows administrators and security analysts to check a program before installation, thereby avoiding any damage a malicious program might inflict. Keywords: Detection of Malicious Code, Static Analysis, Dynamic Analysis.
In the following section we present a taxonomy of malicious code with examples. Following the taxonomy, we discuss many of the known methods of coping with malicious code. We then summarize the progress which has been made at UC Davis. Finally, we propose the idea of the malicious code testbed, which combines this previous work into a more effective system.
2 Taxonomy of Malicious Code
Computer security should insure that no unauthorized actions are carried out on a computer system. Security is violated when someone succeeds in retrieving data without authorization, destroying or altering data be
Malware is one of the most dangerous security threats in today's world of fast-growing technology. Now, it is not impossible to remotely lock down a system's files for ransom even when it is located overseas. This threat was accelerated when the world was introduced to cryptocurrency (e.g., Bitcoin). It allowed the attackers to hide their tracks more efficiently. From a simple idea of testing the efficiency of a computer system to the most critical and sophisticated cyber-attacks, malware has evolved over the years and appeared from time to time. Even with the smartest technologies today, where we are trying to include machine learning and deep learning in every field of our lives, the attackers are already developing more sophisticated malware using the same machine learning and deep learning techniques. This raises the question of the security of the cyber-world and how we are able to protect it. In this work, we present an analysis of a recent and most critical Windows malware called "LockerGoga". Both static and dynamic analyses are performed on the malware to understand its behavior and characteristics.
2006
Unbeknownst to many computer users, their machines are running malware. Others are aware that strange software inhabits their machine, but cannot get rid of it. In this paper, we present Manitou, a system that provides users with the ability to assign, track and revoke execution privileges for code, regardless of the integrity and type of operating system the machine is using. Manitou is implemented within a hypervisor and uses the per-page permission bits to ensure that any code contained in an executable page corresponds to authorized code. Manitou authenticates code by taking a cryptographic hash of the content of a page right before executing code contained in that page. Our system guarantees that only authorized code can be run on the system.
ACM Queue, 2010
The Internet has enabled malware to progress to a much broader distribution model and is experiencing a huge explosion of individual threats. There are automated tools that find vulnerable sites, attack them, and turn them into distribution sites. As commerce and the business of daily living migrate online, attacks to leverage information assets for ill-gotten benefit have increased dramatically. Security professionals are seeing more sophisticated and innovative profit models on par with business models seen in the legitimate world. Often a machine's infection signature is unique and completely different from any other, making effective defense all the more difficult to achieve. Some studies have shown that 12 percent of all PCs on the Internet are malware infected, while the infection rate of the consumer-facing PC sector is closer to 25 percent. This difference reflects successful security efforts by IT professionals to secure the nonconsumer PC sector and shows that there are mechanisms to reduce overall infection risk. Though not intended to replace the in-depth discussion of malware defense by the ACM CTO Roundtable, the following overview should help readers understand the basic scope of the threats in play today and provide a framework to address them and minimize the overall risk of compromise. Many types of malware and payloads exist, but two types in particular cause concern in the consumer and enterprise space. Both capture personal information; some are opportunistic in nature, do not target any specific individual, and are designed to go after anyone who happens to be ensnared, while others focus on specific "high-value" targets. By far the majority of common security issues for end users are the former, and these types of threats typically try to make money by stealing information or resources from the end-user machine. Standard practices such as patching, an up-to-date security suite, and strong passwords go a long way toward protecting against these threats.
2010
Malware detection and prevention methods are increasingly becoming necessary for computer systems connected to the Internet. Traditional signature-based detection of malware fails for metamorphic malware, which changes its code structurally while maintaining functionality at the time of propagation. This category of malware is called metamorphic malware. In this paper we dynamically analyze the executables produced by various metamorphic generators through an emulator by tracing API calls. A signature is generated for an entire malware class (each class representing a family of viruses generated by one metamorphic generator) instead of for individual malware samples. We show that most metamorphic viruses of the same family are detected by the same base signature. Once a base signature for a particular metamorphic generator is generated, all the metamorphic viruses created by that tool are easily detected by the proposed method. A Proximity Index between the various metamorphic generators has been proposed to determine how similar two or more generators are.
As in the real world, in the virtual world too there are people who want to take advantage of you by exploiting you, whether for your money, your status or your personal information, etc. MALWARE helps these people accomplish their goals. The security of modern computer systems depends on the ability of users to keep software, the OS and antivirus products up to date. To protect legitimate users from these threats, I made a tool (ADVANCE DYNAMIC MALWARE ANALYSIS USING API HOOKING) that will inform you about every task that software (malware) is doing on your machine at run-time.
Index Terms— API Hooking, Hooking, DLL injection, Detour
2010
MULUKUTLA, VIKRAM. Wolfsting: Extending Online Dynamic Malware Analysis Systems by Engaging Malware. (Under the direction of Dr. Douglas S. Reeves). Malware has evolved into a major threat to both personal and business computing, with professional programmers being hired to create highly customizable and targeted malware packages. Malware analysis research has also evolved from simple signature based schemes to sophisticated static, dynamic and hybrid analysis methods that can detect and classify malicious behavior. A useful class of tools, termed online dynamic malware analyzers, is used by researchers to generate detailed reports of malware binary execution. These tools consist of virtualized or emulated environments wherein a binary executable is run and every system call invoked by processes spawned by the executable within the analysis system is recorded. It is desirable to combine the positive aspects of low overhead and ease of use found in online dynamic malware analyzers with the key goal of eliciting more identifiable and traceable malicious behavior. To this end, we present Wolfsting, a fully automated dynamic analysis system that incorporates virtualization technology, kernel level system call hooking and a unique method of comparing system calls from isolated executions of a malware instance. Wolfsting augments bare-bones operating system installations normally used in online malware dynamic analysis systems to contain the exact environment that malware processes look for, in terms of OS objects such as files, processes and system configuration settings. Wolfsting also simulates a user attempting to remove malware from a system with the intent of eliciting defensive behavior from malware such as disabling antivirus and anti-malware functionality. 
Results show that by presenting such an environment to malware processes, Wolfsting is able to force recent and infamous malware instances such as ZBot to execute more of their malicious codebase, with a fixed analysis time and low runtime overhead.
2010
Malicious code detection and removal is critical to the security of a computer system. Virus scanners rely on a database of known signatures for viruses and malware for detection. This research paper presents novel methodologies and tools to dynamically detect any malicious code present on a Windows-based machine, which can be used as a preventive measure to protect the system from being infected. Malicious code analysis can be static or dynamic. Dynamic code analysis has an edge over static code analysis because the instructions are analyzed at runtime; thus polymorphic malware can also be detected. The work presented in this paper uses a newly designed dynamic code technique in conjunction with a developed minifilter driver for malware detection. It runs in a virtual environment to perform the analysis, thus making it impossible for malware to detect the presence of the developed tool. The minifilter driver is used to monitor Windows API calls and registry changes and used to gen...
Lecture Notes in Computer Science, 2014
A critical challenge when combating malware threat is how to efficiently and effectively identify the targeted victim's environment, given an unknown malware sample. Unfortunately, existing malware analysis techniques either use a limited, fixed set of analysis environments (not effective) or employ expensive, time-consuming multi-path exploration (not efficient), making them not well-suited to solve this challenge. As such, this paper proposes a new dynamic analysis scheme to deal with this problem by applying the concept of speculative execution in this new context. Specifically, by providing multiple dynamically created, parallel, and virtual environment spaces, we speculatively execute a malware sample and adaptively switch to the right environment during the analysis. Interestingly, while our approach appears to trade space for speed, we show that it can actually use less memory space and achieve much higher speed than existing schemes. We have implemented a prototype system, GOLDENEYE, and evaluated it with a large real-world malware dataset. The experimental results show that GOLDENEYE outperforms existing solutions and can effectively and efficiently expose malware's targeted environment, thereby speeding up the analysis in the critical battle against the emerging targeted malware threat.