Abstract
While several prior works have tested the resilience of antiviruses (AVs) to obfuscation techniques, none has studied AVs as a whole, that is, including their modern components (e.g., emulators, heuristics). As a matter of fact, it is still unclear how AVs work internally. In this paper, we investigate the current state of AVs by proposing a methodology to explore their capabilities in a black-box fashion. First, we craft samples that trigger specific components of an AV engine; then we leverage the detection outcome and the assigned label as a side channel to infer how those components work. To do this, we developed crAVe, a framework that automatically tests and explores the capabilities of generic AV engines. Finally, we tested and explored commercial AVs and obtained interesting insights into how they leverage their internal components.
Notes
- 1.
- 2.
- 3.
SHA256: 06c62c4cb38292fb35f2c2905fce2d96f59d2d461fa21f7b749febfed3ef968d.
Acknowledgements
This work has been supported by the Italian Ministry of University and Research FIRB project FACE (Formal Avenue for Chasing malwarE), grant agreement N. RBFR13AJFT, and by the European Union's Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement N. 690972.
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Quarta, D., Salvioni, F., Continella, A., Zanero, S. (2018). Extended Abstract: Toward Systematically Exploring Antivirus Engines. In: Giuffrida, C., Bardin, S., Blanc, G. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2018. Lecture Notes in Computer Science(), vol 10885. Springer, Cham. https://doi.org/10.1007/978-3-319-93411-2_18
DOI: https://doi.org/10.1007/978-3-319-93411-2_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-93410-5
Online ISBN: 978-3-319-93411-2
eBook Packages: Computer Science, Computer Science (R0)