Breaking Good: Injecting Legitimate Payloads into Malicious Binaries to Test Antivirus Robustness against Evasion

  • Gabriel Lüders UFPR
  • Marcus Botacin UFPR
  • Fabrício Ceschin UFPR
  • André Grégio UFPR

Abstract


Antiviruses (AVs) are important defensive solutions (very often the only available way to protect a system against threats). Therefore, AV testing should consider multiple other aspects than just the detection rate accomplished from known-bad samples scanning. Although the detection rate is a popular metric, AVs resistance against attacks to their own engines is usually overlooked. To bridge this gap, we present a solution able to generate evasive samples, i.e., malware disguised as benign software, and submit them to a committee of AVs so as to verify their robustness. We implemented our proposed solution in Python, enabling multiple techniques for payload injection on it, either into malicious files, as well as into benign ones.

Published: 2020-10-13

LÜDERS, Gabriel; BOTACIN, Marcus; CESCHIN, Fabrício; GRÉGIO, André. Breaking Good: Injeção de Payloads Legítimos em Binários Maliciosos para Teste de Robustez de Antivírus contra Evasão. In: TOOLS - BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 20., 2020, Evento Online. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2020. p. 80-87. DOI: https://doi.org/10.5753/sbseg_estendido.2020.19273.
