Instruction-Level Steganography for Covert Trigger-Based Malware - (Extended Abstract)

@inproceedings{Andriesse2014InstructionLevelSF,
  title={Instruction-Level Steganography for Covert Trigger-Based Malware - (Extended Abstract)},
  author={Dennis Andriesse and Herbert Bos},
  booktitle={International Conference on Detection of intrusions and malware, and vulnerability assessment},
  year={2014},
  url={https://api.semanticscholar.org/CorpusID:4634611}
}
This work introduces a new code hiding approach for trigger-based malware, which conceals malicious code inside spurious code fragments in such a way that it is invisible to disassemblers and static backdoor detectors.

20 Citations

The ROP needle: hiding trigger-based injection vectors via code reuse

A stealthy injection vector design approach based on Return Oriented Programming (ROP) code reuse that provides the ability to defer the specification of the malicious behavior until the attack is struck, allowing fine-grained targeting of the malware and reuse of the same infection vector for delivering multiple payloads over time.

Data Hiding Using Code Obfuscation

Results confirm that the core idea of the proposed information hiding method is to replace some randomly generated strings being a part of the introduced dead code with the encoded secret message, which can be easily adopted for data hiding, thus countermeasures need to be adjusted accordingly.

Practical Enclave Malware with Intel SGX

This work practically demonstrates the first enclave malware which fully and stealthily impersonates its host application, demystifies the enclave malware threat, and lays the ground for future research on defenses against enclave malware.

Exploiting Trust in Deterministic Builds

The problem of crafting hidden code that is difficult to detect, both during code reviews of the source code and during static analysis of the binary executable, is addressed, and it is shown that the displacement and immediate fields of an instruction can be used to embed hidden code directly from the C programming language.

On Offensive and Defensive Methods in Software Security

This thesis presents new methods contributing to the area of software security, where the offensive methods mostly deal with how an attacker can embed malicious code in a stealthy manner, and the defensive methods aim at detecting some form of attack.

On the Dissection of Evasive Malware

BluePill offers a customizable execution environment that remains stealthy when analysts intervene to alter instructions and data or run third-party tools, is extensible to counteract newly encountered anti-analysis measures using insights from the dissection, and can accommodate program analyses that aid analysts, as the authors explore for taint analysis.

Backdoor detection systems for embedded devices

This thesis presents two backdoor detection methodologies, as well as corresponding tools which implement those approaches, and demonstrates that their approaches are capable of analysing device firmware at scale and can be used to discover previously undocumented real-world backdoors.

Return-Oriented Programming on RISC-V

This paper provides the first analysis on the feasibility of Return-Oriented programming (ROP) on RISC-V, a new instruction set architecture targeting embedded systems. We show the existence of a new

CAVAEva: An Engineering Platform for Evaluating Commercial Anti-malware Applications on Smartphones

CAVAEva, an engineering platform for commercial anti-malware application evaluation, is designed, in which users/researchers have the capability to configure the platform based on their needs and requirements, and experimental results demonstrate the potential utility of the platform in evaluating commercial anti-malware software in a real-world smartphone deployment.

Backdoors: Definition, Deniability and Detection

A framework for reasoning about backdoors through four key components is presented, which allows them to be modelled succinctly and provides a means of rigorously defining the process of their detection and the notion of deniability in regard to backdoor implementations.

20 References

Impeding Malware Analysis Using Conditional Code Obfuscation

This work has implemented a compiler-level tool that takes a malware source program and automatically generates an obfuscated binary and provides insight into the strengths, weaknesses, and possible ways to strengthen current analysis approaches in order to defeat this malware obfuscation technique.

Towards reducing the attack surface of software backdoors

This paper applies variations of the delta debugging technique and introduces several novel heuristics for the identification of those regions in binary applications that backdoors are typically installed in, and strives for an automated identification and elimination of backdoors in binary applications.

Exploring Multiple Execution Paths for Malware Analysis

A system that allows us to explore multiple execution paths and identify malicious actions that are executed only when certain conditions are met is proposed, which enables us to automatically extract a more complete view of the program under analysis and identify under which circumstances suspicious actions are carried out.

Rotalumè: A Tool for Automatic Reverse Engineering of Malware Emulators

The first work in automatic reverse engineering of malware emulators is presented, which accurately reveals the syntax and semantics of emulated instruction sets and reconstructs execution paths of original programs from their bytecode representations.

Automatic Reverse Engineering of Malware Emulators

The first work in automatic reverse engineering of malware emulators is presented, which accurately reveals the syntax and semantics of emulated instruction sets and reconstructs execution paths of original programs from their bytecode representations.

Jekyll on iOS: When Benign Apps Become Evil

A novel attack method is presented that allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the Apple review process, and to introduce malicious control flows by rearranging signed code.

Research in Attacks, Intrusions and Defenses

In a thorough evaluation of blacklist effectiveness, it is shown to what extent real-world malware domains are actually covered by blacklists, and most AV vendor blacklists fail to protect against malware that utilizes Domain Generation Algorithms.

Opaque Predicates Detection by Abstract Interpretation

Code obfuscation and software watermarking are well known techniques designed to prevent the illegal reuse of software. Code obfuscation prevents malicious reverse engineering, while software

Manufacturing cheap, resilient, and stealthy opaque constructs

The design of a Java code obfuscator is described, a tool which - through the application of code transformations - converts a Java program into an equivalent one that is more difficult to reverse engineer.

Binary-code obfuscations in prevalent packer tools

This survey consolidates the discussion of obfuscations in real-world malware, and quantifies the relative prevalence of these obfuscations by using the Dyninst binary analysis and instrumentation tool that was recently extended for defensive malware analysis.
