Automatically Inferring Malware Signatures for Inferring Malware Signatures for Anti-Virus Assisted...

Click here to load reader

  • date post

  • Category


  • view

  • download


Embed Size (px)

Transcript of Automatically Inferring Malware Signatures for Inferring Malware Signatures for Anti-Virus Assisted...

Automatically Inferring Malware Signaturesfor Anti-Virus Assisted Attacks

Christian Wressnegger*, Kevin Freeman, Fabian Yamaguchi*, and Konrad Rieck*

* Institute of System Security, TU Braunschweig Institute of Computer Science, University of Gttingen

AbstractAlthough anti-virus software has significantly evolved overthe last decade, classic signature matching based on bytepatterns is still a prevalent concept for identifying securitythreats. Anti-virus signatures are a simple and fast detectionmechanism that can complement more sophisticated analysisstrategies. However, if signatures are not designed with care,they can turn from a defensive mechanism into an instrumentof attack. In this paper, we present a novel method forautomatically deriving signatures from anti-virus softwareand discuss how the extracted signatures can be used toattack sensible data with the aid of the virus scanner itself.To this end, we study the practicability of our approachusing four commercial products and exemplary demonstrateanti-virus assisted attacks in three different scenarios.

KeywordsAnti-Virus; Malware; Signatures; Attacks

1. INTRODUCTIONVirus scanners are one of the most common defenses

against security threatsdespite well-known weaknesses andshortcomings. Millions of end hosts run these scanners ona regular basis to check files for infections and detect ma-licious code. Individuals, companies and even governmentorganizations employ anti-virus software for fending off at-tacks at their desktop systems. The success and preva-lence of these products largely build on their simple yetreliable functionality: Files are matched against a databaseof known detection patterns (signatures) which is regularlyupdated by the vendor to account for novel threats. Suchpattern matching can be implemented very efficiently and isable spot all sorts of threats if appropriate and up-to-datesignatures are available [see 3, 58].

Signature-based detection suffers from a well-known draw-back: Unknown threats for which no signatures exist can eas-ily bypass the detection. This problem is further aggravatedby the frequent use of obfuscation in malicious code that

Permission to make digital or hard copies of all or part of this work for personal orclassroom use is granted without fee provided that copies are not made or distributedfor profit or commercial advantage and that copies bear this notice and the full citationon the first page. Copyrights for components of this work owned by others than theauthor(s) must be honored. Abstracting with credit is permitted. To copy otherwise, orrepublish, to post on servers or to redistribute to lists, requires prior specific permissionand/or a fee. Request permissions from [email protected]

ASIA CCS 17, April 02 - 06, 2017, Abu Dhabi, United Arab Emiratesc 2017 Copyright held by the owner/author(s). Publication rights licensed to ACM.

ISBN 978-1-4503-4944-4/17/04. . . $15.00


obstructs static signature matching [14, 34, 37]. As a conse-quence, a large body of research has focused on developingalternative approaches for analyzing and detecting malicioussoftware, for example, using semantic models [e.g., 10, 11],behavioral analysis [e.g., 13, 28, 31] or network traffic monitor-ing [e.g., 20, 21, 54]. Over the last decade, anti-virus vendorshave increasingly adopted these detection mechanisms tokeep up with malware evolution. Still, signatures based onbyte patterns remain an integral part of security productsand complement more sophisticated detection mechanisms.

Attackers are well aware of the prevalence of virus scannersand the detection mechanisms they employ. Thus, an ad-versary might not only seek means for evasion but also takeadvantage of their presence, for example, by injecting signa-tures into benign content. In 2014 the Bitcoin blockchaincontained the signature of the DOS/STONED malware, trick-ing the Microsoft Security Essentials into falsely identifyingthe file as malware and removing it [62]. The nature andorigin of the incident is unclear and so is the fact whetherthis has been an isolated proof-of-concept, driven by themanual effort of reverse engineering malware signatures orpart of an automated attack.

In this paper, we systematically explore the feasibilityof such anti-virus assisted attacks. We introduce a novelmethod for automatically deriving signatures from commer-cial virus scanners which is agnostic to the particular im-plementation and provides an adversary with byte patternsthat approximate the original signatures without the needto reverse engineer the analysis engine or signature database.With these patterns at hand, the attacker can draw a virusscanners attention to benign data and flag chosen content asmalicious, and thereby selectively block access or delete files.Moreover, we show that such malicious markers do not haveto be injected directly, but may be infiltrated as unprivilegeduser in a way that these end up in the local data store, thatthen gets flagged by the virus scanner.

To assess the feasibility of this attack in practice, we ap-ply our method for signature derivation to four commercialanti-virus products in an empirical study. We find that onaverage 38% of the derived signatures can be approximatedby simple combinations of byte patterns. Several of thesepatterns match text strings, artifacts of packers or environ-ment checks, and are mostly unrelated to the semantics ofthe considered malicious code. Furthermore our study showsthat only 8% of such signatures match patterns, that aredetected by more than one anti-virus product considered inour experiments, enabling an attacker to play off gatewayand end-user security solutions against each other by crafting

target-specific inputs. Finally, we make use of the inferredmalicious markers to demonstrate anti-virus assisted attacksin three different scenarios: 1) covering up password guess-ing, 2) deleting a users emails and 3) facilitating web-basedattacks by removing browser cookies.

In summary we make the following contributions:

Anti-virus assisted attacks. We introduce a newclass of anti-virus assisted attacks that limit access tobenign data by abusing byte-pattern based signaturesand demonstrate their feasibility in different scenarios.

Automatically deriving signatures. We present anovel method for automatically deriving pattern-basedsignatures from virus scanners without the need formanually reverse engineering the software.

Identification of inadequate signatures. In anempirically study with four commercial anti-virus prod-ucts, we identify overly simplistic signatures that buildon short byte patterns of resource or code artifacts andthus are well-suited for the described attacks.

The remainder of the paper is structured as follows: InSection 2 we describe the attack vector and present a briefoverview of anti-virus signatures. We introduce our methodfor deriving signatures in Section 3 and empirically studyits application and results in Section 4. In Section 5 wethen present specific attacks based on malicious markers anddiscuss mitigations in Section 6. Limitations and relatedwork are discussed in Section 7 and Section 8, respectively.Section 9 concludes the paper.

2. ANTI-VIRUS ASSISTED ATTACKSOver the last years, numerous software flaws have been

identified in popular anti-virus products [e.g., 25, 42]. Forexample, Ormandy disclosed vulnerabilities in products ofESET [43], Kaspersky [44], AVG [46], FireEye [45] and morerecently Symantec/ Norton [47]. These findings are especiallycritical as the corresponding products are employed in manynetwork and host defenses. According to leaked internaldocuments, even the NSA and GHCQ have set their handson anti-virus software to infiltrate networks [16].

We advance this line of work and present a novel class ofanti-virus assisted attacks, called malicious markers, thatdoes not rely on exploiting vulnerabilities but is based on theweak design of pattern-based signatures. Although modernanti-virus products comprise several different detection mech-anisms, signatures based on byte patterns are still widelyused as a complementary tool. In the following, we introducemalicious markers as attack vector (Section 2.1) and lookupon anti-virus signatures that can be used to execute thisunique type of attack (Section 2.2).

2.1 Attack VectorAny initially benign data that at some point in time con-

tains malware or its payload clearly has to be consideredharmful by an AV product. A file can thus be trivially flaggedas malicious by injecting malware. However, in case only acouple of carefully selected byte patterns are added to a filethat do not represent malicious functionality but happen tomatch a signature deployed by virus scanners, the situationis not necessarily as clear anymore.

Ideally, malware signatures capture malicous functionality.In practice however, byte-pattern based signatures often

match resources, wrongly aligned code, import tables orcompressed data. Even worse, if the virus scanner does notconsider additional context for its decision, signatures canbe freely moved to other files. Malicious markers rely onimplanting such overly simplistic malware signatures intobenign data to raise false alarms.

In the most trivial case an attacker would achieve such animplant by directly manipulating the targeted files. However,having direct (privileged) access would give rise to severalother, way more powerful attacks than deleting or restrictingaccess to data. Malicious markers on the contrary allow tooperate on a more subtle setting where a remote attacker hasno direct access but is able to remotelycontribute to a localfile. Inadequate signatures that do