“VANILLA” malware: vanishing antiviruses by interleaving layers and layers of attacks
Published in: Journal of Computer Virology and Hacking Techniques, Vol. 15, No. 4, pp. 233-247
Main Authors: , ,
Format: Journal Article
Language: English
Published: Paris, Springer Paris, 01-12-2019 (Springer Nature B.V.)
Summary: Malware is a persistent threat to any networked system. The recent increase in multi-core, distributed systems has created new opportunities for malware authors to exploit such capabilities. In particular, the distributed execution of malware across multiple cores may be used to evade currently widespread single-core-based detectors (e.g., antiviruses, or AVs) and malware analysis solutions that are unable to correlate data from multiple sources. In this paper, we propose a technique for distributing the malware functions in several distinct “vanilla” processes to show that AVs can be easily evaded. Therefore, our technique allows malware to interleave layers of attacks to remain undetected by current AVs. Our goal is to expose a real menace and to discuss it so as to provide insights for the development of better AVs. We discuss the role of distributed and multicore-based malware in current and future threat scenarios with practical examples that we specially crafted for testing (e.g., a distributed sample synchronized via cache side channels). We (i) review multi-threaded/multi-process implementation issues (from kernel and userland) and present a multi-core-based monitoring solution; (ii) present strategies for code distribution, exemplified via DLL injectors, and discuss their weak and strong points; and (iii) evaluate how real security solutions perform when exposed to distributed malware. We converted real, serial malware to parallel code and showed that current AVs are not fully able to detect multi-core malware.
ISSN: 2263-8733
DOI: 10.1007/s11416-019-00333-y
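The summary's central claim is that a detector which inspects one process at a time misses a behaviour whose steps have been spread over several otherwise innocuous processes, while a detector that correlates events across processes can still recognise it. The following toy model makes that concrete. It is an added example written for this record, not code from the paper or its authors; the event fields, the three-step "read, write, delete" signature, the process IDs, the file paths and the traces are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One monitored operation. The field set is an assumption for this toy model."""
    ts: int       # monotonically increasing timestamp
    pid: int      # process that performed the operation
    op: str       # operation type, e.g. "read", "write", "delete"
    target: str   # resource touched, e.g. a file path


# Hypothetical behaviour signature: read a file, overwrite it, then delete it,
# all against the same target. Real AV signatures are far richer; this is only
# enough to show the per-process versus cross-process difference.
SIGNATURE = ("read", "write", "delete")


def find_chains(events, signature=SIGNATURE):
    """Return {target: [pid of each matched step]} for every target on which the
    signature's steps occur in order (as a subsequence, so unrelated events may
    be interleaved), regardless of which process performed each step."""
    by_target = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_target[e.target].append(e)
    hits = {}
    for target, evs in by_target.items():
        idx, pids = 0, []
        for e in evs:
            if idx < len(signature) and e.op == signature[idx]:
                pids.append(e.pid)
                idx += 1
        if idx == len(signature):
            hits[target] = pids
    return hits


def per_process_detector(events, signature=SIGNATURE):
    """Models a detector that inspects each process in isolation (the
    'single-core-based' AV of the summary). Returns the set of flagged pids."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    return {pid for pid, evs in by_pid.items() if find_chains(evs, signature)}


def correlating_detector(events, signature=SIGNATURE):
    """Pools events from all processes before matching, so a chain whose steps
    were split across processes is still recognised. Returns the set of pids
    that contributed a step to any matched chain."""
    return {pid for pids in find_chains(events, signature).values() for pid in pids}


def distribute(trace, base_pid):
    """Re-attribute each step of a serial trace to its own fresh process id,
    modelling the conversion of a serial sample into several 'vanilla'
    processes. Timestamps and targets are unchanged."""
    return [Event(e.ts, base_pid + i, e.op, e.target) for i, e in enumerate(trace)]


# Constructed traces (not real telemetry).
SERIAL = [  # one process does every step
    Event(1, 100, "read", "/home/u/doc.txt"),
    Event(2, 100, "write", "/home/u/doc.txt"),
    Event(3, 100, "delete", "/home/u/doc.txt"),
]
BENIGN = [  # same three ops, but on unrelated targets: no chain
    Event(1, 300, "read", "/home/u/a.txt"),
    Event(2, 301, "write", "/home/u/b.txt"),
    Event(3, 302, "delete", "/home/u/c.txt"),
]
DISTRIBUTED = distribute(SERIAL, base_pid=200)  # pids 200, 201, 202


if __name__ == "__main__":
    for name, trace in (("serial", SERIAL), ("distributed", DISTRIBUTED), ("benign", BENIGN)):
        print(f"{name:12s} per-process: {sorted(per_process_detector(trace))}  "
              f"correlating: {sorted(correlating_detector(trace))}")
```

The correlating detector only succeeds here because the split steps still share an observable handle (the same target path) on which events can be joined. The summary notes that the authors also built a sample synchronised via cache side channels; steps coordinated that way need not share any such visible resource, which is the hard case for correlation and is why the paper argues for multi-core-aware monitoring rather than per-process signatures alone.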