
Evasion techniques

The term evasion technique groups all the
methods used by malware to avoid detection, analysis, and understanding. The
evasion techniques can be classified into three broad categories, namely,
anti-security techniques, anti-sandbox techniques and anti-analyst techniques.


Anti-security techniques

These techniques are used to avoid
detection by antimalware engines, firewalls, application containment, or other
tools that protect the environment.

Anti-sandbox techniques

These techniques are used to detect
automatic analysis and avoid engines that report on the behavior of malware.
Detecting registry keys, files, or processes related to virtual environments
lets malware know if it is running in a sandbox.

Anti-analyst techniques

These techniques are used to detect and
fool malware analysts, for example, by spotting monitoring tools such as
Process Explorer or Wireshark, as well as some process-monitoring tricks,
packers, or obfuscation to avoid reverse engineering.

Some advanced malware samples employ two
or three of these techniques together. For example, malware can use a technique
like RunPE (which runs another process of itself in memory) to evade
antimalware software, a sandbox, or an analyst. Some malware detects a specific
registry key related to a virtual environment, allowing the threat to evade an
automatic sandbox as well as an analyst attempting to dynamically run the
suspected malware binary in a virtual machine. It is important for security
researchers to understand these evasion techniques to ensure that security
technologies remain viable.
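As an added example (not code from the paper), the following Python triage heuristic shows how a defender can recognise the anti-sandbox and anti-analyst probes described above from two sources: strings embedded in the sample itself, and the API trace a sandbox records while the sample runs. The indicator lists are a small illustrative subset of the well-known virtual-machine and monitoring-tool artifacts, and the trace line format "<pid> <api>(<arg>)" is an assumption of this example, not the output of any particular sandbox.

```python
"""Triage heuristic: does a sample look for VM artifacts (anti-sandbox) or for
analyst tooling (anti-analyst)?  Added example; the indicator lists and the
trace line format are assumptions, not content from the paper."""
import re
from dataclasses import dataclass, field

# Illustrative subset of artifacts that betray a virtual machine or a monitoring tool.
VM_STRINGS = [b"VBoxGuest", b"VBoxService", b"vmtoolsd", b"VMware, Inc.", b"vboxmouse.sys"]
VM_REGISTRY_KEYS = [
    r"HARDWARE\ACPI\DSDT\VBOX__",
    r"SOFTWARE\VMware, Inc.\VMware Tools",
    r"SYSTEM\CurrentControlSet\Services\VBoxGuest",
]
ANALYST_TOOLS = [b"procexp.exe", b"procmon.exe", b"wireshark.exe", b"ollydbg.exe"]
VM_STRING_NAMES = {s.decode() for s in VM_STRINGS}
ANALYST_TOOL_NAMES = {s.decode() for s in ANALYST_TOOLS}

# Assumed trace format from a hypothetical sandbox: "<pid> <api>(<arg>)" per line.
TRACE_LINE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<arg>.*)\)$")


@dataclass
class EvasionReport:
    static_hits: list = field(default_factory=list)      # indicator strings found in the binary
    registry_probes: list = field(default_factory=list)  # VM-related keys queried at run time
    process_probes: list = field(default_factory=list)   # analysis tools looked for at run time

    def categories(self) -> set:
        """Map the evidence onto the evasion categories used in the text."""
        cats = set()
        if self.registry_probes or VM_STRING_NAMES & set(self.static_hits):
            cats.add("anti-sandbox")
        if self.process_probes or ANALYST_TOOL_NAMES & set(self.static_hits):
            cats.add("anti-analyst")
        return cats


def scan_static(sample: bytes) -> list:
    """Case-insensitive substring search over the raw bytes of the sample."""
    lowered = sample.lower()
    return [s.decode() for s in VM_STRINGS + ANALYST_TOOLS if s.lower() in lowered]


def scan_trace(trace: str) -> EvasionReport:
    """Walk an API trace and record probes for VM registry keys or analyst processes."""
    report = EvasionReport()
    for raw in trace.splitlines():
        m = TRACE_LINE.match(raw.strip())
        if not m:
            continue  # sandbox status lines are not API calls; skip them
        api, arg = m.group("api"), m.group("arg")
        if api in ("RegOpenKeyExW", "RegQueryValueExW"):
            for key in VM_REGISTRY_KEYS:
                if key.lower() in arg.lower():
                    report.registry_probes.append(key)
        elif api == "Process32NextW":
            # Assumed argument rendering: szExeFile=<name of the process examined>
            exe = arg.split("=", 1)[-1].strip().lower().encode()
            if exe in ANALYST_TOOLS:
                report.process_probes.append(exe.decode())
    return report


def analyze(sample: bytes, trace: str) -> EvasionReport:
    report = scan_trace(trace)
    report.static_hits = scan_static(sample)
    return report


# Constructed inputs: a fake binary blob and a fake sandbox trace.
SAMPLE = b"MZ\x90\x00\x00VMware, Inc.\x00C:\\Windows\\System32\\drivers\\vboxmouse.sys\x00"
TRACE = """\
4120 RegOpenKeyExW(HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools)
4120 RegOpenKeyExW(HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion)
4120 Process32NextW(szExeFile=explorer.exe)
4120 Process32NextW(szExeFile=wireshark.exe)
[sandbox] sample exited
"""

if __name__ == "__main__":
    r = analyze(SAMPLE, TRACE)
    print(sorted(r.categories()), r.static_hits, r.registry_probes, r.process_probes)
```

Either source alone is enough to raise a category: a packed sample hides its strings from the static pass but still has to issue the registry or process queries at run time, which is why the trace pass is kept separate from the string scan.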

Figure 3 Evasion Technique Use by Malware

Malware detection on mobile devices

Compared with a PC, a mobile device is constrained in computation power, memory, and battery capacity. The exploits targeted by mobile malware also differ significantly from those on a PC because of differences in operating systems and hardware; for example, the majority of mobile devices are based on the ARM architecture. Hence, due consideration is needed when applying PC-based methods to mobile devices. A detection method must use memory and computational resources efficiently and must not drain the device battery. It must also be cost-efficient to update over the wireless network.

There are two general ways of protecting a mobile device. One is to offer protection at the device level; the other is to offer protection at the network level by inspecting packets destined for the device. Device-based protection detects and removes malware, including viruses, Trojans, and spyware, installed on the device, whereas network-based protection aims to detect and prevent intrusions in the network.

Malware Analysis Classification

All classification approaches taken in the literature can basically be categorized into two types: (i) those based on features drawn from an unpacked, static version of the executable file and (ii) those based on dynamic features of the packed executable file. These approaches are further classified into signature-based, behavior-based, hybrid, and machine-learning-based approaches.

Signature-based approaches are simple and capable of operating online in real time. They detect only known malware and are not useful for detecting new, unknown, and stealthy malware. They are weak against evasion techniques, i.e., obfuscation transformations can easily defeat signature-based detection mechanisms. A signature-matching algorithm is nevertheless well suited to scanning on mobile devices because of its low memory requirements.

Behavior-based approaches are designed to analyze malware dynamically, which allows them to detect unknown malware efficiently. They rely on system-call sequences or graphs to model a malicious specification or pattern. Behavior-based methods and machine-learning methods are dynamic approaches.

Anomaly-based approaches, also known as profile-based approaches, profile the statistical features of normal traffic; any deviation from the profile is treated as suspicious. They detect previously unknown attacks but show high false-positive ratios when normal activities are diverse and unpredictable.

Specification-based approaches are similar to anomaly detection, but they are based on manually developed specifications that capture legitimate (rather than previously seen) system behaviors. They avoid the high false-alarm rates caused by legitimate but unseen behavior in the anomaly-detection approach. Their drawback is the time consumed in developing detailed specifications. Thus, one has to trade off specification development effort against increased false negatives (i.e., the likelihood that some attacks are missed).

Heuristic approaches for detection on PCs include semantics-based, visualization-based, social-network-based, entropy-based, cryptography-based, difference-equation-based, and kernel-based detection approaches. For detection on mobile devices, immune-system-based, memory-acquisition-based, suspicious-API-call-pattern, differential-fault-analysis, and inter-component-communication approaches fall under the heuristic category.

Much research has been conducted on developing automatic malware classification systems using data mining and machine-learning approaches. However, because of the various stealth techniques devised by malware authors, most malware remains undetectable.
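The trade-offs described above (signature matching that obfuscation defeats, behavior matching on system-call sequences, anomaly detection that misfires on diverse but legitimate activity, and specification-based detection that avoids that misfire) are easier to see side by side in working code. The following Python module is an added example, not code from the paper or from any survey it cites: the byte signature, system-call traces, allowed-call specification, and anomaly threshold are all constructed for illustration, and the system-call names are a generic abstraction rather than any particular operating system's API.

```python
"""Four detector styles from the classification above, run over constructed data.
Added example, not from the paper; signatures, traces and thresholds are made up."""
from collections import Counter

# 1. Signature based: a byte pattern lifted from a known sample (constructed here).
SIGNATURES = {"constructed-dropper": b"\x55\x8b\xec\x83\xec\x40\xe8"}

def signature_detect(sample: bytes) -> list:
    """Cheap and memory-light, but only matches bytes it has seen before."""
    return [name for name, pattern in SIGNATURES.items() if pattern in sample]

# 2. Behaviour based: a malicious specification expressed as a system-call n-gram.
MALICIOUS_NGRAMS = {("open", "write", "chmod", "exec")}   # constructed pattern

def behaviour_detect(trace: list) -> bool:
    """Slide a window over the trace and look for any known malicious sequence."""
    n = max(len(g) for g in MALICIOUS_NGRAMS)
    observed = {tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)}
    return bool(observed & MALICIOUS_NGRAMS)

# 3. Anomaly based: profile the syscall frequency distribution of normal runs and
#    flag traces whose distribution deviates from it by more than a threshold.
def distribution(trace: list) -> dict:
    counts = Counter(trace)
    return {call: c / len(trace) for call, c in counts.items()}

def build_profile(normal_traces: list) -> dict:
    """Average the per-trace call distributions into one 'normal' profile."""
    profile = Counter()
    for trace in normal_traces:
        profile.update(distribution(trace))
    return {call: v / len(normal_traces) for call, v in profile.items()}

def anomaly_score(profile: dict, trace: list) -> float:
    """L1 distance between the trace's call distribution and the normal profile."""
    observed = distribution(trace)
    return sum(abs(observed.get(c, 0.0) - profile.get(c, 0.0))
               for c in set(profile) | set(observed))

def anomaly_detect(profile: dict, trace: list, threshold: float = 0.8) -> bool:
    return anomaly_score(profile, trace) > threshold

# 4. Specification based: a hand-written list of calls the application may make.
ALLOWED_CALLS = {"open", "read", "write", "close", "stat", "exit"}   # constructed spec

def specification_detect(trace: list) -> list:
    """Anything outside the specification is reported, however common it is."""
    return sorted(set(trace) - ALLOWED_CALLS)

# Constructed inputs.
KNOWN_SAMPLE   = b"MZ\x00PAYLOAD\x55\x8b\xec\x83\xec\x40\xe8\x00"
VARIANT_SAMPLE = b"MZ\x00PAYLOAD\x55\x8b\xec\x90\x83\xec\x40\xe8\x00"  # one inserted nop
NORMAL_TRACES  = [["open", "read", "read", "close"],
                  ["open", "read", "write", "close", "stat"]]
MALWARE_TRACE  = ["stat", "open", "write", "chmod", "exec", "exit"]
BACKUP_TRACE   = ["open", "write"] * 10          # legitimate, but unlike the profile
ORDINARY_TRACE = ["open", "read", "close", "read"]

def run_all() -> dict:
    """Each detector's verdict on each input; the comments mark the instructive cases."""
    profile = build_profile(NORMAL_TRACES)
    return {
        "signature_known":   bool(signature_detect(KNOWN_SAMPLE)),
        "signature_variant": bool(signature_detect(VARIANT_SAMPLE)),  # evaded by obfuscation
        "behaviour_malware": behaviour_detect(MALWARE_TRACE),
        "behaviour_backup":  behaviour_detect(BACKUP_TRACE),
        "anomaly_malware":   anomaly_detect(profile, MALWARE_TRACE),
        "anomaly_backup":    anomaly_detect(profile, BACKUP_TRACE),   # false positive
        "anomaly_ordinary":  anomaly_detect(profile, ORDINARY_TRACE),
        "spec_malware":      specification_detect(MALWARE_TRACE),
        "spec_backup":       specification_detect(BACKUP_TRACE),      # no false positive
    }

if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:18} {verdict}")
```

The single inserted nop in VARIANT_SAMPLE is enough to miss the byte signature while the behaviour detector still fires on the same open/write/chmod/exec sequence; conversely the backup job trips the anomaly detector purely because its call mix differs from the profile, while the specification detector, which only asks whether each call is permitted, stays silent on it.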

Organization

This paper presents a detailed insight into malware analysis in both the Personal Computer (PC) domain and the mobile domain, based on a literature survey of work from 1987 onward. First, the various forms of malware and the impact of malware on PCs and mobile phones are discussed, with a focus on their prevalence in the most used operating systems, namely Windows (for PCs) and Android (for mobile). Second, the literature survey compares contemporary detection approaches with earlier ones and discusses their advantages and disadvantages. Finally, research questions and findings are discussed, giving malware researchers key ideas for developing a more robust and efficient detection approach that improves protection and reduces risk in real-world scenarios.