==Detection==

Antivirus software typically uses two techniques to detect malware: (i) static analysis and (ii) dynamic/heuristic analysis.<ref name=":8">{{Cite journal|last1=Si̇ngh|first1=Jagsir|last2=Si̇ngh|first2=Jaswinder|date=2018-09-01|title=Challenge of Malware Analysis: Malware obfuscation Techniques|url=https://dergipark.org.tr/en/pub/ijiss/issue/67171/1048753|journal=International Journal of Information Security Science|language=en|volume=7|issue=3|pages=100–110|access-date=10 January 2023|archive-date=10 January 2023|archive-url=https://web.archive.org/web/20230110063749/https://dergipark.org.tr/en/pub/ijiss/issue/67171/1048753|url-status=live}}</ref> Static analysis involves studying the software code of a potentially malicious program and producing a signature of that program. An antivirus program then compares scanned files against this signature. Because this approach is not useful for malware that has not yet been studied, antivirus software can use dynamic analysis to monitor how the program runs on a computer and block it if it performs unexpected activity. The aim of any malware is to conceal itself from detection by users or antivirus software.<ref name=":4" /> Detecting potential malware is difficult for two reasons. The first is that it is difficult to determine whether software is malicious.<ref name=":5" /> The second is that malware uses technical measures to make itself harder to detect.<ref name=":8" /> An estimated 33% of malware is not detected by antivirus software.<ref name=":7" /> The most commonly employed anti-detection technique involves encrypting the malware payload in order to prevent antivirus software from recognizing the signature.<ref name=":5" /> Tools such as crypters come with an encrypted blob of malicious code and a decryption stub. The stub decrypts the blob and loads it into memory. Because antivirus software typically scans files on the drive rather than memory, this lets the malware evade detection.
Advanced malware has the ability to transform itself into different variations, making it less likely to be detected because its signatures differ. This is known as polymorphic malware. Other common techniques used to evade detection include, from common to uncommon:<ref name=":9" /> (1) evasion of analysis and detection by [[Fingerprint (computing)|fingerprinting]] the environment when executed;<ref>{{cite conference|title=Barecloud: bare-metal analysis-based evasive malware detection|last1=Kirat|first1=Dhilung|last2=Vigna|first2=Giovanni|last3=Kruegel|first3=Christopher|date=2014|publisher=ACM|pages=287–301|isbn=978-1-931971-15-7|url=https://dl.acm.org/citation.cfm?id=2671244|url-access=subscription|access-date=28 November 2018|archive-date=1 August 2019|archive-url=https://web.archive.org/web/20190801213541/https://dl.acm.org/citation.cfm?id=2671244|url-status=live}} <br /> Freely accessible at: {{cite web|title=Barecloud: bare-metal analysis-based evasive malware detection|url=https://seclab.cs.ucsb.edu/media/uploads/papers/kirat_barecloud_usenix_2014.pdf|access-date=28 November 2018|archive-date=4 March 2016|archive-url=https://web.archive.org/web/20160304013726/https://seclab.cs.ucsb.edu/media/uploads/papers/kirat_barecloud_usenix_2014.pdf|url-status=dead}}</ref> (2) confusing automated tools' detection methods, which allows malware to avoid detection by technologies such as signature-based antivirus software by changing the server used by the malware;<ref name=":9">[http://www.tripwire.com/state-of-security/security-data-protection/the-four-most-common-evasive-techniques-used-by-malware/ The Four Most Common Evasive Techniques Used by Malware] {{Webarchive|url=https://web.archive.org/web/20210529160838/https://www.tripwire.com/state-of-security/security-data-protection/the-four-most-common-evasive-techniques-used-by-malware/|date=29 May 2021}}. 27 April 2015.</ref> (3) timing-based evasion, where malware runs only at certain times or following certain actions taken by the user, so that it executes during vulnerable periods such as the boot process while remaining dormant the rest of the time; (4) [[Obfuscation (software)|obfuscating]] internal data so that automated tools do not detect the malware;<ref>{{cite conference|last1=Young|first1=Adam|last2=Yung|first2=Moti|date=1997|title=Deniable Password Snatching: On the Possibility of Evasive Electronic Espionage|publisher=IEEE|pages=224–235|isbn=0-8186-7828-3|book-title=Symp. on Security and Privacy}}</ref> (5) information hiding techniques, namely [[stegomalware]];<ref>{{cite journal|last1=Cabaj|first1=Krzysztof|last2=Caviglione|first2=Luca|last3=Mazurczyk|first3=Wojciech|last4=Wendzel|first4=Steffen|last5=Woodward|first5=Alan|last6=Zander|first6=Sebastian|date=May 2018|title=The New Threats of Information Hiding: The Road Ahead|journal=IT Professional|volume=20|issue=3|pages=31–39|arxiv=1801.00694|doi=10.1109/MITP.2018.032501746|s2cid=22328658}}</ref> and (6) fileless malware, which runs within memory instead of using files and utilizes existing system tools to carry out malicious acts. The use of existing binaries to carry out malicious activities is a technique known as LotL, or Living off the Land.<ref>{{Cite journal|last1=Sudhakar|last2=Kumar|first2=Sushil|date=2020-01-14|title=An emerging threat Fileless malware: a survey and research challenges|journal=Cybersecurity|volume=3|issue=1|pages=1|doi=10.1186/s42400-019-0043-x|s2cid=257111442|issn=2523-3246|doi-access=free}}</ref> This reduces the amount of forensic artifacts available to analyze. These attacks have recently become more frequent, with a 432% increase in 2017, and made up 35% of attacks in 2018. Such attacks are not easy to perform but are becoming more prevalent with the help of exploit kits.<ref>{{Cite journal|url=https://webaccess.psu.edu/?cosign-scripts.libraries.psu.edu&https%3A%2F%2Fscripts.libraries.psu.edu%2Fscripts%2Fezproxyauth.php%3Furl=ezp.2aHR0cHM6Ly9kbC5hY20ub3JnL2RvaS8xMC4xMTQ1LzMzNjUwMDE-|title=Penn State WebAccess Secure Login|website=webaccess.psu.edu|doi=10.1145/3365001|s2cid=219884145|access-date=2020-02-29|doi-access=|archive-date=8 March 2021|archive-url=https://web.archive.org/web/20210308133613/https://webaccess.psu.edu/?cosign-scripts.libraries.psu.edu&https%3A%2F%2Fscripts.libraries.psu.edu%2Fscripts%2Fezproxyauth.php%3Furl=ezp.2aHR0cHM6Ly9kbC5hY20ub3JnL2RvaS8xMC4xMTQ1LzMzNjUwMDE-|url-status=dead}}</ref><ref>{{Cite web|url=https://www.researchgate.net/publication/328758559|title=Malware Dynamic Analysis Evasion Techniques: A Survey|website=ResearchGate|language=en|access-date=2020-02-29|archive-date=14 April 2021|archive-url=https://web.archive.org/web/20210414031228/https://www.researchgate.net/publication/328758559|url-status=live}}</ref>
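The following illustration, added here and not part of the article or of any antivirus product, shows in miniature why a file-hash signature misses an encrypted or polymorphic copy of a studied payload (the crypter and polymorphism points of the two paragraphs above), while a static entropy heuristic still flags the copy and a scan of what the decryption stub leaves in memory re-identifies it. The payload, the benign text, the 6.0 bits-per-byte cut-off and the SHA-256 counter-mode transform standing in for the crypter step are all constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-in for a payload that an antivirus vendor has already studied
# and turned into a signature (here a hash of the whole file, as in static analysis).
KNOWN_PAYLOAD = b"SAMPLE-ROUTINE: read saved passwords and post them to a remote host\n" * 8
SIGNATURE_DB = {hashlib.sha256(KNOWN_PAYLOAD).hexdigest()}
# Assumed cut-off in bits per byte: text and ordinary code sit around 4 to 5,
# encrypted or packed data approaches 8.
ENTROPY_THRESHOLD = 6.0

def keystream_transform(data: bytes, key: bytes) -> bytes:
    """Symmetric stream transform (SHA-256 in counter mode) standing in for the
    crypter step: every key gives a different-looking copy of the same payload."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)

def shannon_entropy(data: bytes) -> float:
    """Average information per byte; close to 8.0 means the bytes look random."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def static_scan(blob: bytes) -> bool:
    """Signature-based detection: matches only content that was studied before."""
    return hashlib.sha256(blob).hexdigest() in SIGNATURE_DB

def heuristic_scan(blob: bytes) -> bool:
    """Static heuristic: flag high-entropy content as probably encrypted or packed."""
    return shannon_entropy(blob) >= ENTROPY_THRESHOLD

def memory_scan(blob: bytes, key: bytes) -> bool:
    """After the decryption stub runs, memory holds the original payload again, so a
    scanner that inspects memory rather than only files on disk re-identifies it."""
    return static_scan(keystream_transform(blob, key))

if __name__ == "__main__":
    samples = {"known_file": KNOWN_PAYLOAD,
               "benign_text": b"quarterly report: revenue grew by four percent\n" * 8}
    samples.update((f"variant_{i}", keystream_transform(KNOWN_PAYLOAD, f"key{i}".encode())) for i in (1, 2))
    for name, blob in samples.items():
        print(f"{name:12} signature={static_scan(blob)!s:5} high_entropy={heuristic_scan(blob)}")
```

Only the first sample matches the signature; the two variants differ from each other and from the original byte for byte, yet both trip the entropy heuristic, and each is recognised again once its stub has undone the transform.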