Feature-distributed malware attack: Risk and defence

Abstract

Modern computing platforms have progressed to more secure environments with various defensive techniques such as application-based permission and application whitelisting. In addition, anti-virus solutions are improving their detection techniques, especially based on behavioural properties. To overcome these hurdles, the adversary has been developing malware techniques including the use of legitimate digital certificates; hence it is important to explore possible offensive techniques in a security-improved environment. In this paper, first we propose the new technique of feature-distributed malware that dynamically distributes its features to multiple software components in order to bypass various security mechanisms such as application whitelisting and anti-virus' behavioural detection. To evaluate our approach, we have implemented a tool that automatically generates such malware instances, and have performed a series of experiments showing the risks of such advanced malware. We also suggest an effective defence mechanism. It prevents loading of malicious components by utilising digital certificates of software components. We have implemented a Windows service that provides our defence mechanism, and evaluated it against the proposed malware. Another useful characteristic of our defence is that it is capable of blocking general abuse of legitimate digital certificates with dynamic software component loading. © 2014 Springer International Publishing Switzerland.