Abusing file processing in malware detectors for fun and profit

  • Jana S
  • Shmatikov V
  • 88


    Mendeley users who have this article in their library.
  • 34


    Citations of this article.


We systematically describe two classes of evasion exploits against automated malware detectors. Chameleon at- tacks confuse the detectors’ file-type inference heuristics, while werewolf attacks exploit discrepancies in format-specific file parsing between the detectors and actual operating systems and applications. These attacks do not rely on obfuscation, metamorphism, binary packing, or any other changes to malicious code. Because they enable even the simplest, easily detectable viruses to evade detection, we argue that file pro- cessing has become the weakest link of malware defense. Using a combination of manual analysis and black-box differential fuzzing, we discovered 45 new evasion exploits and tested them against 36 popular antivirus scanners, all of which proved vulnerable to various chameleon and werewolf attacks. I.

Get free article suggestions today

Mendeley saves you time finding and organizing research

Sign up here
Already have an account ?Sign in

Find this document


  • Suman Jana

  • Vitaly Shmatikov

Cite this document

Choose a citation style from the tabs below

Save time finding and organizing research with Mendeley

Sign up for free