{"id":398,"date":"2012-10-04T19:49:59","date_gmt":"2012-10-04T19:49:59","guid":{"rendered":"http:\/\/digitalfire.ucd.ie\/?p=398"},"modified":"2013-03-10T03:46:07","modified_gmt":"2013-03-10T03:46:07","slug":"evasion-resistant-malware-signature-based-on-profiling-kernel-data-structure-objects","status":"publish","type":"post","link":"https:\/\/dfire.ucd.ie\/?p=398","title":{"rendered":"Evasion-Resistant Malware Signature Based on Profiling Kernel Data Structure Objects"},"content":{"rendered":"<p><a href=\"http:\/\/digitalfire.ucd.ie\/wp-content\/uploads\/2012\/10\/shutterstock_41492986.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-medium wp-image-399\" title=\"shutterstock_41492986\" src=\"http:\/\/digitalfire.ucd.ie\/wp-content\/uploads\/2012\/10\/shutterstock_41492986-300x300.jpg\" alt=\"\" width=\"300\" height=\"300\" srcset=\"https:\/\/dfire.ucd.ie\/wp-content\/uploads\/2012\/10\/shutterstock_41492986-300x300.jpg 300w, https:\/\/dfire.ucd.ie\/wp-content\/uploads\/2012\/10\/shutterstock_41492986-150x150.jpg 150w, https:\/\/dfire.ucd.ie\/wp-content\/uploads\/2012\/10\/shutterstock_41492986-96x96.jpg 96w, https:\/\/dfire.ucd.ie\/wp-content\/uploads\/2012\/10\/shutterstock_41492986-24x24.jpg 24w, https:\/\/dfire.ucd.ie\/wp-content\/uploads\/2012\/10\/shutterstock_41492986-36x36.jpg 36w, https:\/\/dfire.ucd.ie\/wp-content\/uploads\/2012\/10\/shutterstock_41492986-48x48.jpg 48w, https:\/\/dfire.ucd.ie\/wp-content\/uploads\/2012\/10\/shutterstock_41492986-64x64.jpg 64w, https:\/\/dfire.ucd.ie\/wp-content\/uploads\/2012\/10\/shutterstock_41492986.jpg 1000w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a>Malware creators are continually looking for new methods to evade malware detection engines. A popular evasion method is based on malicious code obfuscation that changes the\u00a0syntax of the code while preserving its execution\u00a0semantics. 
If the malware signature relies on the syntactic features of the malicious code, it can be evaded by obfuscation techniques. In this paper, we propose a novel approach to the development of evasion-resistant malware signatures. The idea is that the signature is based on the malware\u2019s execution profile extracted from the OS kernel data structure objects rather than on syntactic information. As a result, the signature is more resistant to malware obfuscation techniques and is more resilient in detecting malicious code variants.<\/p>\n<p>To evaluate the effectiveness of the proposed approach, a prototype signature generation tool called SigGENE was developed. The effectiveness of signatures generated by SigGENE was evaluated using an experimental rootkit-simulation tool that employs obfuscation techniques commonly found in rootkits. In further experiments, different syntactic variants of the same real-world malware have been used to verify the real-world applicability of the proposed approach. The experiments show that the proposed approach is effective not only in generating signatures that detect malware and its variants, but also in producing execution profiles that can be used to characterize different malicious attacks.<\/p>\n<p>Paper [<a href=\"http:\/\/digitalfire.ucd.ie\/wp-content\/uploads\/2012\/09\/Evasion-Resistance-Signature.pdf\">Evasion-Resistant Malware Signature Based on Profiling Kernel Data Structure Objects<\/a>].<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Malware creators are continually looking for new methods to evade malware detection engines. A popular evasion method is based on malicious code obfuscation that changes the syntax of the code while preserving its execution semantics. If the malware signature relies on the syntactic features of the malicious code, it can be evaded by obfuscation techniques. 
In this [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":399,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[23,34],"tags":[],"class_list":["post-398","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","category-dfire-publications"],"_links":{"self":[{"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=\/wp\/v2\/posts\/398"}],"collection":[{"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=398"}],"version-history":[{"count":12,"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=\/wp\/v2\/posts\/398\/revisions"}],"predecessor-version":[{"id":842,"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=\/wp\/v2\/posts\/398\/revisions\/842"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=\/wp\/v2\/media\/399"}],"wp:attachment":[{"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=398"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=398"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=398"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}