Evaluating malwares obfuscation techniques against antimalware detection algorithms
Technical Report, March 2015
Corrado Aaron Visaggio, Francesco Mercaldo (Università degli Studi del Sannio)
A QUICK OVERVIEW

Every day more than 1 million new Android devices are activated worldwide. This trend has made Android the most widespread middleware for mobile platforms. Google Play is the premier marketplace for selling and distributing Android apps, and it shows incredible numbers: 1.5 billion downloads a month! Everyone agrees that Android is an incredible success, but can people be sure that it is safe to store their data on their Android devices? This success has attracted an ever-growing interest from Android malware writers. The main question this technical report poses is: are the current signature-based detection algorithms effective on mobile environments? We developed a framework which applies a set of transformations to the smali code of Android applications. We then transformed a real-world malware data-set (available at: http://user.informatik.uni-goettingen.de/~darp/drebin/) and submitted the applications to the website www.virustotal.com, in order to evaluate the maliciousness verdicts before and after the transformations (every sample was submitted both before and after the transformation process). The result is impressive: the antimalware engines are not able to recognize the transformed malware, even though they were able to recognize the original malware. The transformation engine is released to the scientific community under an open source license at the following URL: https://github.com/faber03/AndroidMalwareEvaluatingTools
TRANSFORMATIONS

We developed a transformation engine for Android malware (available at: https://github.com/faber03/AndroidMalwareEvaluatingTools), which consists of the following transformations:

1) Disassembling & Reassembling: This transformation is based on the apktool representation of the items contained in the .dex file. To disassemble an application, the command "apktool d apkname" creates several directories representing the original application resources: code, Android manifest, etc. The command "apktool b apkDirectory" builds an application from the new apktool representation of the dex file.

2) Repacking: Every Android application carries a developer signature whose key is lost once the application is disassembled and reassembled. To sign the rebuilt package with a new key we used the tool signapk; this defeats detection signatures that match the developer keys or a checksum of the entire application package.

3) Changing package name: This transformation replaces the application package name with a random string.

4) Identifier Renaming: The goal of this transformation is to rename every identifier (class names, package names, method names, variable names, etc.). In this case the transformation changes the package name and the class identifiers in each smali file, using a random string generator, and updates the calls from external classes to the modified classes.

[Figure: Android manifest, pre-transformation]
[Figure: Android manifest, post-transformation]
[Figure: Class name, pre-transformation and post-transformation]
[Figure: Class call and package name, pre-transformation]
[Figure: Class call and package name, post-transformation]
5) Data Encoding: Strings can be used to build signatures that identify malware. This transformation encodes strings with a Caesar cipher. The original string is restored at application run-time by a call to a smali function that knows the Caesar key. This function was written as a Java class inserted into an Android project; its smali was then obtained with the apktool disassembling function.

[Figure: Pre-transformation string]
[Figure: Post-transformation string]
6) Call indirections: This transformation modifies the application call graph. In the smali code every call is replaced with a call to a new method inserted by the transformation; this new method then calls the original method, so the original execution order is preserved. The transformation can be applied to every kind of call; in this case it has been applied to every void smali method invoked with the "invoke-virtual" construct.

[Figure: Pre-transformation]
[Figure: Post-transformation]
7) Code Reordering: The aim of this transformation is to reorder the instructions of smali methods, inserting goto instructions so that the correct run-time execution order is preserved. Every method is replaced with a new method in which each instruction has been moved to a random index within the method body. The transformation has been applied only to methods that do not contain any kind of jump (if, switch, recursive calls).

[Figure: Pre-transformation]
[Figure: Post-transformation]
8) Junk Code Insertion: This transformation provides three different kinds of junk code insertion:

1) Insertion of nop instructions into each method.
2) Insertion of nop instructions and unconditional jumps into each method.
3) Allocation of three additional registers on which garbage operations are performed.

[Figure: a smali method before inserting any junk code]
[Figure: the same method after nop insertion (Type 1)]
[Figure: a method with nop and unconditional jump instructions (Type 2)]
[Figures: the same method before and after junk code insertion of Type 3]

9) Composite Transformations: All the transformations combined.
Remark: The samples submitted to VirusTotal were processed at transformation level 9, i.e. with all the transformations combined.
THE TRANSFORMATION TOOL

We developed a tool that can be used to select either a single application or a directory containing several applications.

[Figure: Framework UI 1: in this case a single apk has been selected]

The tool also offers an easy way to retrieve the results after the transformed samples have been submitted to the VirusTotal engine.
THE RESULTS OF THE EXPERIMENT

We worked on a data-set composed of 5560 malware samples belonging to 178 different malware families. We applied all the transformations combined on the malware data-set.
Antimalware results: in the following table the first column gives the antimalware engine, the second the number of samples (without transformations) correctly detected by that engine, and the third (in red in the original) the number of samples correctly detected after the transformation process.
Antimalware  Detected pre-transformation  Detected post-transformation
Alibaba 565 578
F-Secure 4723 4767
AVG 4734 4432
ESET-NOD32 4550 4169
Avira 4749 4054
AhnLab-V3 4615 3934
Sophos 4719 3875
GData 4747 3853
BitDefender 4735 3848
Ad-Aware 4726 3843
Emsisoft 4594 3725
MicroWorld-eScan 4642 3782
NANO-Antivirus 4716 3702
Kaspersky 4689 3543
Avast 4175 3338
DrWeb 4610 3240
CAT-QuickHeal 3967 2962
Ikarus 4467 2715
VIPRE 4767 2093
AVware 4636 2034
Microsoft 2437 1937
Fortinet 4458 1920
AegisLab 2988 1074
ClamAV 2122 1637
Cyren 4766 1629
Rising 2042 1544
Symantec 3255 1391
TrendMicro-HouseCall 3953 1292
Comodo 4711 1268
Qihoo-360 4486 1116
TrendMicro 3392 1080
Tencent 4522 728
McAfee 4784 600
Zillya 646 557
Jiangmin 4255 547
VBA32 2420 536
F-Prot 4692 505
Zoner 3933 389
Kingsoft 4267 367
K7GW 221 15
Baidu-International 4157 222
Norman 1058 218
ALYac 114 121
TotalDefense 1960 207
McAfee-GW-Edition 320 135
Agnitum 425 119
ViRobot 116 112
Panda 185 97
Antiy-AVL 83 82
nProtect 59 59
K7AntiVirus 150 36
TheHacker 8 2
ByteHero 0 0
Bkav 740 0
CMC 2 0
Malwarebytes 0 0
SUPERAntiSpyware 2 0
MALWARE FAMILY RESULTS

In the following table the results per malware family are shown: the first column gives the malware family, the second the number of samples belonging to that family which are considered trusted before transformation, and the third the number of samples of that family which are considered trusted after transformation.
Family  Trusted pre-transformation  Trusted post-transformation
SerBG 0 3
UpdtKiller 0 1
FakePlayer 0 17
Spy.GoneSixty 0 1
Updtbot 0 1
Bgserv 1 1
FakeRun 0 10
AccuTrack 1 10
Booster 0 1
Nyleaker 5 18
TigerBot 0 3
DroidSheep 0 11
Vidro 0 5
Proreso 0 2
Rooter 0 3
LifeMon 0 3
Sonus 0 1
Dougalek 0 17
Gmuse 0 3
Dialer 0 2
Fakengry 0 10
Arspam 0 1
Saiva 0 2
Moghava 2 3
Nisev 0 4
GPSpy 0 3
Fauxcopy 1 2
Lemon 0 6
Aks 0 5
Cawitt 0 1
Maxit 0 1
SpyPhone 2 5
PdaSpy 0 4
QPlus 0 6
FakeDoc 0 43
Mobilespy 0 13
Fakeview 0 1
Spitmo 0 11
Loozfon 0 2
TrojanSMS.Boxer.AQ 0 1
Penetho 1 18
SmsWatcher 3 3
Replicator 0 3
TrojanSMS.Stealer 0 1
Coogos 0 7
Tapsnake 0 3
SmForw 1 2
Raden 0 9
Koomer 0 2
Copycat 2 3
Kidlogger 1 6
Maistealer 0 1
Yzhc 0 25
SheriDroid 1 2
Gappusin 48 53
Spyset 0 8
Antares 0 2
SMSreg 7 36
TrojanSMS.Denofow 5 5
SuBatt 0 1
Luckycat 0 5
Lypro 0 1
Kiser 8 9
Fsm 0 3
Typstu 0 14
GlodEagl 0 1
SafeKidZone 1 1
Zsone 0 8
Hispo 0 3
RATC 1 1
Ksapp 0 5
MTracker 1 1
RediAssi 0 3
Netisend 0 1
Boxer 1 18
RootSmart 0 7
TrojanSMS.Hippo 5 7
Mobinauten 0 8
SpyMob 1 2
Whapsni 0 1
Nandrobox 0 7
TheftAware 2 2
Spy.ImLog 0 1
Nickspy 0 11
Generic 2 2
SMSSend 0 1
Glodream 0 49
MMarketPay 0 1
CrWind 0 2
FoCobers 4 15
FakeNefix 0 1
FaceNiff 1 6
SpyBubble 0 2
SMSBomber 0 1
Mania 1 6
Ssmsp 0 1
Dabom 0 2
Opfake 2 608
Gasms 0 1
SendPay 1 56
Spyoo 0 3
EWalls 0 1
Fjcon 0 2
Fakelogo 0 19
Tesbo 0 2
Ackposts 0 2
Smspacem 0 1
Iconosys 1 142
Gapev 0 6
YcChar 0 1
SpyHasb 7 11
FarMap 0 2
Ansca 0 1
Pirates 0 2
Cosha 0 11
Pirater 0 1
Imlog 1 42
DroidRooter 0 2
Foncy 0 2
Adsms 0 3
Biige 0 4
Qicsom 0 1
Vdloader 0 13
GGtrack 0 3
Sakezon 8 8
FinSpy 0 3
Gonca 0 5
CgFinder 0 2
MobileTx 0 68
Placms 0 11
SmsSpy 0 1
Trackplus 1 1
Zitmo 0 14
RuFraud 0 1
BeanBot 0 6
PJApps 0 1
FakeTimer 0 11
Acnetdoor 0 1
FakeInstaller 1 918
Plankton 59 554
GinMaster 0 268
Geinimi 0 82
DroidDream 0 73
Adrd 0 70
Jifake 0 26
Stealer 0 13
Stiniter 2 6
Fidall 0 2
Kmin 7 59
JSmsHider 1 1
Dogowar 0 1
Gamex 1 3
EICAR-Test-File 1 2
SMSZombie 0 2
DroidKungFu 0 102
Xsider 0 1
BaseBridge 1 16
ExploitLinuxLotoor 0 2
Exploit.RageCage 0 0
In the following table we summarize the metrics we have calculated:

totalScans: the number of malware samples analyzed by an antimalware engine both before and after the transformations were applied.
totalMaliciousPre: the number of malware samples considered malicious before being transformed.
totalMaliciousPost: the number of malware samples considered malicious after being transformed.
totalCleanPre: the number of malware samples considered clean before being transformed.
totalCleanPost: the number of malware samples considered clean after being transformed.
clean_on_total_pre%: the percentage of malware samples considered clean (by a specific antimalware engine) over the total number of samples, before the transformations were applied.
clean_on_total_post%: the percentage of malware samples considered clean (by a specific antimalware engine) over the total number of samples, after the transformations were applied.
MTC_on_total%: the percentage of malware samples considered malicious before the transformations and clean after them, over the total number of analyzed samples.

In our analysis we obtained a surprising result on a small group of antimalware engines (e.g. 46, 10, 31): these engines show a better performance when scanning the transformed samples. The following table shows the results detailed by family: for each family it counts how many malware samples are able to "fool" the majority of the antimalware engines. Here we explain the metrics we have computed:

totalMalwares: the number of malware samples belonging to a specific family which have been analyzed, both before and after being transformed, by at least one antimalware engine.
passedMalwaresPre: the number of malware samples belonging to a specific family which are considered clean by the majority of antimalware engines before being transformed.
passedMalwaresPost: the number of malware samples belonging to a specific family which are considered clean by the majority of antimalware engines after being transformed.
passed_post_%: the percentage of passedMalwaresPost over totalMalwares.
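To make the two sets of metric definitions above concrete, here is an added Python example (not the report's tool or data) that computes them from a constructed set of pre/post verdicts; the "majority" rule (strictly more than half of the engines that scanned a sample) and the record layout are assumptions read from the definitions.

```python
from collections import defaultdict
# Constructed VirusTotal-style verdicts (not the report's data): one record per
# (sample, family, antimalware, malicious_pre, malicious_post).
SCANS = [
    ("s1", "FamX", "AV-A", True, True),
    ("s1", "FamX", "AV-B", True, False),
    ("s1", "FamX", "AV-C", True, False),
    ("s2", "FamX", "AV-A", True, False),
    ("s2", "FamX", "AV-B", True, False),
    ("s2", "FamX", "AV-C", False, False),
    ("s3", "FamX", "AV-A", True, True),
    ("s3", "FamX", "AV-B", True, True),
    ("s3", "FamX", "AV-C", True, True),
    ("s4", "FamY", "AV-A", False, False),
    ("s4", "FamY", "AV-B", False, False),
    ("s4", "FamY", "AV-C", True, True),
    ("s5", "FamY", "AV-A", True, False),  # scanned by a single engine only
]

def pct(part, whole):
    return round(100.0 * part / whole, 4) if whole else 0.0  # 4 decimals like the tables

def av_metrics(scans, av):
    """Per-antimalware metrics over every sample that engine scanned pre and post."""
    rows = [r for r in scans if r[2] == av]
    total = len(rows)
    mal_pre = sum(1 for r in rows if r[3])
    mal_post = sum(1 for r in rows if r[4])
    mtc = sum(1 for r in rows if r[3] and not r[4])  # malicious pre, clean post
    return {
        "totalScans": total,
        "totalMaliciousPre": mal_pre,
        "totalMaliciousPost": mal_post,
        "totalCleanPre": total - mal_pre,
        "totalCleanPost": total - mal_post,
        "clean_on_total_pre%": pct(total - mal_pre, total),
        "clean_on_total_post%": pct(total - mal_post, total),
        "MTC_on_total%": pct(mtc, total),
    }

def clean_by_majority(verdicts):
    # Assumption: "clean for the majority" = strictly more than half of the engines
    # that scanned this sample returned a clean verdict.
    return verdicts.count(False) * 2 > len(verdicts)

def family_metrics(scans, family):
    """Per-family metrics; a sample counts when at least one engine scanned it."""
    pre, post = defaultdict(list), defaultdict(list)
    for sample, fam, _av, m_pre, m_post in scans:
        if fam == family:
            pre[sample].append(m_pre)
            post[sample].append(m_post)
    total = len(pre)
    passed_pre = sum(clean_by_majority(v) for v in pre.values())
    passed_post = sum(clean_by_majority(v) for v in post.values())
    return {
        "totalMalwares": total,
        "passedMalwaresPre": passed_pre,
        "passedMalwaresPost": passed_post,
        "passed_post_%": pct(passed_post, total),
    }
```

On the constructed data, AV-A has MTC_on_total% = 40.0 (samples s2 and s5 flip from malicious to clean), and FamX reaches passed_post_% = 66.6667 because s3 is still caught by all three engines.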
#  Family  totalMalwares  passedMalwaresPre  passedMalwaresPost  passed_post_%
35 Penetho 18 1 18 100.0000
103 SmsWatcher 3 3 3 100.0000
50 Replicator 3 0 3 100.0000
124 TrojanSMS.Stealer 1 0 1 100.0000
66 Coogos 7 0 7 100.0000
142 Tapsnake 3 0 3 100.0000
15 SmForw 2 1 2 100.0000
82 Raden 9 0 9 100.0000
160 Koomer 2 0 2 100.0000
31 Copycat 3 2 3 100.0000
99 Kidlogger 6 1 6 100.0000
177 Maistealer 1 0 1 100.0000
46 Yzhc 25 0 25 100.0000
116 SheriDroid 2 1 2 100.0000
61 Gappusin 53 48 53 100.0000
77 Spyset 8 0 8 100.0000
154 Antares 2 0 2 100.0000
27 SMSreg 36 7 36 100.0000
95 TrojanSMS.Denofow 5 5 5 100.0000
173 SuBatt 1 0 1 100.0000
42 Luckycat 5 0 5 100.0000
112 Lypro 1 0 1 100.0000
73 Kiser 9 8 9 100.0000
150 Fsm 3 0 3 100.0000
23 Typstu 14 0 14 100.0000
90 GlodEagl 1 0 1 100.0000
167 SafeKidZone 1 1 1 100.0000
38 Zsone 8 0 8 100.0000
53 Hispo 3 0 3 100.0000
128 RATC 1 1 1 100.0000
69 Ksapp 5 0 5 100.0000
145 MTracker 1 1 1 100.0000
85 RediAssi 3 0 3 100.0000
163 Netisend 1 0 1 100.0000
34 Boxer 18 1 18 100.0000
102 RootSmart 7 0 7 100.0000
49 TrojanSMS.Hippo 7 5 7 100.0000
123 Mobinauten 8 0 8 100.0000
65 SpyMob 2 1 2 100.0000
141 Whapsni 1 0 1 100.0000
14 Nandrobox 7 0 7 100.0000
81 TheftAware 2 2 2 100.0000
159 Spy.ImLog 1 0 1 100.0000
30 Nickspy 11 0 11 100.0000
98 Generic 2 2 2 100.0000
176 SMSSend 1 0 1 100.0000
45 Glodream 49 0 49 100.0000
115 MMarketPay 1 0 1 100.0000
135 CrWind 2 0 2 100.0000
76 FoCobers 15 4 15 100.0000
153 FakeNefix 1 0 1 100.0000
26 FaceNiff 6 1 6 100.0000
93 SpyBubble 2 0 2 100.0000
172 SMSBomber 1 0 1 100.0000
41 Mania 6 1 6 100.0000
111 Ssmsp 1 0 1 100.0000
131 Dabom 2 0 2 100.0000
6 Opfake 608 2 608 100.0000
149 Gasms 1 0 1 100.0000
22 SendPay 56 1 56 100.0000
89 Spyoo 3 0 3 100.0000
166 EWalls 1 0 1 100.0000
107 Fjcon 2 0 2 100.0000
52 Fakelogo 19 0 19 100.0000
126 Tesbo 2 0 2 100.0000
68 Ackposts 2 0 2 100.0000
144 Smspacem 1 0 1 100.0000
17 Iconosys 142 1 142 100.0000
84 Gapev 6 0 6 100.0000
162 YcChar 1 0 1 100.0000
33 SpyHasb 11 7 11 100.0000
101 FarMap 2 0 2 100.0000
48 Ansca 1 0 1 100.0000
122 Pirates 2 0 2 100.0000
64 Cosha 11 0 11 100.0000
138 Pirater 1 0 1 100.0000
13 Imlog 42 1 42 100.0000
80 DroidRooter 2 0 2 100.0000
156 Foncy 2 0 2 100.0000
29 Adsms 3 0 3 100.0000
97 Biige 4 0 4 100.0000
175 Qicsom 1 0 1 100.0000
44 Vdloader 13 0 13 100.0000
114 GGtrack 3 0 3 100.0000
59 Sakezon 8 8 8 100.0000
134 FinSpy 3 0 3 100.0000
75 Gonca 5 0 5 100.0000
152 CgFinder 2 0 2 100.0000
25 MobileTx 68 0 68 100.0000
92 Placms 11 0 11 100.0000
170 SmsSpy 1 0 1 100.0000
110 Trackplus 1 1 1 100.0000
55 Zitmo 14 0 14 100.0000
130 RuFraud 1 0 1 100.0000
71 BeanBot 6 0 6 100.0000
148 PJApps 1 0 1 100.0000
20 FakeTimer 11 0 11 100.0000
165 Acnetdoor 1 0 1 100.0000
5 FakeInstaller 919 1 918 99.8912
1 Plankton 555 59 554 99.8198
3 GinMaster 269 0 268 99.6283
11 Geinimi 83 0 82 98.7952
12 DroidDream 74 0 73 98.6486
9 Adrd 72 0 70 97.2222
60 Jifake 28 0 26 92.8571
56 Stealer 14 0 13 92.8571
18 Stiniter 9 2 6 66.6667
87 Fidall 3 0 2 66.6667
10 Kmin 95 7 59 62.1053
136 JSmsHider 2 1 1 50.0000
132 Dogowar 2 0 1 50.0000
108 Gamex 6 1 3 50.0000
40 EICAR-Test-File 4 1 2 50.0000
57 SMSZombie 10 0 2 20.0000
2 DroidKungFu 561 0 102 18.1818
72 Xsider 15 0 1 6.6667
7 BaseBridge 310 1 16 5.1613
37 ExploitLinuxLotoor 61 0 2 3.2787
178 Exploit.RageCage 1 0 0 0.0000
Only 21 of the 178 families did not reach the maximum score after the transformations were applied.
CONCLUSION

In this section we summarize the main results of our experiment.

Percentage of antimalware engines that detect as malicious more than 90% of the samples they analyze:
Original malware set: 47%  Transformed malware set: 7%

Percentage of antimalware engines that detect as malicious less than half of the samples they analyze:
Original malware set: 33%  Transformed malware set: 68%
[Figure: bar charts of the two percentages above, original malware set vs transformed malware set]
Percentage of malware samples considered trusted by at least half of the antimalware engines:
Original malware set: 5%  Transformed malware set: 81%

Percentage of malware families that are considered trusted by the antimalware engines:
Original malware set: 6%  Transformed malware set: 77%

A simple transformation of a malware sample can turn a known and recognizable malware into an undetectable one. This should lead research and industry to develop detection mechanisms that are robust against these trivial evasion techniques.
[Figure: bar charts of the two percentages above, original malware set vs transformed malware set]