Categories of Evasion Techniques

Categories of Evasion Techniques Evasion techniques The term evasion technique groups all the methods used by malware to avoid detection, analysis, and understanding. The evasion techniques can be classified into three broad categories, namely, anti-security techniques, anti-sandbox techniques and anti-analyst techniques. Anti-security techniques These techniques are used to avoid detection by antimalware engines, firewalls, application containment, or other tools that protect the environment. Anti-sandbox techniques These techniques are used to detect automatic analysis and avoid engines that report on the behavior of malware. Detecting registry keys, files, or processes related to virtual environments lets malware know if it is running in a sandbox. Anti-analyst techniques These techniques are used to detect and fool malware analysts, for example, by spotting monitoring tools such as Process Explorer or Wireshark, as well as some process-monitoring tricks, packers, or obfuscation to avoid reverse engineering. Some advanced malware samples employ two or three of these techniques together. For example, malware can use a technique like RunPE (which runs another process of itself in memory) to evade antimalware software, a sandbox, or an analyst. Some malware detects a specific registry key related to a virtual environment, allowing the threat to evade an automatic sandbox as well as an analyst attempting to dynamically run the suspected malware binary in a virtual machine. It is important for security researchers to understand these evasion techniques to ensure that security technologies remain viable. Malware detection on mobile devices The basic differences between a PC and mobile device are constrained in terms of computation power, memory and limited battery resources. The targeted exploits of mobile malware are also significantly different from those on PC due to the differences in operating systems and hardware. For e.g. Majority of mobile devices are based on the ARM architecture. Hence, we need to provide due consideration when using the PC based methods for mobile devices. The detection method must use memory and computational resources efficiently and not drain the device battery. The detection method must be cost-efficient to update over the wireless network. There are two general ways of protecting the mobile device. One is to offer protection at the device level and the other is to offer protection at the network level by inspecting packets destined for the device. Device based protection detects and cleans malware including viruses, Trojans and spyware that are installed on the device whereas network based protection looks to detect and prevent intrusions in the network. Malware Analysis Classification All classification approaches taken in the literature can basically be categorized into two types: (i) based on features drawn from an unpacked static version of the executable file and (ii) based on dynamic features of the packed executable file. These approaches are further classified into signature based, behavior based, hybrid based and machine learning based approaches. Signature based approaches are simple and capable to operate online in real time. They detect only known malwares and are not useful for detecting new, unknown and stealthy malwares. They are less powerful with respect to evasion techniques (i.e) obfuscation transformations can easily defeat signature-based detection mechanisms. A signature matching algorithm is well suited for use in mobile device scanning due to its low memory requirements. Behavior based approaches are designed for analyzing the malwares dynamically, thereby allowing it to detect unknown malwares efficiently. They rely on system call sequences/graphs to model a malicious specification/pattern. Behavior-based methods and machine learning methods are dynamic approaches. Anomaly-based approaches, also known as profile-based approaches, profile the statistical features of normal traffic. Any deviation from the profile will be treated as suspicious. They detect previously unknown attacks, but they showed high false-positive ratios when the normal activities are diverse and unpredictable. Specification-based approaches are similar to anomaly detection, but they are based on manually developed specifications that capture legitimate (rather than previously seen) system behaviors. They avoid high false alarm rates caused by legitimate but unseen behavior in the anomaly detection approach. Their drawback lies in more time-consumption as they develop detailed specifications. Thus, one has to trade off specification development effort for increased false negatives (i.e., likelihood that some attacks may be missed). Heuristic approaches for detection in PCs include semantics-based, visualization-based, social network based, entropy based, cryptographic based, difference equation based, kernel based detection approaches. For detection in mobile, immune system-based, memory acquisition-based, suspicious API call patterns, differential fault analysis approach, Intercomponent communications are the approaches that comes under heuristic category. Much research has been conducted on developing automatic malware classification systems using data mining and machine-learning approaches. However, due to various stealth techniques designed by malware authors, most malwares remain undetectable. Organization This paper presents a detailed insight on malware analysis in both the Personal Computer (PC) domain and the mobile domain, based on literature survey done from 1987. First, the various forms of malware and the impact of malware in PC and mobile phones are discussed. Also, their prevalence in most used operating systems such as Windows (for PCs) and Android (for mobile) is focused. Second, the literature survey explaining the contemporary detection approaches are compared with the ancient approaches and their advantages and disadvantages are discussed. Finally, research questions and findings are discussed, giving key ideas for malware researchers to develop a more robust and efficient detection approach, to improve protection and reduce risks, applicable to real-world scenario.