Abusing file processing in malware detectors for fun and profit

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2012, Pages 80-94

  Jana, Suman ^a   Shmatikov, Vitaly ^a  

^a UNIVERSITY OF TEXAS AT AUSTIN   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

VIRUSES;

ANTI VIRUS; BLACK BOXES; FILE PROCESSING; FILE TYPES; MALICIOUS CODES; MALWARES; MANUAL ANALYSIS; SIMPLE++; TYPE INFERENCES; WEAKEST LINKS;

COMPUTER VIRUSES;

EID: 84876950829     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2012.15     Document Type: Conference Paper

References (39)

1. S. Alvarez. Antivirus insecurity. http://events.ccc.de/camp/2007/ Fahrplan/attachments/1324-AntivirusInSecuritySergioshadownAlvarez.pdf, 2007.
2. S. Alvarez and T. Zoller. The death of AV defense in depth? - revisiting anti-virus software. http://cansecwest.com/csw08/csw08-alvarez.pdf, 2008.
3. avast! Anti-virus engine malformed ZIP/CAB archive virus detection bypass. http://secunia.com/advisories/17126/, 2005.
4. A. Barth, J. Caballero, and D. Song. Secure content sniffing for web browsers, or how to stop papers from reviewing themselves. In S&P, 2009.
5. D. Bates, A. Barth, and C. Jackson. Regular expressions considered harmful in client-side XSS filters. In WWW, 2010.
6. D. Brumley, J. Caballero, Z. Liang, J. Newsome, and D. Song. Towards automatic discovery of deviations in binary implementations with applications to error detection and fingerprint generation. In USENIX Security, 2007.
7. C. Cadar, D. Dunbar, and D. Engler. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In OSDI, 2008.
8. X. Chen, J. Andersen, Z. Mao, M. Bailey, and J. Nazario. Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In DSN, 2008.
9. ClamAV. http://www.clamav.net.
10. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=evasion, 2012.
11. EICAR - The Anti-Virus or Anti-Malware Test File. http://www.eicar.org/ anti-virus-test-file.htm.
12. T. Garfinkel. Traps and pitfalls: Practical problems in system call interposition based security tools. In NDSS, 2003.
13. T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In NDSS, 2003.
14. M. Gavin. Recognizing corrupt and malformed PDF files. http://labs.appligent.com/presentations/recognizing-malformed-pdf-f.pdf.
15. P. Hooimeijer, B. Livshits, D. Molnar, P. Saxena, and M. Veanes. Fast and precise sanitizer analysis with BEK. In USENIX Security, 2011.
16. M. Hypponen. Retroviruses - how viruses fight back. http://www.hypponen. com/staff/hermanni/more/papers/retro.htm, 1994.
17. G. Kessler. File signatures table. http://www.garykessler.net/library/ file-sigs.html, 2012.
18. McAfee VirusScan vulnerability. http://www.pc1news.com/news/0665/ mcafeevirusscanvulnerability-allow-compressed-archives-to-bypass-the-scan- engine.html, 2009.
19. J. Nazario. Mime sniffing and phishing. http://http://asert. arbornetworks.com/2009/03/mime-sniffing-and-phishing/, 2009.
20. J. Oberheide, M. Bailey, and F. Jahanian. PolyPack: An automated online packing service for optimal antivirus evasion. In WOOT, 2009.
21. J. Oberheide, E. Cooke, and F. Jahanian. CloudAV: N-version antivirus in the network cloud. In USENIX Security, 2008.
22. J. Oberheide and F. Jahanian. Remote fingerprinting and exploitation of mail server antivirus engines. http://jon.oberheide.org/files/umich09-mailav. pdf, 2009.
23. Microsoft patch breaks Impress/PowerPoint compatibility. http://user.services.openoffice.org/en/forum/viewtopic.php?t=36515, 2010.
24. OpenOffice-MS interoperability bugs. http://openoffice.org/bugzilla/ buglist.cgi?keywords=ms-interoperability, 2011.
25. W. Palant. The hazards of MIME sniffing. http://adblockplus.org/blog/the- hazards-of-mime-sniffing, 2007.
26. S. Porst. How to really obfuscate your PDF malware. http://www.recon.cx/ 2010/slides/recon-2010-sebastian-porst.pdf, 2010.
27. T. Ptacek and T. Newsham. Insertion, evasion, and denial of service: Eluding network intrusion detection, 1998.
28. T. Scholte, D. Balzarotti, and E. Kirda. Quo vadis? A study of the evolution of input validation vulnerabilities in Web applications. In FC, 2011.
29. C. Sheehan. Pimp my PE: Parsing malicious and malformed executables. http://research.sunbelt-software.com/ViperSDK/Pimp%20My%20PE.ppt, 2007.
30. IE content-type logic. http://blogs.msdn.com/b/ie/archive/2005/02/01/ 364581.aspx, 2005.
31. P. Ször and P. Ferrie. Hunting for metamorphic. http://www.symantec. com/avcenter/reference/hunting.for.metamorphic.pdf.
32. Virus Total. http://www.virustotal.com.
33. VX Heavens. http://vx.netlux.org/vl.php.
34. R. Watson. Exploiting concurrency vulnerabilities in system call wrappers. In WOOT, 2007.
35. J. Weinberger, P. Saxena, D. Akhawe, M. Finifter, R. Shin, and D. Song. A systematic analysis of XSS sanitization in Web application frameworks. In ESORICS, 2011.
36. A. Wheeler and N. Mehta. 0wning antivirus. http://www.blackhat.com/ presentations/bh-europe-05/bh-eu-05-wheeler-mehta-up.pdf, 2005.
37. F. Xue. Attacking antivirus. http://www.blackhat.com/presentations/bh- europe-08/Feng-Xue/Whitepaper/bh-eu-08-xue-WP.pdf, 2008.
38. Anti-virus software may not properly scan malformed zip archives. http://www.kb.cert.org/vuls/id/968818, 2005.
39. Musing on information security. http://blog.zoller.lu/search/label/ Advisory, 2009.