Resilience of Anti-Malware Programs to Naïve Modifications of Malicious Binaries presented at JISIC 2014

by Yuval Elovici, Mordechai Guri, Gabi Kedma, Assaf Kachlon,

Summary : The massive amounts of malware variants which are released each day demand fast in-lab analysis, along with fast in-field
detection. Traditional malware detection methodology depends on either static or dynamic in-lab analysis to identify a
suspicious file as malicious. When a file is identified as malware, the analyst extracts a structural signature, which is
dispatched to subscriber machines. The signature should enable fast scanning, and should also be flexible enough to detect
simple variants. In this paper we discuss 'naïve' variants which can be produced by a modestly skilled individual with
publically accessible tools and knowhow which, if needed, can be found on the Internet. Furthermore, those variants can be
derived directly from the malicious binary file, allowing anyone who has access to the binary file to modify it at his or her will.
Modification can be automated, to produce large amounts of variants in short time. We describe several naïve
modifications. We also put them to test against multiple antivirus products, resulting in significant decline of the average
detection rate, compared to the original (unmodified) detection rate. Since the aforementioned decline may be related, at
least in some cases, to avoidance of probable false positives, we also discuss the acceptable rate of false positives in the
context of malware detection.