Paper published in a book (Scientific congresses, symposiums and conference proceedings)
A Game of "Cut and Mouse": Bypassing Antivirus by Simulating User Inputs
Genç, Ziya Alper; Lenzini, Gabriele; Sgandurra, Daniele
2019, in Proceedings of the 35th Annual Computer Security Applications Conference
Peer reviewed
Details



Keywords :
Antivirus; Ransomware; Evasion; Vulnerability; Simulated Inputs
Abstract :
To protect their digital assets from malware attacks, most users and companies rely on anti-virus (AV) software. But AV protection is a full-time task, and AVs are engaged in a cat-and-mouse game in which malware, e.g., through obfuscation and polymorphism, denial-of-service attacks, and malformed packets and parameters, tries to circumvent AV defences or make them crash. On the other hand, AVs react by complementing signature-based detection with anomaly or behavioural detection, and by using OS protection, standard code, and binary protection techniques. Further, malware counteracts, for instance by using adversarial inputs to avoid detection. This paper investigates two novel moves for the malware side. The first consists in simulating mouse events to control AVs, namely sending them mouse "clicks" to deactivate their protection. We prove that many AVs can be disabled in this way, and we call this class of attacks Ghost Control. The second consists in controlling high-integrity white-listed applications, such as Notepad, by sending them keyboard events (such as "copy-and-paste") to perform malicious operations on behalf of the malware. We prove that the anti-ransomware protection feature of some AVs can be bypassed if we use Notepad as a "puppet" to rewrite the content of protected files as a ransomware would do. Playing with the words, and recalling the cat-and-mouse game, we call this class of attacks Cut-and-Mouse.
Research center :
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Applied Security and Information Assurance Group (APSIA)
Disciplines :
Computer science
Author, co-author :
Genç, Ziya Alper ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Lenzini, Gabriele ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Sgandurra, Daniele
External co-authors :
yes
Language :
English
Title :
A Game of "Cut and Mouse": Bypassing Antivirus by Simulating User Inputs
Publication date :
2019
Event name :
The 35th Annual Computer Security Applications Conference (ACSAC '19)
Event organizer :
Applied Computer Security Associates (ACSA)
Event place :
San Juan, PR, United States
Event date :
December 9-13, 2019
Audience :
International
Main work title :
Proceedings of the 35th Annual Computer Security Applications Conference
Publisher :
ACM, New York, United States
ISBN/EAN :
978-1-4503-7628-0
Pages :
456-465
Peer reviewed :
Peer reviewed
Focus Area :
Security, Reliability and Trust
European Projects :
H2020 - 779391 - FutureTPM - Future Proofing the Connected World: A Quantum-Resistant Trusted Platform Module
FnR Project :
FNR13234766 - No More Cryptographic Ransomware, Proof Of Concept, 2018 (01/11/2018-31/01/2021) - Gabriele Lenzini
Funders :
FNR - Fonds National de la Recherche [LU]
CE - Commission Européenne [BE]
Available on ORBilu :
since 27 January 2020
