To protect their digital assets from malware attacks, most users and companies rely on anti-virus (AV) software. But protection is a full-time task, and AVs are engaged in a cat-and-mouse game in which malware tries to circumvent AV defences or make them crash, e.g., through obfuscation and polymorphism, denial-of-service attacks, and malformed packets and parameters. AVs, in turn, react by complementing signature-based detection with anomaly or behavioral detection, and by using OS protection, standard code, and binary protection techniques. Malware then counteracts, for instance by using adversarial inputs to avoid detection. This paper investigates two novel moves for the malware side. The first consists in simulating mouse events to control AVs, namely sending them mouse "clicks" that deactivate their protection. We prove that many AVs can be disabled in this way, and we call this class of attacks Ghost Control. The second consists in controlling high-integrity, white-listed applications, such as Notepad, by sending them keyboard events (such as "copy-and-paste") so that they perform malicious operations on behalf of the malware. We prove that the anti-ransomware protection feature of some AVs can be bypassed by using Notepad as a "puppet" to rewrite the content of protected files as a ransomware would. Playing with words, and recalling the cat-and-mouse game, we call this class of attacks Cut-and-Mouse.
Research center:
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Applied Security and Information Assurance Group (APSIA)
Disciplines:
Computer science
Author, co-author:
GENÇ, Ziya Alper; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
LENZINI, Gabriele; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Sgandurra, Daniele
External co-authors:
yes
Language:
English
Title:
A Game of "Cut and Mouse": Bypassing Antivirus by Simulating User Inputs
Publication date:
2019
Event name:
The 35th Annual Computer Security Applications Conference (ACSAC '19)
Event organizer:
Applied Computer Security Associates (ACSA)
Event place:
San Juan, PR, United States
Event date:
December 9-13, 2019
Audience:
International
Main work title:
Proceedings of the 35th Annual Computer Security Applications Conference