Reference : Cut-and-Mouse and Ghost Control: Exploiting Antivirus Software with Synthesized Inputs
Scientific journals : Article
Engineering, computing & technology : Computer science
Security, Reliability and Trust
Cut-and-Mouse and Ghost Control: Exploiting Antivirus Software with Synthesized Inputs
Genç, Ziya Alper mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > IRiSC >]
Lenzini, Gabriele mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > IRiSC >]
Sgandurra, Daniele [RoyalHolloway, University of London]
Digital Threats: Research and Practice
Association for Computing Machinery
Yes (verified by ORBilu)
New York, NY
[en] antivirus ; ransomware ; evasion ; vulnerability ; synthesize inputs ; simulate mouse
[en] To protect their digital assets from malware attacks, most users and companies rely on antivirus (AV) software. AVs' protection is a full-time task against malware: This is similar to a game where malware, e.g., through obfuscation and polymorphism, denial of service attacks, and malformed packets and parameters, tries to circumvent AV defences or make them crash. However, AVs react by complementing signature-based detection with anomaly or behavioral analysis, and by using OS protection, standard code, and binary protection techniques. Further, malware counter-acts, for instance, by using adversarial inputs to avoid detection, and so on. In this cat-and-mouse game, a winning strategy is trying to anticipate the move of the adversary by looking into one's own weaknesses, seeing how the adversary can penetrate them, and building up appropriate defences or attacks. In this article, we play the role of malware developers and anticipate two novel moves for the malware side to demonstrate the weakness in the AVs and to improve the defences in AVs' side. The first one consists in simulating mouse events to control AVs, namely, to send them mouse "clicks" to deactivate their protection. We prove that many AVs can be disabled in this way, and we call this class of attacks Ghost Control. The second one consists in controlling whitelisted applications, such as Notepad, by sending them keyboard events (such as "copy-and-paste") to perform malicious operations on behalf of the malware. We prove that the anti-ransomware protection feature of AVs can be bypassed if we use Notepad as a "puppet" to rewrite the content of protected files as a ransomware would do. Playing with the words, and recalling the cat-and-mouse game, we call this class of attacks Cut-and-Mouse. We tested these two attacks on 29 AVs, and the results show that 14 AVs are vulnerable to Ghost Control attack while all 29 AV programs tested are found vulnerable to Cut-and-Mouse. Furthermore, we also show some weaknesses in additional protection mechanisms of AVs, such as sandboxing and CAPTCHA verification. We have engaged with the affected AV companies, and we reported the disclosure communication with them and their responses.
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Other
Fonds National de la Recherche - FnR
Researchers ; Professionals ; Students ; General public
H2020 ; 779391 - FutureTPM - Future Proofing the Connected World: A Quantum-Resistant Trusted Platform Module
FnR ; FNR13234766 > Gabriele Lenzini > NoCry PoC > No More Cryptographic Ransomware Proof Of Concept > 01/11/2018 > 31/10/2020 > 2018

File(s) associated to this reference

Fulltext file(s):

Open access
gls2021.pdfPublisher postprint1.81 MBView/Open

Bookmark and Share SFX Query

All documents in ORBilu are protected by a user license.