The use of mobile devices in our everyday lives has become widespread. In recent years, the number of smartphones sold globally has surpassed the number of desktop computers sold. Malware authors have followed this trend and developed sophisticated malware aimed at mobile platforms as well as desktop platforms. Particular interest is being shown in Microsoft's Windows operating system for desktop computers and the Android operating system for mobile devices. Malware is a general term for any software that is installed on a machine and performs unwanted tasks. Malware became known to many computer users through the widespread infections at the turn of the third millennium, which used email attachments as their primary infection vector. The year 2004 saw the release of the first malicious software aimed at smartphones, Cabir. This malware spread between mobile devices that had Bluetooth enabled in discoverable mode and exploited the limited resources of the devices of that time, in particular battery life.

Infection vectors for malware have changed over the years, moving from the traditional desktop platform to mobile devices. Viruses initially spread through infected floppy discs. When Internet connectivity became more ubiquitous, malware spread using techniques such as mass email lists or web vulnerabilities. Infection vectors for mobile malware followed a similar path, moving from simple SMS or MMS vectors to Bluetooth, email and web vulnerabilities.
Malware concealment strategies
Malware concealment strategies serve one purpose: the survival of malicious code. The longer malware can protect itself from detection, the more time it has for replication and infection. In this section, we will discuss the malware lifecycle as well as various malware concealment strategies.
The malware lifecycle
The malware lifecycle is made up of four phases, as shown in figure 1 (right). Concealment strategies aim to increase the span of time between the infection and detection phases. In addition, these strategies aim to make analysis of the malware difficult for anti-malware developers. Through concealment strategies, malware authors aim to spread and prosper, keeping their code out of plain sight.
Malware detection strategies
Malware authors are increasingly aware of the security measures devised and used in commercial as well as domestic settings. They have become more skilled at hiding their malicious programmes so that they operate quietly. These attacks have become so advanced that they can sometimes go undetected for weeks, or even months, as in the case of Stuxnet. Some malware detection strategies currently in use are:
Static analysis is the process of extracting static information from a file without executing it. This information is used to build a profile of the file using techniques such as calculating file hashes, scanning the file with different anti-virus and anti-malware engines, and extracting file information.
Static taint analysis detects the information flow of a set of instructions that are influenced by the user's input. The basic idea is to identify and label variables that have been 'tainted' with input controlled by the user. Any operation that derives a value for another object from a tainted object taints that object too. Simple checks on these variables can indicate possible attacks, such as cross-site scripting, SQL injection and malicious script injection.
Dynamic analysis, or behavioural analysis, is the process of analysing the actions of a programme in the course of its execution. The main idea is to execute a code sample within a controlled environment (such as a virtual machine), monitoring its behaviour and obtaining further information about its nature and purpose. Through this analysis, the researcher is able to assess the threat more accurately and design appropriate countermeasures.
Dynamic taint analysis is an extension of the static technique described above. It was originally published by Newsome and Song of Carnegie Mellon University in 2005. Data originating from or derived from untrusted sources, such as the network, is labelled as tainted. The technique tracks in real time how labelled data impacts other data in a way that might leak the original sensitive data. As originally proposed, tracking was performed at the instruction level. Finally, the impacted data is identified before it leaves the system, usually at the network interface level.
Heuristic analysis combines a few known facts with experience to reach a classification decision, and is regarded as a branch of artificial intelligence. The term 'heuristic' refers to the act of discovering the solution to a problem. These analysis and detection mechanisms employ data mining and machine learning techniques to review, trace and analyse the behaviour of the application code. Through these methods, heuristics look for pieces of programme code that resemble a virus, rather than looking for specific virus signatures.
Hybrid malware analysis is a newer technique that combines static code analysis with dynamic code analysis. It combines the benefits of static code analysis with those of virtual machine analysis.

Detection is the process of analysing code and deciding whether it is genuinely benign or malicious. Robust malware detection strategies depend on how efficiently obfuscated malware is detected. Simple strategies, such as trusting and installing only digitally signed applications, are one way of limiting malware infection. However, given the vast number of applications available on the Internet, especially through peer-to-peer sites, one cannot expect all applications to be digitally signed.
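The static and dynamic taint analyses described above, as an added example that is not part of the original article: a toy taint-propagation pass over a constructed instruction list, in which the source and sink names (read_input, recv, sql_query, send, exec) and the mini-IR instruction forms are assumptions made for illustration. The same propagation rule serves the static case (walking the instructions) and the dynamic case (labelling network input and flagging it when it reaches an outbound or execution sink).

```python
# Added example, not the article's code: toy taint propagation over a
# constructed three-address instruction list. Source calls taint their
# result, any operation reading a tainted value taints its result, and a
# tainted value reaching a sink is reported. Literals are ("lit", value).
SOURCES = {"read_input", "recv"}       # assumed taint-introducing calls
SINKS = {"sql_query", "send", "exec"}  # assumed sensitive sinks

def taint_analyze(program):
    """Return (findings, tainted): (index, sink, tainted args) hits and the
    set of variables still tainted after the last instruction."""
    tainted, findings = set(), []
    for idx, ins in enumerate(program):
        kind, dst = ins[0], ins[1]
        if kind == "assign":            # dst = src
            tainted.discard(dst)
            if ins[2] in tainted:
                tainted.add(dst)
        elif kind == "binop":           # dst = a <op> b
            tainted.discard(dst)
            if ins[2] in tainted or ins[3] in tainted:
                tainted.add(dst)
        elif kind == "sanitize":        # dst = sanitized(src): taint cleared
            tainted.discard(dst)
        elif kind == "call":            # dst = func(args); dst may be None
            func, args = ins[2], ins[3]
            bad = [a for a in args if a in tainted]
            if func in SINKS and bad:
                findings.append((idx, func, bad))
            if dst is not None:
                tainted.discard(dst)
                if func in SOURCES or bad:
                    tainted.add(dst)
    return findings, tainted

# Constructed sample: an injection path and a network-input-to-exec path.
PROGRAM = [
    ("call", "name", "read_input", []),
    ("assign", "prefix", ("lit", "SELECT * FROM users WHERE name=")),
    ("binop", "q", "prefix", "name"),
    ("call", None, "sql_query", ["q"]),   # reported: q derives from name
    ("sanitize", "clean", "name"),
    ("binop", "q2", "prefix", "clean"),
    ("call", None, "sql_query", ["q2"]),  # not reported: clean was sanitized
    ("call", "pkt", "recv", []),
    ("call", "cmd", "parse", ["pkt"]),    # cmd inherits taint from pkt
    ("call", None, "exec", ["cmd"]),      # reported: tainted data reaches exec
]
if __name__ == "__main__":
    for idx, sink, args in taint_analyze(PROGRAM)[0]:
        print(f"instruction {idx}: tainted {args} reach sink {sink}")
```

Real implementations track taint per byte or per register and must also handle implicit flows through control dependencies, which this flat propagation rule ignores.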