Automatic malware variant generation framework using Disassembly and Code Modification

  • Lee, Jong-Lark (Faculty of Cyber Security, Yeungnam University College)
  • Won, Il-Yong (Dept. of Cyber Hacking Security, Seoul Hoseo Technical College)
  • Received : 2020.10.06
  • Accepted : 2020.10.19
  • Published : 2020.11.30

Abstract

Malware is generally understood as a computer program that penetrates another computer system and carries out malicious behavior intended by its developer. In cyberspace it is also used as a cyber weapon to attack an adversary. The most important property malware must have as a cyber weapon is that it achieves its intended purpose before the adversary's detection system detects it, and producing even a single malware sample that evades that detection system requires a great deal of time and expertise. We propose a framework that, given malware in binary form as input, automatically generates variant malware using the DCM (Disassembly and Code Modification) technique. Within this framework, sample malware was automatically converted into variant malware, and we confirmed that the resulting variants were not detected by a signature-based malware detection system.
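The abstract's claim that a DCM-produced variant slips past signature-based detection rests on how brittle an exact signature is. The following Python is added here as an illustration from the detection side and is not code from the paper or its framework: it contrasts a signature computed over the verbatim instruction text with one computed over a normalized instruction stream, and adds an opcode n-gram similarity as a more tolerant third check. The instruction listings are constructed toy data (not real malware), and the normalization rules (drop NOPs, canonicalize register-zeroing idioms) are an assumption about the kind of change a disassemble-and-modify step produces, not the authors' method.

```python
"""Exact vs. normalized signatures over a toy disassembly listing.

Added example, not the paper's code. SAMPLE, VARIANT and BENIGN are constructed
textual listings; the normalization rules are assumptions for illustration.
"""
import hashlib
import re

# Constructed "original sample" listing (toy data, not real malware).
SAMPLE = [
    "push ebp",
    "mov ebp, esp",
    "mov eax, 0",
    "mov ecx, 10",
    "add eax, ecx",
    "pop ebp",
    "ret",
]

# Constructed "variant": same behaviour, with NOP padding inserted and an
# equivalent zeroing idiom substituted. Exact-text signatures break on this.
VARIANT = [
    "push ebp",
    "nop",
    "mov ebp, esp",
    "xor eax, eax",
    "mov ecx, 10",
    "nop",
    "add eax, ecx",
    "pop ebp",
    "ret",
]

# Constructed listing with genuinely different behaviour, to show that the
# normalized signature does not simply match everything.
BENIGN = [
    "push ebp",
    "mov ebp, esp",
    "sub esp, 16",
    "call 0x401000",
    "leave",
    "ret",
]

# Register-zeroing idioms treated as equivalent (assumed rule set):
# "mov R, 0", "xor R, R", "sub R, R". Backreferences tie both operands together.
ZERO_IDIOM = re.compile(r"^(?:mov (\w+), 0|xor (\w+), \2|sub (\w+), \3)$")


def exact_signature(listing):
    """Hash of the verbatim instruction text: what a naive signature keys on."""
    return hashlib.sha256("\n".join(listing).encode()).hexdigest()


def normalize(instr):
    """Canonicalize one instruction; returns None for padding to be dropped."""
    instr = re.sub(r"\s+", " ", instr.strip().lower())
    if instr == "nop":
        return None
    m = ZERO_IDIOM.match(instr)
    if m:
        reg = m.group(1) or m.group(2) or m.group(3)
        return f"zero {reg}"
    return instr


def normalized_listing(listing):
    return [n for n in (normalize(i) for i in listing) if n is not None]


def normalized_signature(listing):
    """Hash over the canonical instruction stream, immune to the two
    modification kinds modelled above."""
    return hashlib.sha256("\n".join(normalized_listing(listing)).encode()).hexdigest()


def matches(sig_fn, known, candidate):
    return sig_fn(known) == sig_fn(candidate)


def opcode_ngrams(listing, n=3):
    """Set of mnemonic n-grams from the normalized stream; a tolerant feature
    that survives small insertions or reorderings an exact hash would not."""
    ops = [c.split(" ", 1)[0] for c in normalized_listing(listing)]
    return {tuple(ops[i:i + n]) for i in range(len(ops) - n + 1)}


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 1.0


if __name__ == "__main__":
    print("exact signature matches variant:     ", matches(exact_signature, SAMPLE, VARIANT))
    print("normalized signature matches variant:", matches(normalized_signature, SAMPLE, VARIANT))
    print("normalized signature matches benign: ", matches(normalized_signature, SAMPLE, BENIGN))
    print("n-gram similarity sample/variant:    ", jaccard(opcode_ngrams(SAMPLE), opcode_ngrams(VARIANT)))
    print("n-gram similarity sample/benign:     ", jaccard(opcode_ngrams(SAMPLE), opcode_ngrams(BENIGN)))
```

The exact hash fails on the variant while both the normalized hash and the n-gram similarity still associate it with the original, and the unrelated listing stays unmatched. The point for a defender is that the paper's result is a statement about exact signatures, not about detection in general: any canonicalization step in the scanner removes the cheapest class of variants.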
