Evasion-resistant malware signature based on profiling kernel data structure objects

Abstract

Malware authors attempt in an endless effort to find new methods to evade the malware detection engines. A popular method is the use of obfuscation technologies that change the syntax of malicious code while preserving the execution semantics. This leads to the evasion of signatures that are built based on the code syntax. In this paper, we propose a novel approach to develop an evasion-resistant malware signature. This signature is based on the malware’s execution profiles extracted from kernel data structure objects and neither uses malicious code syntax specific information code execution flow information. Thus, proposed signature is more resistant to obfuscation methods and resilient in detecting malicious code variants. To evaluate the effectiveness of the proposed approach, a prototype signature generation tool called SigGENE is developed. The effectiveness of signatures generated by SigGENE evaluated using an experimental root kit-simulation tool that employs techniques commonly found in rootkits. This simulation-tool is obfuscated using several different methods. In further experiments, real-world malware samples that have different variants with the same behavior used to verify the real-world applicability of the approach. The experiments show that the proposed approach is effective, not only in generating a signature that detects the malware and its variants and defeats different obfuscation methods, but also, in producing an execution profiles that can be used to characterize different malicious attacks.