Evasion techniques

The term evasion technique groups all the methods used by malware to avoid detection, analysis, and understanding. Evasion techniques can be classified into three broad categories, namely anti-security techniques, anti-sandbox techniques and anti-analyst techniques.

Anti-security techniques

These techniques are used to avoid detection by antimalware engines, firewalls, application containment, or other tools that protect the environment.

Anti-sandbox techniques

These techniques are used to detect automatic analysis and avoid engines that report on the behavior of malware. Detecting registry keys, files, or processes related to virtual environments lets malware know whether it is running in a sandbox.
Anti-analyst techniques

These techniques are used to detect and fool malware analysts, for example by spotting monitoring tools such as Process Explorer or Wireshark, or by using process-monitoring tricks, packers, or obfuscation to hinder reverse engineering.

Some advanced malware samples employ two or three of these techniques together. For example, malware can use a technique like RunPE (which runs another process of itself in memory) to evade antimalware software, a sandbox, or an analyst. Some malware detects a specific registry key related to a virtual environment, allowing the threat to evade an automatic sandbox as well as an analyst attempting to dynamically run the suspected malware binary in a virtual machine. It is important for security researchers to understand these evasion techniques to ensure that security technologies remain viable.
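As an added example (not code from the paper), the following Python triage helper scans a dynamic-analysis trace for the anti-sandbox and anti-analyst probes described above and tags them by category. The trace is constructed here, the trace line format ("<api> <argument>") is an assumption, and the indicator lists are an illustrative subset of VM-related registry keys and analysis-tool process names, not a complete catalogue.

```python
from collections import defaultdict

# Illustrative (not exhaustive) artefacts that evasive code probes for:
# substrings of VM-related registry keys, VM helper processes, and the
# analysis tools named in the text (Process Explorer, Wireshark).
VM_REGISTRY_HINTS = ("vmware", "virtualbox", "vbox", "qemu", "xen")
VM_PROCESSES = {"vmtoolsd.exe", "vboxservice.exe", "vboxtray.exe"}
ANALYST_PROCESSES = {"procexp.exe", "procexp64.exe", "wireshark.exe"}

# Constructed sample trace, one call per line: "<api> <argument>".
SAMPLE_TRACE = """\
RegOpenKeyExW HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
RegOpenKeyExW HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools
RegQueryValueExW HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion
Process32NextW explorer.exe
Process32NextW wireshark.exe
Process32NextW vboxservice.exe
GetTickCount -
"""


def classify_trace(trace: str) -> dict:
    """Return {evasion category: [trace lines that are evidence for it]}.

    Registry reads naming a VM vendor and enumeration of VM helper processes
    count as anti-sandbox; enumeration of analysis tools counts as anti-analyst.
    Lines that match nothing are ignored, so a benign trace yields {}.
    """
    hits = defaultdict(list)
    for line in trace.splitlines():
        api, _, arg = line.partition(" ")
        low = arg.lower()
        if api.startswith("Reg") and any(h in low for h in VM_REGISTRY_HINTS):
            hits["anti-sandbox"].append(line)
        elif api.startswith("Process32") and low in VM_PROCESSES:
            hits["anti-sandbox"].append(line)
        elif api.startswith("Process32") and low in ANALYST_PROCESSES:
            hits["anti-analyst"].append(line)
    return dict(hits)


def evasion_score(trace: str) -> int:
    """Number of distinct evasion categories seen; samples combining two or
    more, as the text describes, are the ones worth manual triage."""
    return len(classify_trace(trace))


if __name__ == "__main__":
    for category, evidence in classify_trace(SAMPLE_TRACE).items():
        print(category, "->", evidence)
    print("evasion score:", evasion_score(SAMPLE_TRACE))
```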
Figure 3: Evasion technique use by malware

Malware detection on mobile devices

The basic difference between a PC and a mobile device is that the mobile device is constrained in terms of computation power, memory and battery resources. The exploits targeted at mobile devices also differ significantly from those on PCs because of differences in operating systems and hardware; for example, the majority of mobile devices are based on the ARM architecture. Hence, PC-based methods need due consideration before they are applied to mobile devices. The detection method must use memory and computational resources efficiently and must not drain the device battery.
The detection method must also be cost-efficient to update over the wireless network. There are two general ways of protecting a mobile device. One is to offer protection at the device level, and the other is to offer protection at the network level by inspecting packets destined for the device.
Device-based protection detects and cleans malware, including viruses, Trojans and spyware, that is installed on the device, whereas network-based protection looks to detect and prevent intrusions in the network.

Malware Analysis Classification

All classification approaches taken in the literature can basically be categorized into two types: (i) those based on features drawn from an unpacked static version of the executable file and (ii) those based on dynamic features of the packed executable file. These approaches are further classified into signature-based, behavior-based, hybrid and machine-learning-based approaches.
Signature-based approaches are simple and capable of operating online in real time. They detect only known malware and are not useful for detecting new, unknown and stealthy malware. They are less robust against evasion techniques, i.e., obfuscation transformations can easily defeat signature-based detection mechanisms. A signature-matching algorithm is well suited for use in mobile device scanning due to its low memory requirements.
Behavior-based approaches are designed for analyzing malware dynamically, thereby allowing them to detect unknown malware efficiently. They rely on system call sequences or graphs to model a malicious specification or pattern. Behavior-based methods and machine-learning methods are dynamic approaches.
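As an added example (not code from the paper), the following Python code contrasts the two approaches just described on one sample: a byte-signature matcher, and a behavior matcher that models a malicious pattern as n-grams of a system call sequence. The sample bytes, the signatures, the system call trace and the "drop and execute" pattern are all constructed, and a byte-wise XOR stands in for a packer; the point shown is that the transformation defeats the signature while the behavioral model, which needs a dynamic trace of the running sample, still matches.

```python
from typing import Iterable

# Signature-based: fixed byte patterns extracted from a known sample (constructed).
SIGNATURES = (b"botnet_cmd_v2", b"\\Run\\svchosts.exe")


def signature_scan(payload: bytes) -> set:
    """Return the signatures found in the raw bytes of an executable file."""
    return {sig for sig in SIGNATURES if sig in payload}


# Behavior-based: a malicious pattern is modelled as n-grams of system calls.
def ngrams(calls: Iterable[str], n: int = 3) -> set:
    calls = list(calls)
    return {tuple(calls[i:i + n]) for i in range(len(calls) - n + 1)}


# Constructed "drop and execute" pattern: write a file, close it, start it.
MALICIOUS_PATTERN = ngrams(["NtCreateFile", "NtWriteFile", "NtClose",
                            "NtCreateUserProcess"])


def behavior_scan(trace: Iterable[str], n: int = 3) -> set:
    """Return the malicious n-grams observed in a dynamic system call trace."""
    return ngrams(trace, n) & MALICIOUS_PATTERN


def obfuscate(payload: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for a packer: a byte-wise XOR changes the bytes, not the behavior."""
    return bytes(b ^ key for b in payload)


# Constructed sample: its bytes carry both signatures and, when run, its trace
# shows the drop-and-execute pattern after some benign registry activity.
KNOWN_SAMPLE = b"MZ\x90\x00...botnet_cmd_v2...\\Run\\svchosts.exe..."
KNOWN_TRACE = ["NtOpenKey", "NtQueryValueKey", "NtCreateFile", "NtWriteFile",
               "NtClose", "NtCreateUserProcess"]


def detect(payload: bytes, trace: Iterable[str]) -> dict:
    """Verdict of each approach on one sample, keyed by approach name."""
    return {"signature": bool(signature_scan(payload)),
            "behavior": bool(behavior_scan(trace))}


if __name__ == "__main__":
    print("original  :", detect(KNOWN_SAMPLE, KNOWN_TRACE))
    print("obfuscated:", detect(obfuscate(KNOWN_SAMPLE), KNOWN_TRACE))
```

The static matcher needs only the signature table, which is why the text calls it well suited to memory-constrained mobile scanning; the behavioral matcher needs the sample to be executed and traced first.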
Anomaly-based approaches, also known as profile-based approaches, profile the statistical features of normal traffic. Any deviation from the profile is treated as suspicious. They detect previously unknown attacks, but they show high false-positive ratios when the normal activities are diverse and unpredictable.
Specification-based approaches are similar to anomaly detection, but they are based on manually developed specifications that capture legitimate (rather than previously seen) system behaviors. They avoid the high false-alarm rates caused by legitimate but unseen behavior in the anomaly detection approach. Their drawback is that developing detailed specifications is time-consuming. Thus, one has to trade off specification development effort against increased false negatives (i.e., the likelihood that some attacks may be missed).

Heuristic approaches for detection on PCs include semantics-based, visualization-based, social-network-based, entropy-based, cryptography-based, difference-equation-based and kernel-based detection approaches. For detection on mobile devices, immune-system-based, memory-acquisition-based, suspicious-API-call-pattern, differential-fault-analysis and inter-component-communication approaches come under the heuristic category.

Much research has been conducted on developing automatic malware classification systems using data mining and machine-learning approaches.
However, due to the various stealth techniques designed by malware authors, most malware remains undetectable.

Organization

This paper presents a detailed insight into malware analysis in both the Personal Computer (PC) domain and the mobile domain, based on a literature survey covering work from 1987 onwards. First, the various forms of malware and the impact of malware on PCs and mobile phones are discussed, with a focus on their prevalence in the most used operating systems, namely Windows (for PCs) and Android (for mobile).
Second, the literature survey compares contemporary detection approaches with earlier approaches and discusses their advantages and disadvantages. Finally, research questions and findings are discussed, giving key ideas for malware researchers to develop a more robust and efficient detection approach that improves protection, reduces risks and is applicable to real-world scenarios.