2Faces: a new model of malware based on dynamic compiling and reflection

Casolare R.; Mercaldo F.; Russodivito M.; Santone A.
2021-01-01

Abstract

Malware writers are continually looking for new ways to evade antimalware checks. To do so, they exploit a structural weakness of current antimalware products, which cannot detect zero-day threats: to recognize malicious behavior they need a signature for it, and that signature must already be stored in their database, so a malware sample can be recognized only once it is already widespread. In this paper we propose a novel malware model with the aim of promoting the development of innovative malware detection paradigms. The proposed model is based on the combination of the following mechanisms: dynamic compiling, reflection and dynamic loading, used to combine a series of source code snippets into a running application and to dynamically alter the normal flow of program execution. We implemented the proposed malware model in the 2Faces Android application. We also show that current antimalware technologies are not able to identify the proposed malware model, and we discuss the countermeasures that can be adopted to detect the 2Faces malware.
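The three mechanisms named in the abstract can be modelled in a few lines. The following is an added example written for this page, not code from the 2Faces application (which targets Android and uses the platform's own compiler and class loaders): the "shipped" program holds only inert source fragments and a loader; at run time it assembles the fragments, compiles them into an in-memory module, loads that module, and calls the target function through reflection, so the payload's name never appears contiguously on disk. The fragments, the `read_contacts` stand-in payload, the `store` input and the list of flagged primitives are all constructed for the example; flagging the dynamic-code primitives themselves, rather than a payload signature, is one countermeasure in the spirit of the paper's discussion, not its stated method.

```python
"""Toy model of the 2Faces pattern (added example, not the paper's code).

Shipped artifact: inert source fragments plus a loader.
Run time: (1) dynamic compiling of the assembled fragments,
          (2) dynamic loading of the resulting module,
          (3) reflection to call a function whose name is never a literal.
"""
import inspect
import sys
import types

# Constructed fragments. The payload (a function that lists the keys of a
# "contacts" store) is split so neither its name nor its body is a single
# string in the shipped program.
FRAGMENTS = [
    "def ",
    "read_con", "tacts",
    "(store):\n",
    "    return sorted(store.keys())\n",
]


def assemble_source(fragments):
    """Join the fragments into the source text that only ever exists in memory."""
    return "".join(fragments)


def compile_and_load(source, module_name="snippet"):
    """Dynamic compiling + dynamic loading: turn source text into a live module."""
    code = compile(source, f"<{module_name}>", "exec")
    module = types.ModuleType(module_name)
    exec(code, module.__dict__)
    sys.modules[module_name] = module
    return module


def invoke_by_reflection(module, name_parts, *args):
    """Reflection: reassemble the target name, look it up, then call it."""
    target = getattr(module, "".join(name_parts))
    return target(*args)


def run_two_faces(store):
    """The runtime path: nothing here names the payload until it is executing."""
    module = compile_and_load(assemble_source(FRAGMENTS))
    return invoke_by_reflection(module, ["read_con", "tacts"], store)


def shipped_artifact():
    """Approximates what a scanner sees on disk: fragment literals + loader code."""
    loader = "".join(
        inspect.getsource(f)
        for f in (assemble_source, compile_and_load, invoke_by_reflection)
    )
    return repr(FRAGMENTS) + "\n" + loader


def signature_scan(program_source, signature="read_contacts"):
    """Signature-style check: is the known payload name present verbatim?"""
    return signature in program_source


# Constructed list of primitives that enable runtime code assembly. A detector
# that flags these does not need a signature for the payload itself.
DYNAMIC_CODE_PRIMITIVES = ("compile(", "exec(", "getattr(", "types.ModuleType(")


def dynamic_code_indicators(program_source):
    """Countermeasure: report which dynamic-code primitives the artifact uses."""
    return sorted(p for p in DYNAMIC_CODE_PRIMITIVES if p in program_source)


if __name__ == "__main__":
    contacts = {"bob": 1, "alice": 2}  # constructed input
    print("payload result:", run_two_faces(contacts))
    print("signature in memory:", signature_scan(assemble_source(FRAGMENTS)))
    print("signature on disk:  ", signature_scan(shipped_artifact()))
    print("primitives on disk: ", dynamic_code_indicators(shipped_artifact()))
```

The point of the two scans is the asymmetry the abstract describes: the signature is present in the assembled source but absent from the shipped artifact, while the loader primitives are present in the artifact regardless of which payload the fragments encode. On Android the corresponding indicators are the compiler and class-loader APIs rather than `compile`/`exec`/`getattr`, and, as the paper notes, benign apps also use them, so such a check is a trigger for deeper analysis rather than a verdict on its own.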

Use this identifier to cite or link to this document: https://hdl.handle.net/11695/107208