Dissecting Malware in the Wild
Hamish Spencer, Wei Wang, Ruoxi Sun, and Minhui Xue

TL;DR
This paper examines various malware manipulation techniques designed to evade machine learning-based detectors, testing their effectiveness in altering malware signatures without affecting malicious functionality.
Contribution
It provides a comparative analysis of different malware evasion tactics and evaluates their success in deceiving static malware detectors.
Findings
Certain manipulation tactics are more effective in evading detection.
Some alterations preserve malware functionality while changing signatures.
The study identifies the most successful evasion strategies.
Abstract
With the increasingly rapid development of new malicious computer software by bad-faith actors, both commercial and research-oriented antivirus detectors have come to make greater use of machine learning tactics to identify such malware as harmful before end users are exposed to its effects. This, in turn, has spurred the development of tools that allow known malware to be manipulated so that it evades classification as dangerous by these machine learning-based detectors while retaining its malicious functionality. These manipulations work by applying a set of changes to Windows programs that produce a different file structure and signature without altering the software's capabilities. Various proposals have been made for the most effective way of applying these alterations to input malware to deceive static malware detectors; the purpose of this…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Adversarial Robustness in Machine Learning
