Fonte: “YAMME: a YAra-byte-signatures Metamorphic Mutation Engine”,
Paper: https://ieeexplore.ieee.org/document/10177752
Abstract:
Recognition of known malicious patterns through signature-based systems is unsuccessful against malware for which no known signature exists to identify them. These include not only zero-day but also known malicious software able to self-replicate rewriting its own code leaving unaffected its execution, namely metamorphic malware. YARA is a popular malware analysis tool that uses the so-called YARA-rules, which are built to match malicious contents within files or network packets analyzed by an Anti-Virus engine. Sometimes such content is expressed in the form of a byte-signature, i.e., a sequence of operational machine-level code. However, these can be bypassed since malware obfuscation techniques can change these sequences, rewriting them in several equivalent forms. This paper presents YAMME, a YARA-byte-signatures Metamorphic Mutation Engine to strengthen rules against some malware obfuscation techniques deployed in metamorphic mutation engines. First, it rewrites YARA-bye-signatures in several equivalent ways, as a metamorphic mutation engine would do. Second, an optimization phase exploits the YARA-rules syntax constructs to provide several rules formats, making them suitable for different real-world application requirements. YAMME rules have been evaluated on MWOR, G2, NGVCK, and MetaNG datasets, resulting in a better detection rate than that achieved by YARA-rules generated through AutoYara. Furthermore, an analysis of computational overhead required by different YAMME rules formats validates the low impact introduced by the mutation engine at the YARA-rules level.
Introduction:
Malware represents the most significant cybersecurity threat due to the exponential growth of cyberinfections caused by their wide spread. Some examples of popular malware are: Ransomware that encrypts victim data so that they cannot be accessed until a ransom amount is paid; Hardware-Trojan that can execute malicious actions in the background; Worm that can self-replicate to infect the highest possible number of assets in a computer network. Therefore, developing defense measures capable of efficiently analyzing malicious samples is critical. Malware analysis is usually divided into two main categories, i.e., static and dynamic analysis strategies. During dynamic analysis the behavior exhibiting by the malware is observed. However, this approach is not applicable in fast communication computer networks due to the latency introduced by the time required to perform the analysis itself. As a consequence, static analysis tools such as Anti-Virus (AV) are typically used since these can provide quick feedback.
