Abstract:
Most commercial antiviruses are signature based: they compare files against an existing
database of signatures to detect malware. Malware authors use code obfuscation techniques to evade
such detection. Metamorphic malware changes its internal structure from one copy to the next,
so a signature extracted from one sample does not match the others. The literature also describes
a number of detection techniques aimed at obfuscated malware. Havex is a malware family used in a
cyberespionage campaign run by the attacker group known as Dragonfly or Energetic Bear; it infects
Windows systems. It has so far targeted multiple sectors, including industrial/machinery, manufacturing,
pharmaceutical, construction, education and information technology, with ICS and SCADA systems as its
main target. Havex uses multiple attack vectors to compromise its targets and relies on
command-and-control infrastructure to download its set of payloads.
Effective defense against malware requires understanding how it is constructed, which includes
studying the obfuscation techniques it uses and how those techniques can be extended. This thesis
focuses on malware obfuscation techniques, specifically dead code insertion, instruction substitution
and function permutation. The objective is to make detection difficult by implementing these techniques so that the morphed code bypasses detection. The Havex malware is used as a proof of concept for our antivirus evasion strategy. We use Hidden Markov Models (HMM), a statistics-based machine learning detection method, to test the effectiveness of our code morphing. The results demonstrate the strength of the implemented obfuscation techniques.
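As an added illustration of the three transforms named above (not code from the thesis, which morphs the Havex binary itself), the following Python sketch applies dead code insertion, instruction substitution and function permutation to a constructed toy x86-style listing. The listing, the `morph` engine, the tiny register interpreter and the hash-based `signature` stand-in are all assumptions made for this example; a tiny interpreter checks that the morphed variant computes the same result, while the opcode-sequence signature no longer matches.

```python
import hashlib
import random

REGS = ("eax", "ebx", "ecx", "edx")
MASK = 0xFFFFFFFF  # emulate 32-bit register arithmetic

# Constructed toy listing (not Havex code): function name -> list of instruction tuples.
# f_main calls f_helper, so execution order is fixed by the call graph, not by file layout.
SAMPLE = {
    "f_main":   [("mov", "eax", 5), ("call", "f_helper"), ("add", "eax", "ecx"), ("ret",)],
    "f_helper": [("mov", "ecx", 0), ("add", "ecx", 7), ("sub", "ecx", 2), ("ret",)],
}


def execute(program, entry="f_main"):
    """Interpret the handful of mnemonics used here; return the final register file."""
    regs = {r: 0 for r in REGS}
    stack = []
    val = lambda x: regs[x] if isinstance(x, str) else x & MASK  # register or immediate

    def run(name):
        for ins in program[name]:
            op = ins[0]
            if op == "mov":    regs[ins[1]] = val(ins[2])
            elif op == "add":  regs[ins[1]] = (regs[ins[1]] + val(ins[2])) & MASK
            elif op == "sub":  regs[ins[1]] = (regs[ins[1]] - val(ins[2])) & MASK
            elif op == "xor":  regs[ins[1]] ^= val(ins[2])
            elif op == "push": stack.append(val(ins[1]))
            elif op == "pop":  regs[ins[1]] = stack.pop()
            elif op == "xchg": regs[ins[1]], regs[ins[2]] = regs[ins[2]], regs[ins[1]]
            elif op == "call": run(ins[1])
            elif op == "nop":  pass
            elif op == "ret":  return
            else: raise ValueError("unknown mnemonic %r" % op)

    run(entry)
    return regs


def substitute(ins, rng):
    """Instruction substitution: replace one instruction with an equivalent sequence."""
    op = ins[0]
    if op == "mov" and isinstance(ins[2], int):          # mov r, imm
        r, imm = ins[1], ins[2]
        if imm == 0:
            return [("xor", r, r)]
        return rng.choice([[("xor", r, r), ("add", r, imm)],
                           [("push", imm), ("pop", r)]])
    if op == "mov":                                       # mov r1, r2
        return [("push", ins[2]), ("pop", ins[1])]
    if op in ("add", "sub") and isinstance(ins[2], int):  # add r, imm <-> sub r, -imm
        return [("sub" if op == "add" else "add", ins[1], -ins[2])]
    return [ins]                                          # no rule for this instruction


def dead_code(rng):
    """Dead code insertion: a semantic no-op that leaves registers and stack unchanged."""
    r = rng.choice(REGS)
    return rng.choice([[("nop",)], [("push", r), ("pop", r)], [("add", r, 0)],
                       [("xchg", r, r)], [("mov", r, r)]])


def morph(program, seed):
    """Apply substitution, then dead code insertion, then function permutation."""
    rng = random.Random(seed)
    out = {}
    for name, body in program.items():
        new = []
        for ins in body:
            new.extend(substitute(ins, rng))
            if ins[0] != "ret" and rng.random() < 0.5:   # splice junk after ~half the instructions
                new.extend(dead_code(rng))
        out[name] = new
    order = list(out)
    rng.shuffle(order)  # function permutation: new layout order, call graph untouched
    return {n: out[n] for n in order}


def opcode_sequence(program):
    """Opcodes in file layout order; the feature a static signature (or an HMM) would see."""
    return [ins[0] for body in program.values() for ins in body]


def signature(program):
    """Stand-in for a byte signature: hash of the opcode sequence in layout order."""
    return hashlib.sha256(" ".join(opcode_sequence(program)).encode()).hexdigest()


if __name__ == "__main__":
    variant = morph(SAMPLE, seed=1)
    print("original :", opcode_sequence(SAMPLE))
    print("morphed  :", opcode_sequence(variant))
    print("same result:", execute(SAMPLE) == execute(variant))
    print("same signature:", signature(SAMPLE) == signature(variant))
```

Every seed yields a different layout and opcode stream while `execute` returns the same register file, which is the metamorphic property the thesis exploits. `opcode_sequence` is also the kind of feature that HMM-based metamorphic detectors in the literature are trained on; this example does not implement the HMM scoring itself.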