Evading Antivirus Detection by Abusing File Type Identification
Saved in:
| Title: | Evading Antivirus Detection by Abusing File Type Identification |
|---|---|
| Authors: | Udomwongsa, Chavin |
| Source: | Computer Science Senior Theses |
| Publisher information: | Dartmouth Digital Commons |
| Publication year: | 2024 |
| Collection: | Dartmouth Digital Commons (Dartmouth College) |
| Keywords: | binwalk, polyfile, file type identification, antivirus, security and privacy, Computer Sciences |
| Description: | File type identification is a vital step in automated file processing, especially in the realm of malware detection. The challenges with file type identification and evasion techniques that take advantage of them were pointed out over a decade ago. We show that this remains the case: file type identification implementations are still fragile, especially for files with ambiguous file types. We present a novel antivirus bypass technique via crafted tar archives that evades all detection from VirusTotal and numerous antiviruses: BitDefender, F-Secure, Kaspersky, Panda Dome, Trend Micro, Quick Heal, IKARUS, Avira. These crafted files evade detection by tricking file type identification implementations, but can still be unpacked on end-host machines using GNU tar or 7-zip. We show that these file type-masquerading archives are also incorrectly labeled by popular file type identifiers. We present a survey of publicly available tools for file type identification and shared file signature databases. Finally, we discuss countermeasures for this evasion technique by detecting files with ambiguous file types. |
| Publication type: | text |
| File description: | application/pdf |
| Language: | unknown |
| Relation: | https://digitalcommons.dartmouth.edu/cs_senior_theses/44; https://digitalcommons.dartmouth.edu/context/cs_senior_theses/article/1033/viewcontent/Kris_Thesis.pdf |
| Availability: | https://digitalcommons.dartmouth.edu/cs_senior_theses/44 https://digitalcommons.dartmouth.edu/context/cs_senior_theses/article/1033/viewcontent/Kris_Thesis.pdf |
| Document code: | edsbas.D5CD7843 |
| Database: | BASE |