Evolution of Malware in the Digital Transformation Age

Shahid Alam
DOI: 10.4018/978-1-7998-6975-7.ch013

Abstract

As corporations are stepping into the new digital transformation age and adopting leading-edge technologies such as cloud, mobile, and big data, it becomes crucial for them to contemplate the risks and rewards of this adoption. At the same time, the new wave of malware attacks is posing a severe impediment in implementing these technologies. This chapter discusses some of the complications, challenges, and issues plaguing current malware analysis and detection techniques. Some of the key challenges discussed are automation, native code, obfuscations, morphing, and anti-reverse engineering. Solutions and recommendations are provided to solve some of these challenges. To stimulate further research in this thriving area, the authors highlight some promising future research directions. The authors believe that this chapter provides an auspicious basis for future researchers who intend to know more about the evolution of malware and will act as a motivation for enhancing the current and developing the new techniques for malware analysis and detection.
Chapter Preview

Introduction

As we advance into the new digital transformation age, most enterprises have been adapting to this new pace of technology by adopting leading-edge technologies like cloud, mobile, big data, and the Internet of Things. At the same time, organizations are facing a new wave of security attacks, which pose a severe impediment to implementing these technologies. The WannaCry ransomware attack in 2017 affected many leading organizations around the globe. The ransomware was a cryptoworm (malicious software designed around cryptography) (Zouave et al., 2020) and targeted the Microsoft Windows operating system by encrypting data and demanding ransom payments in cryptocurrency (Narayanan et al., 2016). Within a day the ransomware had infected more than 230,000 computers in over 150 countries. Stuxnet, a piece of malware (malicious software), was used to cause substantial damage to supervisory control and data acquisition (SCADA) systems. Targeting industrial control systems, the malware infected over 200,000 computers. Shamoon, another similar malware, was used for cyber warfare against some of the national oil companies in the Middle East. Recently, Twitter was hacked and the attackers were able to take over high-profile US accounts, and Magellan Health, a Fortune 500 company, faced a sophisticated ransomware attack that affected thousands of patients. Cyberattacks are on the rise and pose a serious threat to a company's financial and other resources. A chronological timeline of these and other high-profile cybersecurity attacks on different companies is shown in Figure 1. As we can see from Figure 1, the number of breached user accounts (a breach being a break-in to an account to steal information, including passwords, banking details, etc.) at a single company ranges from 134 million accounts in 2008 to 538 million accounts in 2020. The average cost of a malware attack on a company is 2.4 million USD. These attacks highlight the vulnerabilities of the current cyberinfrastructure. They also emphasize the importance of integrating cybersecurity into the new scenario for digital transformation.

Figure 1.

A chronological timeline of high-profile cybersecurity attacks from 2008 to 2020 with affected accounts in millions

Most cyberattacks are executed by installing malware that carries out different malicious activities. According to a recent report by AV-TEST, an independent IT security institute, the total number of new malicious programs is on the rise. The malware growth reported by AV-TEST is shown in Figure 2. As we can see from Figure 2, the number of malware programs grew from 65.26 million in 2011 to 1101.88 million in 2020, a significant growth (almost 16 times) over these ten years. The numbers can be explained by the fact that malware writers were initially hobbyists, but professionals have since joined this group because of the incentives attached to it, such as financial gain, intelligence gathering, and cyber warfare. Moreover, malware writers are adopting reusable software development methodologies and using obfuscation (Linn & Debray, 2003) to create new malware that is a copy (variant) of the original malware. Malware has also grown in sophistication, from simple file-infecting viruses to programs that can propagate through networks and change their shape and structure (polymorphic and metamorphic malware), with a variety of complex modules to execute malicious activities. Malware writers have also adapted to new platforms, such as smartphones and IoT devices. Research into defense and analysis techniques by academia and industry proceeds side by side with this growth in malware attacks. Several techniques and methods have been developed to mitigate the effects of these attacks. The main goal is to learn the structure and behavior of malware by using static, dynamic, or hybrid analysis techniques. If the program is found to be a variant of previous malware, or its behavior is suspicious, appropriate actions are taken to deal with the malware program. These actions can include quarantining, repairing, or deleting the malware program, and isolating the affected computers and networks. This has become a race between malware and antimalware techniques and approaches, and the techniques and approaches in both areas are evolving at their own pace.
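As an added illustration (not code from the chapter), the following Python snippet shows why obfuscated variants defeat an exact signature while a simple static check on opcode 2-gram profiles still flags them. The opcode streams and the `nop`-stripping normalisation are constructed for the example, not taken from any real sample or tool.

```python
import hashlib
import math
from collections import Counter

# Constructed opcode streams standing in for disassembled programs.
# They are illustrative only, not taken from any real sample.
ORIGINAL = ["push", "mov", "call", "xor", "mov", "cmp", "jne", "call", "mov", "ret"]
# Variant obtained by junk insertion (nop) and one instruction substitution (xor -> sub):
VARIANT = ["push", "nop", "mov", "call", "nop", "sub", "mov", "cmp",
           "nop", "jne", "call", "mov", "nop", "ret"]
BENIGN = ["push", "mov", "add", "mov", "sub", "mov", "add", "ret"]

JUNK = {"nop"}  # opcodes a normalisation pass drops before comparison


def signature(opcodes):
    """Exact-match signature: a hash of the whole opcode stream."""
    return hashlib.sha256(" ".join(opcodes).encode()).hexdigest()


def ngram_profile(opcodes, n=2):
    """Count opcode n-grams, giving a shape-based profile of the code."""
    return Counter(tuple(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1))


def cosine(a, b):
    """Cosine similarity between two n-gram count profiles."""
    dot = sum(a[k] * b[k] for k in a if k in b)
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def similarity(sample, known, junk=JUNK):
    """Normalise (strip junk opcodes), then compare 2-gram profiles."""
    clean = [op for op in sample if op not in junk]
    return cosine(ngram_profile(clean), ngram_profile(known))


def is_variant(sample, known, threshold=0.7):
    """Flag the sample as a variant of a known program if the profiles are close."""
    return similarity(sample, known) >= threshold


if __name__ == "__main__":
    print("exact signature matches:", signature(VARIANT) == signature(ORIGINAL))  # False
    print("variant similarity: %.3f" % similarity(VARIANT, ORIGINAL))             # 0.778
    print("benign similarity:  %.3f" % similarity(BENIGN, ORIGINAL))              # 0.111
    print("variant flagged:", is_variant(VARIANT, ORIGINAL))                      # True
```

The threshold and the junk-opcode set are the knobs a real detector tunes; too low a threshold raises false positives on unrelated benign code, as the third line of output hints.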

Key Terms in this Chapter

Binary Instrumentation: It is a technique that modifies a binary program, either pre-execution or during execution to get more insights (behaviors) into the program.

Cloud Computing: Cloud computing is the on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user.

Abstract Syntax Tree: In computer science, an abstract syntax tree (AST), or just syntax tree, is a tree representation of the abstract syntactic structure of source code written in a programming language.

Bytecode: Bytecode is a program code that has been compiled from source code into low-level code designed for a software interpreter.

Instruction Set Architecture: In computer science, an instruction set architecture (ISA) is an abstract model of a computer.

Opcode: In computing, an opcode (operation code) is the portion of a machine language instruction that specifies the operation to be performed.

Obfuscation: To obfuscate something means to make it so that it is not clear or transparent, much like dirty water makes it hard to see to the bottom of a pond.

Computer Forensics: Computer forensics is a branch of digital forensic science pertaining to evidence found in computers and digital storage media.

Cyberattack: An attempt to gain illegal access to a computer or computer system for the purpose of causing damage or harm.

Symbolic Execution: In computer science, symbolic execution (also symbolic evaluation) is a means of analyzing a program to determine what inputs cause each part of a program to execute.

Cryptocurrency: Any form of currency that only exists digitally, that usually has no central issuing or regulating authority but instead uses a decentralized system to record transactions and manage the issuance of new units, and that relies on cryptography to prevent counterfeiting and fraudulent transactions.

Endpoint System: An endpoint system is a remote computing device that communicates back and forth with a network to which it is connected. Some examples of endpoints include desktops, laptops, smartphones, servers, workstations, and Internet-of-Things devices.

Embedded Systems: An embedded system is a combination of computer hardware and software designed for a specific function or functions within a larger system.

Control Flow: In computer science, control flow is the order in which individual statements, instructions, or function calls of an imperative program are executed or evaluated.

Decompiler: A decompiler is a computer program that takes an executable file as input and attempts to create a high-level source file that can be recompiled successfully.

Virtual: Not physically existing as such but made by software to appear to do so.

Debugging: In computer programming and software development, debugging is the process of finding and resolving bugs within computer programs, software, or systems.

Vulnerability: Vulnerability refers to the inability (of a system or a unit) to withstand the effects of a hostile environment.

Metalanguage: A form of language or set of terms used for the description or analysis of another language.
