CYBERSEC 2022 uses cookies to provide you with the best user experience possible. By continuing to use this site, you agree to the terms in our Privacy Policy. I Agree
In the era of endless new exploits, Active Defense of Antivirus have already collapsed. Also, the efficient Static Scan is the most important feature of modern antivirus against malware, designed to provide AV/EDR with the ability to detect immediately when it discovers an unknown file that is or is not a known threat, so as to avoid infection.
This technique has evolved from the originally file hash fingerprint to the now well-known pattern matching (YARA), and even the heuristic-based ML methods to produce patterns automatically against high variant samples as much as possible.
As a result, hackers have advanced their pattern-bypassing tactics to identify and remove anti-virus signature in no time. This allows variant-enhanced malware in the wild to increase rather than decrease even against state-of-the-art AI based detections. However, do we want such detection techniques that chase behind attackers? The blame goes to the fact that classic pattern matching design never considers semantics of execution behavior, making it easy for hackers to bypass.
In this session, we will talk about how the latest variant samples can beat the major pattern matching techniques heavily with simple tricks such as obfuscation, FLA (OLLVM) and RC4 encryption.
To fight against this, we will present a next-generation static scanning idea. Instead of optical scanning of files, a full set of decompilers will be built in to analyze all the static functions in a program file and use symbolic definition of malicious functions to achieve a semantic-aware malware detection engine. Researchers can elastically define malware templates and use this engine to perform excellent detection results on multiple heavily obfuscated samples.
Sheng-Hao Ma (@aaaddress1) is currently working as a threat researcher at TXOne Networks, specializing in Windows reverse engineering analysis for over 10 years. In addition, he is currently a member of CHROOT, an information security community in Taiwan. He has also served as a speaker and instructor for various international conferences and organizations such as DEFCON, HITB, Black Hat USA, VXCON, HITCON, ROOTCON, Ministry of National Defense, and Ministry of Education. He is also the author of the popular security book "Windows APT Warfare: The Definitive Guide for Malware Researchers".
Hank Chen is a threat researcher at TXOne Networks. Hank is in charge of malware analysis, product security,and vulnerability research. Hank was a teaching assistant of Cryptography at National Tsing Hua University (NTHU), as well as joined in many CTF competitions with BalsiFox and 10sec to focus on crypto, reverse, and pwn challenges.