Conference paper Open Access

A Game of "Cut and Mouse": Bypassing Antivirus by Simulating User Inputs

Genç, Z.; Lenzini, G.; Sgandurra, D.


DataCite XML Export

<?xml version='1.0' encoding='utf-8'?>
<resource xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://datacite.org/schema/kernel-4" xsi:schemaLocation="http://datacite.org/schema/kernel-4 http://schema.datacite.org/meta/kernel-4.1/metadata.xsd">
  <identifier identifierType="DOI">10.5281/zenodo.3951918</identifier>
  <creators>
    <creator>
      <creatorName>Genç, Z.</creatorName>
      <givenName>Z.</givenName>
      <familyName>Genç</familyName>
      <affiliation>University of Luxembourg</affiliation>
    </creator>
    <creator>
      <creatorName>Lenzini, G.</creatorName>
      <givenName>G.</givenName>
      <familyName>Lenzini</familyName>
      <affiliation>University of Luxembourg</affiliation>
    </creator>
    <creator>
      <creatorName>Sgandurra, D.</creatorName>
      <givenName>D.</givenName>
      <familyName>Sgandurra</familyName>
      <affiliation>University of London</affiliation>
    </creator>
  </creators>
  <titles>
    <title>A Game of "Cut and Mouse": Bypassing Antivirus by Simulating User Inputs</title>
  </titles>
  <publisher>Zenodo</publisher>
  <publicationYear>2020</publicationYear>
  <subjects>
    <subject>Antivirus</subject>
    <subject>Ransomware</subject>
    <subject>Evasion</subject>
    <subject>Vulnerability</subject>
    <subject>Simulated Inputs</subject>
  </subjects>
  <dates>
    <date dateType="Issued">2020-07-20</date>
  </dates>
  <language>en</language>
  <resourceType resourceTypeGeneral="Text">Conference paper</resourceType>
  <alternateIdentifiers>
    <alternateIdentifier alternateIdentifierType="doi">10.1145/3359789.3359844</alternateIdentifier>
    <alternateIdentifier alternateIdentifierType="url">https://zenodo.org/record/3951918</alternateIdentifier>
  </alternateIdentifiers>
  <relatedIdentifiers>
    <relatedIdentifier relatedIdentifierType="DOI" relationType="IsVersionOf">10.5281/zenodo.3951917</relatedIdentifier>
    <relatedIdentifier relatedIdentifierType="URL" relationType="IsPartOf">https://zenodo.org/communities/futuretpm-h2020</relatedIdentifier>
  </relatedIdentifiers>
  <rightsList>
    <rights rightsURI="https://creativecommons.org/licenses/by/4.0/legalcode">Creative Commons Attribution 4.0 International</rights>
    <rights rightsURI="info:eu-repo/semantics/openAccess">Open Access</rights>
  </rightsList>
  <descriptions>
    <description descriptionType="Abstract">&lt;p&gt;To protect their digital assets from malware attacks, most users and companies rely on anti-virus (AV) software. But AVs&amp;rsquo; protection is a full-time task and AVs are engaged in a cat-and-mouse game where malware, e.g., through obfuscation and polymorphism, denial of service attacks and malformed packets and parameters, try to circumvent AV defences or make them crash. On the other hand, AVs react by complementing signature-based with anomaly or behavioral detection, and by using OS protection, standard code, and binary protection techniques. Further, malware counter-act, for instance by using adversarial inputs to avoid detection, et cetera. This paper investigates two novel moves for the malware side. The first one consists in simulating mouse events to control AVs, namely to send them mouse &amp;ldquo;clicks&amp;rdquo; to deactivate their protection. We prove that many AVs can be disabled in this way, and we call this class of attacks Ghost Control. The second one consists in controlling high-integrity white-listed applications, such as Notepad, by sending them keyboard events (such as &amp;ldquo;copy-and-paste&amp;rdquo;) to perform malicious operations on behalf of the malware. We prove that the anti-ransomware protection feature of some AVs can be bypassed if we use Notepad as a &amp;quot;puppet&amp;quot; to rewrite the content of protected files as a ransomware would do. Playing with the words, and recalling the cat-and-mouse game, we call this class of attacks Cut-and-Mouse.&lt;/p&gt;</description>
  </descriptions>
  <fundingReferences>
    <fundingReference>
      <funderName>European Commission</funderName>
      <funderIdentifier funderIdentifierType="Crossref Funder ID">10.13039/501100000780</funderIdentifier>
      <awardNumber awardURI="info:eu-repo/grantAgreement/EC/H2020/779391/">779391</awardNumber>
      <awardTitle>Future Proofing the Connected World: A Quantum-Resistant Trusted Platform Module</awardTitle>
    </fundingReference>
  </fundingReferences>
</resource>
46
29
views
downloads
All versions This version
Views 4646
Downloads 2929
Data volume 35.4 MB35.4 MB
Unique views 4545
Unique downloads 2626

Share

Cite as