International Journal On Advances in Security, volume 16, numbers 1 and 2, 2023


SPVExec and SPVLUExec - A Novel Realtime Defensive Tool for Stealthy Malware Infection

Authors:
Nicholas Phillips
Aisha Ali Gombe

Keywords: Malware; Rootkit; Reverse Engineering; Persistence; Defence by Deception.

Abstract:
The vicious cycle of malware attacks on infrastructures and systems has continued to escalate despite the tremendous efforts and resources organizations invest in preventing and detecting known threats. One reason is that standard reactionary practices such as defense-in-depth are not as adaptive as malware development. By exploiting zero-day system vulnerabilities, malware can subvert preventive measures, infect its targets, establish a persistence strategy, and continue to propagate, rendering defensive mechanisms ineffective. In this paper, we propose sterilized persistence vectors (SPVs), a proactive Defense by Deception strategy for mitigating malware infections that leverages a benign rootkit to detect changes in persistence areas. Our approach generates SPVs from infection-stripped malware code and uses them as persistent channel blockers against new malware infections. We performed an in-depth evaluation of our approach on Windows systems, versions 7 and 10, and Ubuntu Linux, Desktop, Server, and Core 22.0.04, by infecting them with 2000 different malware samples, 1000 per OS type, after training the system with 2000 additional samples to fine-tune the hashing. Based on memory analysis of pre- and post-SPV infections, our results indicate that the proposed approach can successfully defend systems against new infections by rendering the malicious code ineffective and inactive, without persistence.

Pages: 72 to 85

Copyright: Copyright (c) to authors, 2023. Used with permission.

Publication date: June 30, 2023

Published in: journal

ISSN: 1942-2636