Signal Processing - March 2016 - 105

Applications Corner
Lakshmanan Nataraj
and B.S. Manjunath

SPAM: Signal Processing to Analyze Malware

Cyberattacks have risen in recent times. The attack on Sony Pictures by hackers, allegedly from North Korea, received worldwide attention. U.S. President Barack Obama issued a statement and "vowed a U.S. response after North Korea's alleged cyberattack" [1]. This dangerous malware, termed wiper, could overwrite data and stop important execution processes. An analysis by the U.S. Federal Bureau of Investigation showed distinct similarities between this attack and the code used to attack South Korea in 2013, thus confirming that hackers reuse code from already existing malware to create new variants. This attack, along with other recently discovered attacks such as Regin and Opcleaver, gives one clear message: current cybersecurity defense mechanisms are not sufficient to thwart these sophisticated attacks.

Today's defense mechanisms, such as commercial antivirus (AV) software, are based on scanning systems for suspicious or malicious activity. If such activity is found, the suspect files are either quarantined or the vulnerable system is patched with an update. In turn, the AV software is also updated with new signatures to identify such activity in the future. The scanning methods are based on a variety of techniques, such as static analysis, dynamic analysis, and other heuristics-based techniques, which are often slow to react to new attacks and threats.

Static analysis is based on analyzing an executable without executing it. These techniques include searching for specific strings, computing cryptographic hashes, and disassembling the executable to extract features. On the other hand, dynamic analysis executes the binary and studies its behavioral characteristics in a virtual sandboxed environment. Some of these methods include system-call-level monitoring and memory snapshot comparison. Hackers are familiar with these standard methods and come up with ways to evade the current defense mechanisms. They produce new malware variants that easily evade the detection methods. These variants are created from existing malware using inexpensive, easily available "factory tool kits" in a virtual factory-like setting, and they then spread and infect more systems. Once a system is compromised, its owner quickly loses control of it and/or the infection spreads to other networked systems.

While security techniques constantly evolve to keep up with new attacks, hackers too change their ways and continue to evade defense mechanisms. As this never-ending billion-dollar "cat and mouse game" continues, it may be useful to look at avenues that can bring in novel alternative and/or orthogonal defense approaches to counter the ongoing threats. The hope is to catch these new attacks using complementary methods that may not be well known to hackers, thus making it more difficult and/or too expensive for them to evade all detection schemes. This article focuses on such orthogonal approaches from signal and image processing that complement standard approaches.

Digital Object Identifier 10.1109/MSP.2015.2507185
Date of publication: 7 March 2016
1053-5888/16©2016IEEE

IEEE Signal Processing Magazine | March 2016

Malware landscape
Malware (malicious software) is any software that is designed to cause damage to a computer, server, network, mobile phone, or other device. Based on their specific function, such as stealing data, spying, keylogging, or others, malware are classified into different types such as trojans, backdoors, viruses, worms, spyware, adware, and more. Malware are also identified by the platform they belong to, such as Windows, Linux, AndroidOS, and others. While most malware are geared toward the Windows platform, they are also quickly expanding to other platforms such as AndroidOS, Linux, and Mac OS X. Malware are further classified into families, which in turn have many variants that perform almost the same function (Figure 1). According to the Computer Antivirus Research Organization (CARO) convention for naming malware, a malware name is represented as Type:Platform/Family.Variant. For example, PWS:Win32/Zbot.gen denotes a password-stealer malware of the generic Zbot family that attacks 32-bit Windows platforms.
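The CARO naming convention described above, as an added example that is not part of the original article: a small Python parser for Type:Platform/Family.Variant names, plus a helper that groups detection names by family so that variants of one family sit together. The article gives only the full form of the name; the optional Type prefix and Variant suffix, the permitted character set, and every name other than PWS:Win32/Zbot.gen are assumptions made here for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# CARO-style name as given in the text: Type:Platform/Family.Variant
# Assumptions (not from the article): the Type prefix and the Variant suffix are
# optional, because vendor names such as "Win32/Zbot" omit one or both, and the
# character set below is a guess at what typically appears in each field.
CARO_RE = re.compile(
    r"^(?:(?P<kind>[A-Za-z0-9_-]+):)?"        # optional type, e.g. PWS, Trojan, Backdoor
    r"(?P<platform>[A-Za-z0-9_-]+)/"           # platform, e.g. Win32, AndroidOS, Linux
    r"(?P<family>[A-Za-z0-9_-]+)"              # family, e.g. Zbot
    r"(?:\.(?P<variant>[A-Za-z0-9_!-]+))?$"    # optional variant, e.g. gen, A, gen!B
)


@dataclass(frozen=True)
class CaroName:
    kind: Optional[str]      # "Type" in the convention; None when absent
    platform: str
    family: str
    variant: Optional[str]   # None when absent


def parse_caro(name: str) -> CaroName:
    """Split a detection name into its CARO fields; reject anything else loudly,
    since a silently mis-parsed family name corrupts any per-family statistics."""
    m = CARO_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Type:Platform/Family.Variant name: {name!r}")
    return CaroName(m.group("kind"), m.group("platform"),
                    m.group("family"), m.group("variant"))


def group_by_family(names: Iterable[str]) -> Dict[Tuple[str, str], List[Optional[str]]]:
    """Group names by (platform, family), listing the variant of each, in input order."""
    groups: Dict[Tuple[str, str], List[Optional[str]]] = {}
    for n in names:
        c = parse_caro(n)
        groups.setdefault((c.platform, c.family), []).append(c.variant)
    return groups


if __name__ == "__main__":
    # Constructed sample labels; only the first one appears in the article.
    for label in ("PWS:Win32/Zbot.gen", "PWS:Win32/Zbot.A", "Trojan:AndroidOS/ExampleFamily.B"):
        print(label, "->", parse_caro(label))
```

Parsing is strict on purpose: a scanner label that does not fit the convention raises rather than being filed under a made-up family.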
Malware variants are created either by making changes to the malware code or by using executable packers. In the former case, a simple mutation occurs by changing small parts of the code. These are referred to as unpacked malware variants. In the latter case, a more complex mutation occurs either by compressing or encrypting (usually with different keys) the main body of the code and appending a decompression/decryption routine, which during
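As an added example, not code from the article or its authors, the following Python script sets the two variant-creation mechanisms just described against the static-analysis checks mentioned earlier, cryptographic hashing in particular. A constructed, low-entropy byte blob stands in for a program; an "unpacked" variant patches a few bytes, and a "packed" variant XORs the body with a toy seeded keystream and prepends a fixed stub where a decryption routine would sit. Hashing flags neither variant as related to the original, a 256-bin byte histogram (a crude byte-level feature in the spirit of the signal-processing view) still matches the unpacked variant, and byte entropy exposes the packed one as compressed or encrypted content. The blob, the stub, the keystream, the patch offsets and the entropy threshold are all constructed for illustration.

```python
import hashlib
import math
import random
from collections import Counter

# Constructed stand-in for a program's bytes: a repetitive, low-entropy blob plus a
# familiar PE-header string. It is not real code and not real malware.
BASE = bytes(range(64)) * 32 + b"This program cannot be run in DOS mode." * 8


def unpacked_variant(body: bytes, patches: dict) -> bytes:
    """Simple mutation as described in the text: overwrite a few bytes in place."""
    out = bytearray(body)
    for offset, value in patches.items():
        out[offset] = value
    return bytes(out)


def packed_variant(body: bytes, seed: int) -> bytes:
    """Packer-style mutation: the body is 'encrypted' with a toy seeded keystream (a
    constructed stand-in, not a real cipher) and a fixed stub is prepended where the
    decryption routine would go. A different seed plays the role of a different key."""
    rng = random.Random(seed)
    keystream = bytes(rng.getrandbits(8) for _ in range(len(body)))
    encrypted = bytes(b ^ k for b, k in zip(body, keystream))
    return b"STUB-DECRYPT-ROUTINE" + encrypted


def sha256(data: bytes) -> str:
    """The exact-match signature a hash-based scanner relies on."""
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes.
    Compressed or encrypted regions sit close to the ceiling."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def byte_histogram_similarity(a: bytes, b: bytes) -> float:
    """Cosine similarity of the 256-bin byte histograms (1.0 = identical distributions).
    Survives small code edits, but not packing, which rewrites the whole distribution."""
    ha, hb = [0] * 256, [0] * 256
    for x in a:
        ha[x] += 1
    for x in b:
        hb[x] += 1
    dot = sum(p * q for p, q in zip(ha, hb))
    norm = math.sqrt(sum(p * p for p in ha)) * math.sqrt(sum(q * q for q in hb))
    return dot / norm if norm else 0.0


def triage(sample: bytes, reference: bytes, high_entropy: float = 7.0) -> dict:
    """Compare a sample against a known reference using the three checks above.
    The 7.0 bits/byte threshold is a constructed rule of thumb, not a published value."""
    entropy = shannon_entropy(sample)
    return {
        "hash_match": sha256(sample) == sha256(reference),
        "entropy": round(entropy, 2),
        "looks_packed": entropy >= high_entropy,
        "histogram_similarity": round(byte_histogram_similarity(sample, reference), 3),
    }


if __name__ == "__main__":
    unpacked = unpacked_variant(BASE, {10: 0xFF, 700: 0x41, 1500: 0x00})
    packed = packed_variant(BASE, seed=1234)
    for label, sample in (("original", BASE), ("unpacked", unpacked), ("packed", packed)):
        print(label, triage(sample, BASE))
```

Running the script shows the split the article is driving at: the hash check matches only the byte-identical original, the histogram still recognizes the lightly mutated variant, and the packed variant's entropy lands near the 8 bits/byte ceiling while the original stays well below it. An entropy spike alone does not prove malice (legitimate installers are packed too), but it tells an analyst that byte-level similarity to the original is not going to be found without unpacking first.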


