Unless you're using publicly available malware that is known to be used for crime, AV isn't going to detect anything. That's how it works, and that's how it has to work.
I haven't fully read through the paper, but it doesn't look much different than what attackers have been doing with compiled AutoIT binaries for decades.
If it's on GitHub I'd be interested in looking at the code. If not, it seems like just another academic paper misunderstanding the real problems faced by both attackers and defenders.
Next-gen AV does not rely on signatures to detect malware so much as heuristics on steroids. I am especially familiar with SentinelOne. It can detect 0-day ransomware, for example, as soon as it tries to encrypt files, and stop it in its tracks. Any product that does rely on signatures is useless these days.
The heuristics aren't on steroids but rather basic. SentinelOne, CrowdStrike, CarbonBlack etc. are still as dumb as a door knob. Yes, they can detect ransomware, because it's quite easy to detect, but their heuristics don't extend to anything that is remotely sophisticated and doesn't simply nuke the entire system.
I can't upvote this enough. A heuristic will always be a heuristic; it does not matter of which kind or what you are looking at. These products are not deterministic and they give you no assurance whatsoever.
To add to how simplistic their heuristics are: we had a demo of the ransomware detection of one of the products mentioned above.
Their demo was about 2 hours long; during it I wrote my own ransomware in a few lines.
It used cipher.exe, a command line utility that allows you to encrypt files. With about 5 lines of a batch script (well, it was pinvoke in my case) I had a ransomware that would encrypt all document files in the user's home directory with a new EFS cert, generate an EFS recovery agent and upload it to a WebDAV share, delete the EFS certificate from the system, then, using the same cipher.exe utility's secure wipe option (/w), nuke the file system and overwrite all deleted data to make both forensics and recovery near impossible.
Since cipher.exe is a signed Microsoft executable, it wasn't detected.
Their response was that they hadn't seen malware use this before and they were looking for Windows crypto API calls, CPU metrics and other nonsense, and assured us that it's highly unlikely that anyone would use built-in command line utilities when compromising our network.
All these techniques are based on the malicious software already having access to the system. As Raymond said "you're already on the other side of airtight door".
Perhaps instead of relying on antivirus/antimalware programs to protect you, better educate the user. There will never be a program that is 100% idiot proof ("the Universe will always come up with a better idiot" - quote from somebody way smarter than me).
Or maybe instead of educating the users we should be educating the criminals so they can get paid to work on more productive things. Lots of solutions here.
While this is a potentially good idea to do in parallel, it is effectively impossible to reduce crime rate to literally zero, and the nature of the internet means that users can receive the same volume of malicious emails/ads and other malware vectors with fewer actors.
I like the basic idea, but at least if educating is to be understood as imparting trade knowledge and/or skills, I seriously doubt that that particular deficit is what's keeping most of those people off the straight and narrow.
Then you, like most of society, don't understand what drives criminal behaviour.
Many professional criminals do so out of lack of other options. Others are expressing antisocial sentiment, often a result of trauma or feeling rejected by society. In my case, it was a mixture of both.
Anyone that tells you that a complex societal problem is solely the result of moral failing or "bad people" does not have a good understanding of the problem space.
Nobody mentioned anything about them having moral failings. The point was that if they are making money by writing malware, then lack of education or training isn't why they're doing it, because they're clearly qualified to do at least entry-level computer work. Whether or not that work is available, or pays enough, is another story.
Thus the appeal of walled gardens. The user can’t run malware if they can’t install any off app store software by default. Linux repositories are an earlier example. The current Windows ecosystem of the first search result being malware, downloading often unsigned .exe files and conditioning users to click next until they get what they want is a mess.
The Play Store is a walled garden. And this article is a wolf cry exactly against malware from the Play Store. In the end, the same social engineering techniques employed to trick people into installing malware directly (see Windows) can be employed to trick the walled garden gatekeepers into allowing malware there.
I would argue that having a walled garden is actually worse. Once malware is inside, it can wreak havoc far greater than in the open system of Windows. Sure, you get fewer bad actors inside, but those who do manage to get inside will be fully free because of the false security its users feel.
Yep, air leaks do happen. Not his fault though, but his blog is a gold mine of information, definitely top 5 to read religiously every day, don't you agree?
In my opinion, we should be much more cautious with malware, since it can infect us and our information, even causing the loss of it. That is why, to prevent it, we must be more informed about cybersecurity. I recommend https://demyo.com/
Submitted title was "New powerful malware obfuscation technique". Submitters: please don't do that. The site guidelines ask: "Please use the original title, unless it is misleading or linkbait; don't editorialize."