Malware bites

Antivirus software running on your computer has one big weak point - if a new virus is released before the antivirus provider knows about it or before the next scheduled antivirus software update, your system can be infected. Such zero-day infections are common.

However, a key recent development in antivirus software is to incorporate built-in defences against viruses and other computer malware for which they have no prior knowledge. These defences usually respond to unusual activity that resembles the way viruses behave once they have infected a system. This so-called heuristic approach combined with regularly updated antivirus will usually protect you against known viruses and even zero-day viruses. However, in reality, there are inevitably some attacks that continue to slip through the safety net.

Writing in a forthcoming issue of the International Journal of Electronic Security and Digital Forensics, researchers at the Australian National University, in Acton, ACT, and the Northern Melbourne Institute of TAFE jointly with the Victorian Institute of Technology, in Melbourne, Victoria, have devised an approach to virus detection that acts as a third layer on top of signature scanning for known viruses and heuristic scanning.

The new approach employs a data mining algorithm to identify malicious code on a system; the anomaly detection is based predominantly on the rate at which various operating system functions are being "called". Their initial tests show an almost 100% detection rate and a false positive rate of just 2.5% for spotting embedded malicious code that is in "stealth mode" prior to being activated for particular malicious purposes.

"Securing computer systems against new diverse malware is becoming harder since it requires a continuing improvement in the detection engines," the team of Mamoun Alazab (ANU) and Sitalakshmi Venkatraman (NMIT) explain. "What is most important is to expand the knowledgebase for security research through anomaly detection by applying innovative pattern recognition techniques with appropriate machine learning algorithms to detect unknown malicious behaviour."
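The function-call-rate idea from the article above, as an added example that is not the paper's own code: each sample is represented by how often it calls each tracked operating system function, a simple nearest-centroid classifier (an assumption standing in for the authors' supervised learning algorithm, which the article does not detail) is trained on labelled traces, and detection rate and false positive rate are measured on held-out traces. The API names and all traces are constructed for illustration.

```python
from collections import Counter
import math

# Hypothetical feature set (the paper's actual list is not given in the article)
API_NAMES = ["CreateFile", "ReadFile", "WriteFile", "RegSetValue",
             "VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread",
             "InternetOpen", "Sleep"]

def features(trace):
    """Rate of each tracked call as a fraction of all calls in the trace."""
    counts = Counter(trace)
    total = max(len(trace), 1)
    return [counts[name] / total for name in API_NAMES]

def centroid(vectors):
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(len(API_NAMES))]

def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

class CallRateClassifier:
    """Nearest-centroid classifier over call-rate vectors (assumed stand-in)."""
    def fit(self, benign_traces, malicious_traces):
        self.benign = centroid([features(t) for t in benign_traces])
        self.malicious = centroid([features(t) for t in malicious_traces])
        return self

    def predict(self, trace):
        if not trace:          # no calls observed: nothing to judge
            return False
        f = features(trace)
        return distance(f, self.malicious) < distance(f, self.benign)

def evaluate(clf, benign_test, malicious_test):
    """Return (detection rate, false positive rate) on held-out traces."""
    tp = sum(clf.predict(t) for t in malicious_test)
    fp = sum(clf.predict(t) for t in benign_test)
    return tp / len(malicious_test), fp / len(benign_test)

# Constructed traces, not real samples: benign programs mostly do file I/O,
# the malicious ones lean on memory-injection and persistence calls.
TRAIN_BENIGN = [["CreateFile", "ReadFile", "ReadFile", "WriteFile", "Sleep"],
                ["CreateFile", "ReadFile", "WriteFile", "WriteFile", "InternetOpen"],
                ["ReadFile"] * 4 + ["Sleep", "CreateFile"]]
TRAIN_MALICIOUS = [["VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread", "Sleep"],
                   ["RegSetValue", "VirtualAlloc", "WriteProcessMemory", "InternetOpen"],
                   ["VirtualAlloc"] * 2 + ["WriteProcessMemory", "CreateRemoteThread", "RegSetValue"]]
TEST_BENIGN = [["CreateFile", "ReadFile", "WriteFile", "Sleep", "Sleep"],
               ["ReadFile", "ReadFile", "CreateFile", "InternetOpen"]]
TEST_MALICIOUS = [["VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread", "InternetOpen"],
                  ["RegSetValue", "RegSetValue", "VirtualAlloc", "WriteProcessMemory"]]
```

Calling `evaluate(CallRateClassifier().fit(TRAIN_BENIGN, TRAIN_MALICIOUS), TEST_BENIGN, TEST_MALICIOUS)` returns the two rates; on real traces the false positive rate is what decides whether such a layer is usable.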


More information: Alazab, M. & Venkatraman, S. (2013). Detecting malicious behaviour using supervised learning algorithms of the function calls. International Journal of Electronic Security and Digital Forensics, 5(2), 90. DOI: 10.1504/IJESDF.2013.055047
Citation: Malware bites (2013, August 15) retrieved 19 October 2019 from

User comments

Aug 15, 2013
Sounds good at first - but there is one fatal flaw with the idea:

Malware producers aren't stupid. They TEST their malware on computers where the latest versions of antivirus software is installed. There's no use fielding malware if you know it's not going to work. So they'll only release a software when it's in a state which is currently not detectable.

(Actually this has given me an idea: if you want to identify a malware producer you'd probably be best off searching for someone who regularly pulls updates for ALL major antivirus suites on the market. No normal user would do that.)

Aug 15, 2013
if you did this you would be labeling lots of innocent computer users as producers of malicious programs/code

Don't confuse correlation with causation. If someone were suspected of being a malware producer one could use this as circumstantial evidence. One could NOT use this to ascertain that someone were a malware producer in the first place.

Aug 15, 2013
I use a free sandboxing program called Sandboxie when surfing or trying out software. Keeps the baddies in a box till you delete it, and I haven't had malware problems in I don't know how long. Here's the website link:

Aug 15, 2013
Oh, and I also run Avast! as well, which is handy to test downloaded programs I want to test-run..

Aug 16, 2013
I use a free sandboxing program called Sandboxie

Don't trust too much in sandboxes. They can be circumvented.
A rootkit will make short work of them (and your antivirus software) to a degree that you won't even notice anything is wrong.

There's also several videos on youtube that show you how easily you can bypass sandbox protection.
It's a neat idea - but not foolproof (and by now the bypass methods are, unfortunately, included as an almost de facto standard in most malware.)

I used to have sandboxie, too. Nowadays it just slows the machine down as all browsers (and all firewalls) have sandbox features. Using two sandboxes doesn't make the system more secure (if anything it makes it less secure)

Aug 16, 2013
Interesting. I have posted a question about this on the Sandboxie website forum. Maybe Tzuk will answer it. I have been fortunate if what you are saying is true, and have managed to avoid rootkit infections so far. Do you have to download rootkits, or can you be infected just by visiting an infected website?

Aug 16, 2013
When you visit a purposefully malformed website it can very easily send malicious code to your operating system. It's called a driveby download. Ad banners are one way this happens. Let's say I buy a banner on a non-malicious site, like this one. Typically the advertisers host the banners themselves, so that's a way I could get malicious code onto an otherwise harmless site.

Aug 17, 2013
I am confused now, but then I know next to nothing about computer programming. I found an old exchange on the Sandboxie forum that suggests that Icesword is NOT able to execute if it has only been run in a sandboxed environment. If it has previously been opened outside the sandbox, it can launch successfully IN the sandbox: http://sandboxie....ghlight= (pay particular attention to the post dated Tue Nov 08, 2005 10:34 pm) See also: http://www.wilder...t=105850
In summary, if I ONLY surf WHILE SANDBOXED, in theory any malicious code cannot run outside my sandbox, unless I allow it to do so.

Aug 18, 2013
I don't understand how you think that you can easily get rooted through a sandbox. I would think that only the virtual disk gets rooted. The sandbox doesn't have access to areas you haven't intentionally shared. I run virtualbox windows under linux (not for security). Explain to me how the windows malware executable roots my linux machine. Now, if someone exploits a bug in the sandbox, of course they can do bad stuff. Or if the main OS has already been rooted, that's a completely different scenario.

Anyway, anything that provides more information for early detection is OK by me. Nothing is perfect, but more detections is better.

Aug 18, 2013
The underlying operating system is still vulnerable because there will always be flaws in the code used to create the sandbox. Take Chrome's sandbox for example. Google has plenty of resources to spend on developing secure code (way more than boxie), but every time they hold a contest with a cash prize for someone to break out of the sandbox with malicious code, they always do.

As for running a linux vm sandboxed on windows, sure it's a good idea, but far from foolproof. Once the sandbox is broken the malware can connect back to its command and control server and download exploits for whatever OS is running underneath.

Every new security advance is tirelessly attacked, and the prize for a criminal with a zero day exploit can be lots of cash. Take ASLR - address space layout randomization. Most malware involves writing bad stuff to ram, and aslr randomizes how ram is written to. It was supposed to be a panacea against certain types of attacks, but it was quickly defeated.

Aug 18, 2013
Well, I guess I am lucky. I haven't had any problems in 6 years using Sandboxie, so I must be doing something right!

Aug 18, 2013
Well, I guess I am lucky. I haven't had any problems in 6 years using Sandboxie, so I must be doing something right!

Hey, good for you. Way to go. But how do you really know you haven't acquired stealth malware?

Sandboxie bullet proof? Nope. An example for you, the cross-platform vulnerability CVE-2012-0217 affects your sandbox.

Good luck out there ;)

Aug 18, 2013
Well, I guess I am lucky. I haven't had any problems in 6 years using Sandboxie, so I must be doing something right!

Are you shilling as well?

Aug 19, 2013
A number of things are in your favor if you sandbox, especially if the underlying OS is different from what's running in the sandbox. To think or say otherwise is ridiculous. Playing word games.

No system is 100% safe, or even close. Read the test data at AV-Comparatives. AV Software can't even protect you against what is already known. Run in a sandbox and you isolate the infection, most of the time.

There simply are not as many sandbox breaking malware programs. You need to exploit the sandboxed OS to get to the sandbox, and then the sandbox, and then the underlying OS.
There are simply not enough targets to make that a mainstream/widespread problem.

My question for dtxx would be how many infections he got in the sandboxed OS. If he didn't get any, then it did him no good.

Aug 19, 2013
Here's a video
(No sound, but it's pretty easy to follow what he's doing.)

1) He's installing several types of rootkits/malware (A rootkit, a backdoor, and 3 types of trojans)
2) Checking whether antivirus software finds them (nope)
3) Watching via Comodo (a good Firewall) process monitor what happens:
The rootkit/malware disables all Sandboxie processes (although you may notice that it's still displayed as active in the taskbar)
Any process started has direct access to the computer (even though it is displayed as nominally sandboxed)

Game over.

That said: sandboxes aren't a BAD idea. It's good that your browser has one. But I wouldn't trust in them too much.

Aug 19, 2013
I again refer back to the Sandboxie forum I posted a link to earlier. If you look at the last post, it does suggest Sandboxie will prevent rootkits from running in the sandbox, but you have to be very careful how you proceed: http://sandboxie....ghlight=
