Mac-A-Mal: macOS malware analysis framework resistant to anti evasion techniques

With macOS increasing popularity, the number, and variety of macOS malware are rising as well. Yet, very few tools exist for dynamic analysis of macOS malware. In this paper, we propose a macOS malware analysis framework called Mac-A-Mal. We develop a kernel extension to monitor malware behavior and...

Full description

Saved in:
Bibliographic details
Published in: Journal of Computer Virology and Hacking Techniques 2019-12, Vol.15 (4), p.249-257
Main authors: Pham, Duy-Phuc, Vu, Duc-Ly, Massacci, Fabio
Format: Article
Language: eng
Subjects:
Online access: Full text
container_end_page 257
container_issue 4
container_start_page 249
container_title Journal of Computer Virology and Hacking Techniques
container_volume 15
creator Pham, Duy-Phuc
Vu, Duc-Ly
Massacci, Fabio
description With macOS's increasing popularity, the number and variety of macOS malware are rising as well. Yet, very few tools exist for dynamic analysis of macOS malware. In this paper, we propose a macOS malware analysis framework called Mac-A-Mal. We develop a kernel extension to monitor malware behavior and mitigate several anti-evasion techniques used in the wild. Our framework exploits the macOS features of XPC service invocation that typically escape traditional mechanisms for detection of child processes. Performance benchmarks show that our system is comparable with professional tools and able to withstand VM detection. By using Mac-A-Mal, we discovered 71 unknown adware samples (8 of them using valid distribution certificates), 2 keyloggers, and 1 previously unseen trojan involved in the APT32 OceanLotus.
doi_str_mv 10.1007/s11416-019-00335-w
format Article
fulltext fulltext
identifier ISSN: 2263-8733
ispartof Journal of Computer Virology and Hacking Techniques, 2019-12, Vol.15 (4), p.249-257
issn 2263-8733
2263-8733
language eng
recordid cdi_proquest_journals_2316455304
source Alma/SFX Local Collection; SpringerLink Journals - AutoHoldings
subjects Computer Science
Malware
Original Paper
title Mac-A-Mal: macOS malware analysis framework resistant to anti evasion techniques
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-25T19%3A19%3A29IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Mac-A-Mal:%20macOS%20malware%20analysis%20framework%20resistant%20to%20anti%20evasion%20techniques&rft.jtitle=Journal%20of%20Computer%20Virology%20and%20Hacking%20Techniques&rft.au=Pham,%20Duy-Phuc&rft.date=2019-12-01&rft.volume=15&rft.issue=4&rft.spage=249&rft.epage=257&rft.pages=249-257&rft.issn=2263-8733&rft.eissn=2263-8733&rft_id=info:doi/10.1007/s11416-019-00335-w&rft_dat=%3Cproquest_cross%3E2316455304%3C/proquest_cross%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2316455304&rft_id=info:pmid/&rfr_iscdi=true