[HN Gopher] Phantom Malware: Conceal malicious actions  by imita...
       ___________________________________________________________________
        
       Phantom Malware: Conceal malicious actions by imitating user
       activity
        
       Author : MalwareGuy
       Score  : 65 points
       Date   : 2021-01-31 18:04 UTC (4 hours ago)
        
 (HTM) web link (ieeexplore.ieee.org)
 (TXT) w3m dump (ieeexplore.ieee.org)
        
       | rychco wrote:
       | The author also created a video demonstrating a PoC
       | https://youtu.be/uf08omKOoxY
        
       | sabas123 wrote:
       | Imitating users to avoid detection isn't really a new technique
        
         | dang wrote:
         | Submitted title was "New powerful malware obfuscation
         | technique". Submitters: please don't do that. The site
         | guidelines ask: " _Please use the original title, unless it is
         | misleading or linkbait; don't editorialize._"
         | 
         | https://news.ycombinator.com/newsguidelines.html
         | 
         | We've changed the title above to the article title now
         | (shortened to squeeze into HN's 80 char title limit.)
        
       | unnouinceput wrote:
       | All these techniques are based on the malicious software already
       | having access to the system. As Raymond said, "you're already on
       | the other side of the airtight door".
       | 
       | Perhaps instead of relying on antivirus/antimalware programs to
       | protect you, better educate the user. At no time in the future
       | will there ever exist a program that is 100% idiot proof ("the
       | Universe will always come with a better idiot" - quote from
       | somebody way smarter than me).
        
         | px43 wrote:
         | Or maybe instead of educating the users we should be educating
         | the criminals so they can get paid to work on more productive
         | things. Lots of solutions here.
        
           | etiam wrote:
           | I like the basic idea, but at least if educating is to be
           | understood as imparting trade knowledge and/or skills, I
           | seriously doubt that that particular deficit is what is keeping
           | most of those people off the straight and narrow.
        
       | px43 wrote:
       | Unless you're using publicly available malware that is known to
       | be used for crime, AV isn't going to detect anything. That's how
       | it works, and that's how it has to work.
       | 
       | I haven't fully read through the paper, but it doesn't look much
       | different than what attackers have been doing with compiled
       | AutoIT binaries for decades.
       | 
       | If it's on GitHub I'd be interested in looking at the code. If
       | not, it seems like just another academic paper misunderstanding
       | the real problems faced by both attackers and defenders.
        
         | teilo wrote:
         | Next-gen AV does not rely on signatures to detect malware so
         | much as heuristics on steroids. I am especially familiar with
         | SentinelOne. It can detect 0-day ransomware, for example, as
         | soon as it tries to encrypt files, and stop it in its tracks.
         | Any product that does rely on signatures is useless these days.
        
       ___________________________________________________________________
       (page generated 2021-01-31 23:00 UTC)