Getting Ahead of the Arms Race: Hothousing the Coevolution of VirusTotal with a Packer

Malware detection is in a coevolutionary arms race where the attackers and defenders are constantly seeking advantage. This asymmetric: harder more expensive than evasion. White hats must be conservative to avoid false positives when searching for malicious behaviour. We seek redress this imbalance. Most of time, black need only make incremental changes evade them. On occasion, white disruptive move find new technique that forces work harder. Examples include system calls, signatures machine learning. present method, called Hothouse, combines simulation search accelerate hat’s ability counter moves, thereby forcing perform moves often. To realise we evolve EEE, an entropy-based polymorphic packer Windows executables. Playing role hat, EEE uses evolutionary computation disrupt creation malware signatures. enter into with VirusTotal, most prominent cloud service running anti-virus tools on software. During our 6 month study, continually improved response eventually learning produces packed whose evasiveness goes from initial 51.8% median 19.6%. report both how well VirusTotal learns detect EEE-packed binaries forgets order reduce positives. VirusTotal’s learn forget fast, actually about 3 days. also show focuses its efforts, by analysing EEE’s variants.