On the Effectiveness of Perturbations in Generating Evasive Malware Variants.

IEEE Access (2023)

Abstract
Malware variants are generated using various evasion techniques to bypass malware detectors, so it is important to understand which properties let them evade detection. To this end, a framework is proposed that generates fully working, previously unseen malware samples from Windows portable executable (PE) files by applying perturbations such as code obfuscation and benign section addition. Using this framework, the generated variants bypassed several commercial anti-malware products (e.g., BitDefender, AVG, Kaspersky, and Avast), with up to 86% higher evasiveness than the original samples and up to 28% higher than our previously proposed solution, FUMVar. By analyzing the individual perturbations and their effectiveness, the results show how more evasive variants can be generated and which malware categories they belong to, which in turn is useful for improving detection techniques. The most effective perturbation is XOR-based code obfuscation: variants generated with it evade 28 anti-malware engines on average. These experimental results and observations should therefore help in developing anti-malware solutions that detect previously unseen malware variants.
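As an added illustration (this is not code from the paper or from the FUMVar framework), the following Python models the two perturbation families the abstract names, XOR code obfuscation and benign section addition, against a toy byte-signature detector. The signature string, the sample bytes, the 3-byte XOR key and the appended section bytes are all constructed for this example and are not real malware. It shows why plain signature matching sees nothing once the bytes are XOR-encoded, while appending an inert section only changes hash and size-derived features and leaves the signature intact, and it adds the detector-side check a practitioner would want: a known-plaintext search that recovers a short repeating XOR key by looking for a periodic key stream. The caveat is that this recovers only short repeating keys for a known plaintext; real obfuscators can use long or per-sample keys, and real engines combine many more features than a byte signature.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-in for a detection signature and a scanned file: neither is
# real malware, and the byte layout only loosely mimics a PE header for illustration.
SIGNATURE = b"CONSTRUCTED-MALICIOUS-MARKER"
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
          + b"\xcc" * 32 + SIGNATURE + b"\x90" * 32)
XOR_KEY = b"\x5a\xa3\x17"                 # hypothetical 3-byte repeating key
BENIGN_SECTION = b".rdata" + b"\x00" * 58  # hypothetical inert section bytes


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def append_benign_section(data: bytes, section: bytes) -> bytes:
    """Model 'benign section addition' as appending inert bytes: existing bytes are
    untouched, but the file hash and size-derived features change."""
    return data + section


def signature_scan(data: bytes, signatures) -> list:
    """Plain byte-signature matching: the baseline an obfuscator tries to defeat."""
    return [s for s in signatures if s in data]


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 for constant data, up to 8.0 for uniform data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def recover_xor_key(data: bytes, sig: bytes, max_key_len: int = 8):
    """Known-plaintext search for a repeating XOR key of length <= max_key_len.
    Sliding `sig` over `data`, the XOR of each window with `sig` is the key stream
    at that offset; a genuine hit makes that stream periodic. Returns (offset, key)
    with the key rotated to file offset 0, or None. Requiring at least two full
    periods keeps short keys from matching by coincidence. A recovered key of
    b"\\x00" means the signature is present in the clear."""
    n = len(sig)
    for off in range(len(data) - n + 1):
        stream = bytes(d ^ s for d, s in zip(data[off:off + n], sig))
        for klen in range(1, max_key_len + 1):
            if n < 2 * klen:
                break
            if all(stream[i] == stream[i % klen] for i in range(n)):
                key = bytes(stream[(j - off) % klen] for j in range(klen))
                return off, key
    return None


def compare_variants(sample: bytes, key: bytes, section: bytes) -> dict:
    """Build the two perturbed variants and record what each detector sees."""
    xored = xor_obfuscate(sample, key)
    padded = append_benign_section(sample, section)
    return {
        "original": {
            "sha256": hashlib.sha256(sample).hexdigest(),
            "sig_hits": signature_scan(sample, [SIGNATURE]),
            "entropy": shannon_entropy(sample),
        },
        "xor": {
            "sha256": hashlib.sha256(xored).hexdigest(),
            "sig_hits": signature_scan(xored, [SIGNATURE]),   # empty: bytes are hidden
            "entropy": shannon_entropy(xored),                # rises: runs get split
            "recovered": recover_xor_key(xored, SIGNATURE),   # (offset, key) or None
        },
        "benign_section": {
            "sha256": hashlib.sha256(padded).hexdigest(),     # differs from original
            "sig_hits": signature_scan(padded, [SIGNATURE]),  # still hits: bytes intact
            "entropy": shannon_entropy(padded),
        },
    }


if __name__ == "__main__":
    for name, r in compare_variants(SAMPLE, XOR_KEY, BENIGN_SECTION).items():
        print(f"{name:15s} sha256={r['sha256'][:16]}... sig_hits={len(r['sig_hits'])} "
              f"entropy={r['entropy']:.2f} recovered={r.get('recovered')}")
```

The interesting line is the `xor` entry: the raw signature scan returns nothing, but the entropy of the XOR-encoded buffer rises because every constant run is spread over three values, and the known-plaintext search still returns the offset of the hidden marker together with the key that was used. Against the benign-section variant the opposite holds: the hash changes, so any allow/deny list keyed on it misses, yet the signature scan is unaffected. Which of these properties a given engine relies on is what decides whether a perturbation evades it.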
Keywords
variants, perturbations