
Raspberry Pi system leverages EM signals to detect malware
The researchers' system uses a Raspberry Pi, an H-field probe, which senses the near-field electromagnetic energy directly around a device under test, and an oscilloscope (a Picoscope 6407) to detect the electromagnetic wave signatures of multiple types of viruses. The system is based on the idea that running software generates electromagnetic waves, and that each piece of software generates its own unique wave patterns because of the way it executes its code.
To test this idea, the researchers began using an H-field probe to capture wave patterns of known computer viruses running on various devices and viewed the results on an oscilloscope. They saw oscilloscope patterns that were unique to individual viruses as they were running.
They then used that information to program a Raspberry Pi to recognize known virus wave patterns in signals captured from other devices, turning the system into a virus detector. To determine whether a virus is running on a computer, IoT device or smartphone, a user places the H-field probe close enough to the device to read the electromagnetic waves it generates.
The Raspberry Pi then reports whether it found any viruses and, if so, which ones. Testing found the system capable of detecting 99.82% of generic malware, along with a benign class.
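The pipeline described above (capture a trace, turn it into a spectral signature, match it against signatures learned from known samples) can be illustrated end to end. The following is an added example, not the researchers' code or the method in their paper: the "EM traces" are constructed synthetic signals, each software class is modelled as two tones at assumed DFT bins, the run-to-run perturbations (gain, noise, time shift) are assumptions standing in for measurement variation rather than a model of real obfuscation, and the nearest-centroid classifier with an "unknown" rejection threshold is a deliberately simple stand-in for the trained models a real detector would use.

```python
"""Toy EM-signature classifier (added example; all signals are constructed)."""
import cmath
import math
import random
from statistics import median

WINDOW = 64              # samples per DFT window
WINDOWS_PER_TRACE = 4    # windows averaged into one spectral signature
TRACE_LEN = WINDOW * WINDOWS_PER_TRACE

# Assumed signatures: each class is two tones at fixed DFT bins (cycles per
# window). These are stand-ins for real emissions, not measured values.
SIGNATURES = {
    "benign":    (3, 11),
    "malware_a": (5, 17),
    "malware_b": (7, 23),
}


def synth_trace(bins, rng, gain=1.0, noise=0.3, shift=0):
    """Constructed EM-like trace: tones at the given bins, random phase,
    optional gain/time-shift perturbation, plus Gaussian noise."""
    phases = [rng.uniform(0.0, 2.0 * math.pi) for _ in bins]
    trace = []
    for n in range(TRACE_LEN):
        t = n + shift
        v = sum(gain * math.cos(2.0 * math.pi * k * t / WINDOW + p)
                for k, p in zip(bins, phases))
        trace.append(v + rng.gauss(0.0, noise))
    return trace


def magnitude_spectrum(samples):
    """Naive DFT magnitudes for bins 0..N/2 (pure Python, no numpy)."""
    n = len(samples)
    mags = []
    for k in range(n // 2 + 1):
        acc = sum(x * cmath.exp(-2j * math.pi * k * i / n)
                  for i, x in enumerate(samples))
        mags.append(abs(acc))
    return mags


def features(trace):
    """Average the magnitude spectra of consecutive windows, take log, and
    subtract the median bin (a crude noise-floor estimate) so that only
    spectral peaks carry weight. Magnitude is insensitive to time shifts."""
    nbins = WINDOW // 2 + 1
    acc = [0.0] * nbins
    for w in range(WINDOWS_PER_TRACE):
        spec = magnitude_spectrum(trace[w * WINDOW:(w + 1) * WINDOW])
        for i, m in enumerate(spec):
            acc[i] += m / WINDOWS_PER_TRACE
    logs = [math.log1p(m) for m in acc]
    floor = median(logs)
    return [v - floor for v in logs]


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


class CentroidClassifier:
    """One centroid per class; matches below `threshold` are reported as
    'unknown' rather than force-fitted to the closest known signature."""

    def __init__(self, threshold=0.5):
        self.threshold = threshold
        self.centroids = {}

    def fit(self, labelled):
        sums, counts = {}, {}
        for label, feat in labelled:
            s = sums.setdefault(label, [0.0] * len(feat))
            for i, v in enumerate(feat):
                s[i] += v
            counts[label] = counts.get(label, 0) + 1
        self.centroids = {l: [v / counts[l] for v in s] for l, s in sums.items()}

    def predict(self, feat):
        best_label, best_score = "unknown", self.threshold
        for label, c in self.centroids.items():
            score = cosine(feat, c)
            if score > best_score:
                best_label, best_score = label, score
        return best_label, best_score


def build_and_evaluate(seed=1, n_train=10, n_test=5):
    """Train on clean traces, test on perturbed ones plus one unseen class.
    Returns (classifier, accuracy on known classes, label for unseen trace)."""
    rng = random.Random(seed)
    clf = CentroidClassifier()
    train = [(lbl, features(synth_trace(b, rng)))
             for lbl, b in SIGNATURES.items() for _ in range(n_train)]
    clf.fit(train)
    correct = total = 0
    for lbl, b in SIGNATURES.items():
        for _ in range(n_test):
            tr = synth_trace(b, rng, gain=rng.uniform(0.5, 1.5),
                             noise=0.5, shift=rng.randrange(WINDOW))
            pred, _ = clf.predict(features(tr))
            correct += (pred == lbl)
            total += 1
    unseen = synth_trace((2, 29), rng, noise=0.5)   # class never trained on
    return clf, correct / total, clf.predict(features(unseen))[0]


if __name__ == "__main__":
    _, acc, unseen_label = build_and_evaluate()
    print(f"accuracy on known classes: {acc:.2f}; unseen sample -> {unseen_label}")
```

The rejection threshold is the point a practitioner should note: a signature-matching detector can only name classes it was trained on, so a low-confidence match should be surfaced as "unknown" for analyst review rather than silently assigned to the nearest known family.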
“Using our approach,” say the researchers in a paper on their work, “a malware analyst is able to obtain precise knowledge about malware type and identity, even in the presence of obfuscation techniques which may prevent static or symbolic binary analysis.”
The system is notable, say the researchers, because it does not require software installation on the device being tested – detection is done using the external system. It is also notable because it is not susceptible to obfuscation techniques developed by virus builders to hide their malware's presence.
“Our results show that we are able to classify altered malware samples with unseen obfuscation techniques during the training phase, and to determine what kind of obfuscations were applied to the binary, which makes our approach particularly useful for malware analysts,” say the researchers.
While such a system is not likely to be sold to consumers, say the researchers, it could very well be used for large applications or servers.
For more, see “Obfuscation Revealed: Leveraging Electromagnetic Signals for Obfuscated Malware Classification.”