Coding Malware in Fancy Programming Languages for Fun and Profit

Theodoros Apostolopoulos; Vasilios Koutsokostas; Nikolaos Totosis; Constantinos Patsakis; Georgios Smaragdakis

doi:10.1145/3714393.3726506

Coding Malware in Fancy Programming Languages for Fun and Profit

Theodoros Apostolopoulos, Vasilios Koutsokostas, Nikolaos Totosis, Constantinos Patsakis, Georgios Smaragdakis

Cyber Security

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

11 Downloads (Pure)

Abstract

The continuous increase in malware samples, both in sophistication and number, presents many challenges for organizations and analysts, who must cope with thousands of new heterogeneous samples daily. This requires robust methods to quickly determine whether a file is malicious. Due to its speed and efficiency, static analysis is the first line of defense.
In this work, we illustrate how the practical state-of-the-art methods used by antivirus solutions may fail to detect evident malware traces. The reason is that they highly depend on very strict signatures where minor deviations prevent them from detecting shellcodes that otherwise would immediately be flagged as malicious. Thus, our findings illustrate that malware authors may drastically decrease the detections by converting the code base to less-used programming languages. To this end, we study the features that such programming languages introduce in executables and the practical issues that arise for practitioners to detect malicious activity.

Original language	English
Title of host publication	CODASPY 2025 - Proceedings of the 15th ACM Conference on Data and Application Security and Privacy
Place of Publication	New York, NY
Publisher	Association for Computing Machinery (ACM)
Pages	18-29
Number of pages	12
ISBN (Electronic)	9798400714764
DOIs	https://doi.org/10.1145/3714393.3726506
Publication status	Published - 2025
Event	15th ACM Conference on Data and Application Security and Privacy, CODASPY 2025 - Pittsburgh, United States Duration: 4 Jun 2025 → 6 Jun 2025

Publication series

Name	CODASPY '25
Publisher	ACM

Conference

Conference	15th ACM Conference on Data and Application Security and Privacy, CODASPY 2025
Country/Territory	United States
City	Pittsburgh
Period	4/06/25 → 6/06/25

Keywords

compilers
evasion
malware
programming languages

Access to Document

10.1145/3714393.3726506

3714393.3726506Final published version, 1.52 MBLicence: CC BY

Cite this

@inproceedings{600de669aa6b4f75b546c9a104afeadd,

title = "Coding Malware in Fancy Programming Languages for Fun and Profit",

abstract = "The continuous increase in malware samples, both in sophistication and number, presents many challenges for organizations and analysts, who must cope with thousands of new heterogeneous samples daily. This requires robust methods to quickly determine whether a file is malicious. Due to its speed and efficiency, static analysis is the first line of defense.In this work, we illustrate how the practical state-of-the-art methods used by antivirus solutions may fail to detect evident malware traces. The reason is that they highly depend on very strict signatures where minor deviations prevent them from detecting shellcodes that otherwise would immediately be flagged as malicious. Thus, our findings illustrate that malware authors may drastically decrease the detections by converting the code base to less-used programming languages. To this end, we study the features that such programming languages introduce in executables and the practical issues that arise for practitioners to detect malicious activity.",

keywords = "compilers, evasion, malware, programming languages",

author = "Theodoros Apostolopoulos and Vasilios Koutsokostas and Nikolaos Totosis and Constantinos Patsakis and Georgios Smaragdakis",

year = "2025",

doi = "10.1145/3714393.3726506",

language = "English",

series = "CODASPY '25",

publisher = "Association for Computing Machinery (ACM)",

pages = "18--29",

booktitle = "CODASPY 2025 - Proceedings of the 15th ACM Conference on Data and Application Security and Privacy",

address = "United States",

note = "15th ACM Conference on Data and Application Security and Privacy, CODASPY 2025 ; Conference date: 04-06-2025 Through 06-06-2025",

}

Apostolopoulos, T, Koutsokostas, V, Totosis, N, Patsakis, C & Smaragdakis, G 2025, Coding Malware in Fancy Programming Languages for Fun and Profit. in CODASPY 2025 - Proceedings of the 15th ACM Conference on Data and Application Security and Privacy. CODASPY '25, Association for Computing Machinery (ACM), New York, NY, pp. 18-29, 15th ACM Conference on Data and Application Security and Privacy, CODASPY 2025, Pittsburgh, United States, 4/06/25. https://doi.org/10.1145/3714393.3726506

Coding Malware in Fancy Programming Languages for Fun and Profit. / Apostolopoulos, Theodoros; Koutsokostas, Vasilios; Totosis, Nikolaos et al.
CODASPY 2025 - Proceedings of the 15th ACM Conference on Data and Application Security and Privacy. New York, NY: Association for Computing Machinery (ACM), 2025. p. 18-29 (CODASPY '25).

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

TY - GEN

T1 - Coding Malware in Fancy Programming Languages for Fun and Profit

AU - Apostolopoulos, Theodoros

AU - Koutsokostas, Vasilios

AU - Totosis, Nikolaos

AU - Patsakis, Constantinos

AU - Smaragdakis, Georgios

PY - 2025

Y1 - 2025

N2 - The continuous increase in malware samples, both in sophistication and number, presents many challenges for organizations and analysts, who must cope with thousands of new heterogeneous samples daily. This requires robust methods to quickly determine whether a file is malicious. Due to its speed and efficiency, static analysis is the first line of defense.In this work, we illustrate how the practical state-of-the-art methods used by antivirus solutions may fail to detect evident malware traces. The reason is that they highly depend on very strict signatures where minor deviations prevent them from detecting shellcodes that otherwise would immediately be flagged as malicious. Thus, our findings illustrate that malware authors may drastically decrease the detections by converting the code base to less-used programming languages. To this end, we study the features that such programming languages introduce in executables and the practical issues that arise for practitioners to detect malicious activity.

AB - The continuous increase in malware samples, both in sophistication and number, presents many challenges for organizations and analysts, who must cope with thousands of new heterogeneous samples daily. This requires robust methods to quickly determine whether a file is malicious. Due to its speed and efficiency, static analysis is the first line of defense.In this work, we illustrate how the practical state-of-the-art methods used by antivirus solutions may fail to detect evident malware traces. The reason is that they highly depend on very strict signatures where minor deviations prevent them from detecting shellcodes that otherwise would immediately be flagged as malicious. Thus, our findings illustrate that malware authors may drastically decrease the detections by converting the code base to less-used programming languages. To this end, we study the features that such programming languages introduce in executables and the practical issues that arise for practitioners to detect malicious activity.

KW - compilers

KW - evasion

KW - malware

KW - programming languages

UR - http://www.scopus.com/inward/record.url?scp=105011358665&partnerID=8YFLogxK

U2 - 10.1145/3714393.3726506

DO - 10.1145/3714393.3726506

M3 - Conference contribution

T3 - CODASPY '25

SP - 18

EP - 29

BT - CODASPY 2025 - Proceedings of the 15th ACM Conference on Data and Application Security and Privacy

PB - Association for Computing Machinery (ACM)

CY - New York, NY

T2 - 15th ACM Conference on Data and Application Security and Privacy, CODASPY 2025

Y2 - 4 June 2025 through 6 June 2025

ER -

Coding Malware in Fancy Programming Languages for Fun and Profit

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this