Abstract
Computer viruses are becoming increasingly difficult to identify. Modern computer viruses use mutation techniques such as polymorphism and metamorphism to evade detection. Previous research on mutated computer virus detection has limitations: 1) most approaches cannot handle advanced mutation techniques; 2) methods based on source code analysis are less practical; 3) some methods are unable to detect computer viruses immediately. In this paper, we present a new dynamic approach to detecting and analyzing computer viruses based on virtual machine technology. We show 1) how to generate Purpose Capturing Signatures from runtime values (the execution value sequence, EVS) and control flows (the execution control sequence, ECS), and 2) how to detect and analyze computer viruses using these purpose-capturing signatures. To the best of our knowledge, this is the first method to perform computer virus detection and analysis using the EVS and ECS. Our experimental evaluation demonstrates that this approach can use a single signature to efficiently detect all mutations of the corresponding virus.
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
Cite this paper
Jia, X., Xiong, X., Jing, J., Liu, P. (2010). Using Purpose Capturing Signatures to Defeat Computer Virus Mutating. In: Kwak, J., Deng, R.H., Won, Y., Wang, G. (eds) Information Security, Practice and Experience. ISPEC 2010. Lecture Notes in Computer Science, vol 6047. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-12827-1_12
DOI: https://doi.org/10.1007/978-3-642-12827-1_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-12826-4
Online ISBN: 978-3-642-12827-1