Using engine signature to detect metamorphic malware
Source: Proceedings of the 4th ACM Workshop on Recurring Malcode (held with the ACM Conference on Computer and Communications Security), Alexandria, Virginia, USA
Session: Modeling
Pages: 73-78
Year of Publication: 2006
ISBN: 1-59593-551-9
Authors
Mohamed R. Chouchane  University of Louisiana at Lafayette
Arun Lakhotia  University of Louisiana at Lafayette
Sponsors
ACM: Association for Computing Machinery
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1179542.1179558

ABSTRACT

This paper introduces the "engine signature" approach to assist in detecting metamorphic malware by tracking it to its engine. More specifically, it presents and evaluates a code scoring technique for collecting forensic evidence from x86 code segments in order to get some measure of how likely they are to have been generated by some known instruction-substituting metamorphic engine. A prototype simulator that mimics real instruction-substituting metamorphic engines was implemented and used to conduct several experiments that evaluate the goodness of the scoring technique for given engine parameters. The technique was also used to successfully help track variants of W32.Evol to their engine.
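The scoring idea the abstract describes, as an added illustration that is not the paper's code and does not use W32.Evol's real rules: a hypothetical instruction-substituting engine with four constructed substitution rules, a simulator that applies them with a tunable probability (the "engine parameter"), and a scorer that reports what fraction of the rule sites in a code segment already sit in the engine's output form. Everything here (the rules, the toy programs written as plain instruction strings, the score formula) is an assumption made for the example.

```python
"""Toy "engine signature" scorer: estimate how much of a code segment is in
the output forms of a known instruction-substituting metamorphic engine.
Constructed illustration: the engine, its rules, the programs and the scoring
formula are assumptions made for this example, not the paper's or W32.Evol's."""
import random
from typing import Dict, List, Tuple

# Constructed rules of a hypothetical engine: each key is one instruction and
# each value is the semantically equivalent sequence the engine rewrites it to.
# No output instruction is itself a rule input, so a site is rewritten at most
# once per generation and is never rewritten again in later generations.
RULES: Dict[str, Tuple[str, ...]] = {
    "mov eax, 0":   ("xor eax, eax",),
    "push ebp":     ("sub esp, 4", "mov [esp], ebp"),
    "add eax, 4":   ("add eax, 2", "add eax, 2"),
    "mov [edi], 4": ("push 4", "pop dword [edi]"),
}


def engine_mutate(program: List[str], p: float, seed: int = 0) -> List[str]:
    """Simulate one generation of the engine: each rule-eligible instruction
    is replaced by its substitution with probability p (an engine parameter)."""
    rng = random.Random(seed)
    out: List[str] = []
    for ins in program:
        if ins in RULES and rng.random() < p:
            out.extend(RULES[ins])
        else:
            out.append(ins)
    return out


def site_counts(program: List[str]) -> Tuple[int, int]:
    """Scan a segment for rule sites. Returns (untransformed rule inputs,
    windows that match a rule's output form). Output windows are matched
    longest-first and consumed, so one substitution is counted exactly once."""
    outputs = sorted(RULES.values(), key=len, reverse=True)
    inputs = found = 0
    i = 0
    while i < len(program):
        for seq in outputs:
            if tuple(program[i:i + len(seq)]) == seq:
                found += 1
                i += len(seq)
                break
        else:
            if program[i] in RULES:
                inputs += 1
            i += 1
    return inputs, found


def engine_score(program: List[str]) -> float:
    """Fraction of rule sites already in the engine's output form.
    0.0: no site shows the engine's work; 1.0: every eligible site was
    rewritten. A segment with no rule sites carries no evidence and scores 0.0.
    Caveat: an output form a compiler also emits (xor eax, eax) counts as
    evidence too, which is the main false-positive source of this scheme."""
    inputs, found = site_counts(program)
    total = inputs + found
    return found / total if total else 0.0


def expected_score(p: float, generations: int) -> float:
    """Expected score of a variant after `generations` runs of an engine that
    rewrites each eligible site with probability p: a site stays untransformed
    only if it is skipped in every generation."""
    return 1.0 - (1.0 - p) ** generations


def demo() -> Dict[str, float]:
    """Score a constructed base program and two engine-generated variants."""
    base = ["push ebp", "mov ebp, esp", "mov eax, 0", "add eax, 4",
            "mov [edi], 4", "pop ebp", "ret"]
    full = engine_mutate(base, p=1.0, seed=1)
    partial = engine_mutate(base, p=0.5, seed=7)
    return {
        "base": engine_score(base),
        "full": engine_score(full),
        "partial": engine_score(partial),
        "expected_p0.5_gen2": expected_score(0.5, 2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>20}: {value:.2f}")
```

Running the script prints 0.00 for the untouched base program and 1.00 for the fully rewritten variant; the partially rewritten one lands in between, and expected_score says where a variant should land after a given number of generations at a given substitution probability. Comparing observed against expected is what turns the raw count into evidence about a specific engine, and the caveat in engine_score is why a real scorer has to discount output forms that ordinary compilers produce on their own.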


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

1. Bruschi, D., Martignoni, L., and Monga, M. Using Code Normalization for Fighting Self-Mutating Malware. In Proceedings of the International Symposium on Secure Software Engineering (Arlington, VA, 2006).
2. Chess, D. M., and White, S. R. An Undetectable Computer Virus. In Proceedings of the Virus Bulletin Conference (2000).
3. Cohen, F. Computational Aspects of Computer Viruses. Computers & Security 8 (1989), 325-344.
4.
5. Karim, M. E., Walenstein, A., Lakhotia, A., and Parida, L. Malware Phylogeny Generation using Permutations of Code. Journal in Computer Virology 1, 1-2 (Nov. 2005), 13-23.
6. Krsul, I., and Spafford, E. H. Authorship Analysis: Identifying the Author of a Program. Technical Report 96-052, Purdue University, 1996.
7. Kruegel, C., Kirda, E., Mutz, D., Robertson, W., and Vigna, G. Polymorphic Worm Detection Using Structural Information of Executables. In Proceedings of the 8th Symposium on Recent Advances in Intrusion Detection (RAID) (Seattle, WA, USA, September 7-9, 2005).
8. Spinellis, D. Reliable Identification of Bounded-Length Viruses is NP-Complete. IEEE Transactions on Information Theory 49, 1 (2003), 280-284.
9.
10.