|
 ABSTRACT
In today's interconnected world, malware, such as worms and viruses, can cause havoc. A malware detector (commonly known as virus scanner) attempts to identify malware. In spite of the importance of malware detectors, there is a dearth of testing techniques for evaluating them. We present a technique based on program obfuscation for generating tests for malware detectors. Our technique is geared towards evaluating the resilience of malware detectors to various obfuscation transformations commonly used by hackers to disguise malware. We also demonstrate that a hacker can leverage a malware detector's weakness in handling obfuscation transformations and can extract the signature used by a detector for a specific malware. We evaluate three widely-used commercial virus scanners using our techniques and discover that the resilience of these scanners to various obfuscations is very poor.
REFERENCES
Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.
| |
1
|
|
| |
2
|
K. Brunnstein. "Heureka-2" AntiVirus Tests. Virus Test Center, University of Hamburg, Computer Science Department, Mar. 2002. Published online at http://agn-www.informatik.uni-hamburg.de/vtc/en0203.htm. Last accessed: 16 Jan. 2004.
|
| |
3
|
|
| |
4
|
|
| |
5
|
C. Collberg, C. Thomborson, and D. Low. A taxonomy of obfuscating transformations. Technical Report 148, Department of Computer Science, University of Auckland, New Zealand, July 1997.
|
| |
6
|
|
 |
7
|
Christian Collberg , Clark Thomborson , Douglas Low, Manufacturing cheap, resilient, and stealthy opaque constructs, Proceedings of the 25th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.184-196, January 19-21, 1998, San Diego, California, United States
[doi> 10.1145/268946.268962]
|
| |
8
|
|
| |
9
|
T. Detristan, T. Ulenspiegel, Y. Malcom, and M. S. von Underduk. Polymorphic shellcode engine using spectrum analysis. Phrack, 11(61), Aug. 2003. Published online at http://www.phrack.org. Last accessed: 16 Jan. 2004.
|
| |
10
|
J. W. Duran and S. C. Ntafos. An evaluation of random testing. IEEE Transactions on Software Engineering, 10(7):438--444, July 1984.
|
| |
11
|
J. E. Forrester and B. P. Miller. An empirical study of the robustness of Windows NT applications using random testing. In Proceedings of the 4th USENIX Windows Systems Symposium, pages 59--68, Seattle, WA, USA, Aug. 2000.
|
| |
12
|
Phyllis Frankl , Dick Hamlet , Bev Littlewood , Lorenzo Strigini, Choosing a testing method to deliver reliability, Proceedings of the 19th international conference on Software engineering, p.68-78, May 17-23, 1997, Boston, Massachusetts, United States
[doi> 10.1145/253228.253244]
|
| |
13
|
S. Gordon and R. Ford. Real world anti-virus product reviews and evaluations -- the current state of affairs. In Proceedings of the 19th National Information Systems Security Conference (NISSC'96), pages 526--538, Baltimore, MD, USA, Oct. 1996. National Institute of Standards and Technology (NIST).
|
| |
14
|
|
| |
15
|
|
| |
16
|
|
| |
17
|
ICSA Labs. Anti-virus product certification. Published online at http://www.icsalabs.com/html/communities/antivirus/certification.shtml. Last accessed: 16 Jan. 2004.
|
| |
18
|
E. Kaspersky. Virus List Encyclopedia, chapter Ways of Infection: Viruses without an Entry Point. Kaspersky Labs, 2002.
|
| |
19
|
LURHQ Threat Intelligence Group. Sobig.a and the spam you received today. Technical report, LURHQ, 2003. Published online at http://www.lurhq.com/sobig.html. Last accessed on 16 Jan. 2004.
|
| |
20
|
LURHQ Threat Intelligence Group. Sobig.e -Evolution of the worm. Technical report, LURHQ, 2003. Published online at http://www.lurhq.com/sobig-e.html. Last accessed on 16 Jan. 2004.
|
| |
21
|
LURHQ Threat Intelligence Group. Sobig.f examined. Technical report, LURHQ, 2003. Published online at http://www.lurhq.com/sobig-f.html. Last accessed on 16 Jan. 2004.
|
| |
22
|
A. Marinescu. Russian doll. Virus Bulletin, pages 7--9, Aug. 2003.
|
| |
23
|
A. Marx. A guideline to anti-malware-software testing. In Proceedings of the 9th Annual European Institute for Computer Antivirus Research Conference (EICAR'00), 2000.
|
| |
24
|
A. Marx. Retrospective testing -- how good heuristics really work. In Proceedings of the 2002 Virus Bulletin Conference (VB2002), New Orleans, LA, USA, Sept. 2002. Virus Bulletin.
|
| |
25
|
McAfee AVERT. Virus information library. Published online at http://us.mcafee.com/virusInfo/default.asp. Last accessed: 16 Jan. 2004.
|
| |
26
|
|
| |
27
|
|
| |
28
|
B. P. Miller, D. Koski, C. P. Lee, V. Maganty, R. Murthy, A. Natarajan, and J. Steidl. Fuzz revisited: A re-examination of the reliability of UNIX utilities and services. Technical Report 1268, University of Wisconsin, Madison, Computer Sciences Department, Madison, WI, USA, Apr. 1995.
|
| |
29
|
|
| |
30
|
|
| |
31
|
|
| |
32
|
Symantec Antivirus Research Center. Expanded threat list and virus encyclopedia. Published online at http://securityresponse.symantec.com/avcenter/venc/data/cih.html. Last accessed: 16 Jan. 2004.
|
| |
33
|
P. Ször and P. Ferrie. Hunting for metamorphic. In Proceedings of 2001 Virus Bulletin Conference (VB2001), pages 123--144, September 2001.
|
| |
34
|
TESO. Burneye ELF encryption program. Published online at http://teso.scene.at. Last accessed: 15 Jan. 2004.
|
| |
35
|
The WildList Organization International. Frequently asked questions. Published online at http://www.wildlist.org/faq.htm. Last accessed: 16 Jan. 2004.
|
| |
36
|
Virus Bulletin. VB 100% Award. Published online at http://www.virusbtn.com/vb100/about/100use.xml. Last accessed: 16 Jan. 2004.
|
| |
37
|
|
| |
38
|
West Coast Labs. Anti-virus Checkmark level 2. Published online at http://www.check-mark.com/checkmark/pdf/Checkmark_AV1.pdf. Last accessed: 16 Jan. 2004.
|
| |
39
|
West Coast Labs. Anti-virus Checkmark level 2. Published online at http://www.check-mark.com/checkmark/pdf/Checkmark_AV2.pdf. Last accessed: 16 Jan. 2004.
|
| |
40
|
|
| |
41
|
G. Wroblewski. General method of program code obfuscation. PhD thesis, Institute of Engineering Cybernetics, Wroclaw University of Technology, Wroclaw, Poland, 2002.
|
| |
42
|
z0mbie. Automated reverse engineering: Mistfall engine. Published online at http://z0mbie.host.sk/autorev.txt. Last accessed: 16 Jan. 2004.
|
| |
43
|
z0mbie. z0mbie's homepage. Published online at http://z0mbie.host.sk. Last accessed: 16 Jan. 2004.
|
CITED BY 3
|
|
Manuel Egele , Christopher Kruegel , Engin Kirda , Heng Yin , Dawn Song, Dynamic spyware analysis, 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference, p.1-14, June 17-22, 2007, Santa Clara, CA
|
|
|
|
|
|
|
Peer to Peer - Readers of this Article have also read:
-
Data structures for quadtree approximation and compression
Communications of the ACM
28, 9
Hanan Samet
-
A hierarchical single-key-lock access control using the Chinese remainder theorem
Proceedings of the 1992 ACM/SIGAPP Symposium on Applied computing
Kim S. Lee
, Huizhu Lu
, D. D. Fisher
-
The GemStone object database management system
Communications of the ACM
34, 10
Paul Butterworth
, Allen Otis
, Jacob Stein
-
Putting innovation to work: adoption strategies for multimedia communication systems
Communications of the ACM
34, 12
Ellen Francik
, Susan Ehrlich Rudman
, Donna Cooper
, Stephen Levine
-
An intelligent component database for behavioral synthesis
Proceedings of the 27th ACM/IEEE conference on Design automation
Gwo-Dong Chen
, Daniel D. Gajski
|
Adobe Acrobat
QuickTime
Windows Media Player
Real Player
Pdf
D.2