Abstract
Malware detection and prevention is critical for the protection of computing systems across the Internet. The difficulty in detecting malware is that it evolves over time, so traditional signature-based malware detectors fail to detect obfuscated and previously unseen malware executables. However, as malware evolves, some semantics of the original malware are preserved, because those semantics are necessary for the malware to remain effective. Using this observation, we present a novel method for detecting malware based on the correlation between the semantics of the malware and its API calls. We construct a base signature for an entire malware class rather than for a single specimen of malware. Such a signature is capable of detecting even unknown and advanced variants that belong to that class. We demonstrate our approach on some well-known malware classes and show that any advanced variant of a malware class is detected from its base signature.
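The abstract describes a class-level "base signature" derived from the API calls that every variant of a malware class must keep. The following Python is an added illustration of that idea, not code from the paper; the concrete rule it uses (take the API calls shared by a configurable fraction of known specimens, then flag an unknown executable by how much of that set it imports) is this example's assumption, and all specimen names and API lists are constructed sample data.

```python
"""Class-level signature from API calls shared across malware variants.

Added example, not the paper's own method. Assumed rule: the base signature of
a class is the set of API calls present in at least `min_support` of the known
specimens; a sample matches the class when it covers at least `threshold` of
that signature. API names are ordinary Win32 imports; the grouping of
specimens into a "class" is constructed for the example.
"""
from collections import Counter
from typing import Dict, FrozenSet, Iterable, Set, Tuple

# Constructed sample data: import tables of hypothetical specimens of one
# (made-up) mass-mailing worm class. Each variant keeps the same core behaviour
# (persistence, file enumeration, self-copy, network send) and adds noise APIs.
_CORE = {
    "RegSetValueExA", "CreateFileA", "WriteFile", "WSAStartup", "connect",
    "send", "GetModuleFileNameA", "FindFirstFileA", "FindNextFileA",
}
KNOWN_VARIANTS: Dict[str, Set[str]] = {
    "mailworm_a": _CORE | {"LoadLibraryA"},
    "mailworm_b": _CORE | {"CopyFileA", "Sleep"},
    "mailworm_c": _CORE | {"GetTickCount", "LoadLibraryA"},
}
# Constructed test samples: an obfuscated, previously unseen variant that keeps
# the core APIs but adds runtime-resolution calls; a benign editor that shares
# only a few generic APIs; and a partial variant that swapped one network call.
UNKNOWN_VARIANT = _CORE | {"VirtualAlloc", "GetProcAddress", "Sleep"}
BENIGN_EDITOR = {"CreateFileA", "WriteFile", "ReadFile", "GetOpenFileNameA",
                 "RegSetValueExA", "MessageBoxA"}
PARTIAL_VARIANT = (_CORE - {"send"}) | {"WSASend"}


def build_base_signature(variants: Dict[str, Set[str]],
                         min_support: float = 1.0) -> FrozenSet[str]:
    """Return the API calls present in at least `min_support` of the variants.

    With min_support=1.0 this is the plain intersection; a lower value keeps
    the signature usable when one specimen is missing a call that the rest
    of the class shares.
    """
    if not variants:
        raise ValueError("need at least one known specimen")
    counts: Counter = Counter()
    for api_set in variants.values():
        counts.update(set(api_set))  # count each API once per specimen
    n = len(variants)
    return frozenset(api for api, c in counts.items() if c / n >= min_support)


def signature_coverage(signature: FrozenSet[str],
                       sample_apis: Iterable[str]) -> float:
    """Fraction of the base signature that the sample's API calls cover."""
    if not signature:
        raise ValueError("empty signature cannot classify anything")
    present = signature & set(sample_apis)
    return len(present) / len(signature)


def matches_class(signature: FrozenSet[str], sample_apis: Iterable[str],
                  threshold: float = 1.0) -> bool:
    """True when the sample covers at least `threshold` of the signature."""
    return signature_coverage(signature, sample_apis) >= threshold


def classify_samples(threshold: float = 1.0) -> Dict[str, Tuple[float, bool]]:
    """Score the constructed samples against the class signature."""
    sig = build_base_signature(KNOWN_VARIANTS)
    samples = {"unknown_variant": UNKNOWN_VARIANT,
               "benign_editor": BENIGN_EDITOR,
               "partial_variant": PARTIAL_VARIANT}
    return {name: (round(signature_coverage(sig, apis), 3),
                   matches_class(sig, apis, threshold))
            for name, apis in samples.items()}


if __name__ == "__main__":
    for name, (cov, hit) in classify_samples().items():
        print(f"{name:16s} coverage={cov:.3f} match={hit}")
```

The point of the exercise is that the obfuscated unknown variant still matches because its added APIs do not remove any of the shared core, while the benign editor covers only a third of the signature. The `threshold` parameter is where a practitioner trades false negatives (a variant that replaced one core call) against false positives; a value below 1.0 should be chosen against a corpus of benign binaries rather than set by intuition.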
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
Cite this paper
Sathyanarayan, V.S., Kohli, P., Bruhadeshwar, B. (2008). Signature Generation and Detection of Malware Families. In: Mu, Y., Susilo, W., Seberry, J. (eds) Information Security and Privacy. ACISP 2008. Lecture Notes in Computer Science, vol 5107. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-70500-0_25
DOI: https://doi.org/10.1007/978-3-540-70500-0_25
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-69971-2
Online ISBN: 978-3-540-70500-0
eBook Packages: Computer Science (R0)