DOI: 10.1007/11790754_8
Article

Detecting self-mutating malware using control-flow graph matching

Published: 13 July 2006
    Abstract

    Next-generation malware will be characterized by the intense use of polymorphic and metamorphic techniques aimed at circumventing current malware detectors, which are based on pattern matching. In order to deal with this new kind of threat, novel techniques have to be devised for the realization of malware detectors. Recent papers have started to address this issue, and this paper represents a further contribution to the field. More precisely, in this paper we propose a strategy for the detection of metamorphic malicious code inside a program P, based on the comparison of the control flow graphs of P against the set of control flow graphs of known malware. We also provide experimental data supporting the validity of our strategy.
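    The detection strategy described above, as an added worked example that is not code from the paper: a constructed mini-assembly listing is split into basic blocks to form a CFG, a simplified stand-in for the code normalization of [5] removes the nops, jump chains and split blocks a metamorphic engine typically introduces, and a small backtracking matcher (in place of the VFLib library [14] the paper relies on) checks whether the known malware's CFG is isomorphic to a subgraph of the candidate's. The three listings (a constructed malware body, a metamorphic variant of it, and a benign routine), the instruction syntax, the normalization rules and the per-block mnemonic-subset compatibility test are all assumptions made for this illustration, not details taken from the paper.

```python
"""Added illustration, not the paper's code: CFG construction, normalization and
subgraph matching over constructed 'label: mnemonic operands' listings."""
def parse(listing):
    """-> [(label or None, mnemonic, operands)], one tuple per instruction."""
    out = []
    for line in (raw.split(";")[0].strip() for raw in listing.splitlines()):
        label, _, line = line.rpartition(":")          # 'label: instr' or plain 'instr'
        if line.strip():
            mnem, _, ops = line.strip().partition(" ")
            out.append((label.strip() or None, mnem, ops.strip()))
    return out

def build_cfg(instrs):
    """Basic blocks: {leader index: ([mnemonics], [successor block ids])}."""
    labels = {lab: i for i, (lab, _, _) in enumerate(instrs) if lab}
    leaders = {0}
    for i, (_, mnem, rest) in enumerate(instrs):
        if mnem[0] == "j":                   # jmp/jcc: target and fall-through lead blocks
            leaders.update((labels[rest], i + 1))
        elif mnem == "ret":
            leaders.add(i + 1)
    leaders = sorted(l for l in leaders if l < len(instrs))
    cfg = {}
    for k, start in enumerate(leaders):
        end = leaders[k + 1] if k + 1 < len(leaders) else len(instrs)
        last_m, last_r = instrs[end - 1][1:]
        fall = [end] if end < len(instrs) else []
        succ = ([] if last_m == "ret" else [labels[last_r]] if last_m == "jmp"
                else [labels[last_r]] + fall if last_m[0] == "j" else fall)
        cfg[start] = ([m for _, m, _ in instrs[start:end]], succ)
    return cfg

def normalize(cfg):
    """Drop nops, splice out forwarders (empty or lone jmp), merge straight-line pairs."""
    g = {b: ([m for m in mn if m != "nop"], list(s)) for b, (mn, s) in cfg.items()}
    while True:
        preds = {v: [b for b, (_, s) in g.items() if v in s] for v in g}
        for b, (mn, s) in g.items():
            if b and len(s) == 1 and s[0] != b and mn in ([], ["jmp"]):   # keep entry 0
                for _, t in g.values():      # retarget every predecessor of b to b's target
                    t[:] = list(dict.fromkeys(s[0] if x == b else x for x in t))
                del g[b]
                break
            if len(s) == 1 and s[0] not in (0, b) and preds[s[0]] == [b]:
                mn_b, s_b = g.pop(s[0])      # b is the only way into s[0]: merge them
                g[b] = ([m for m in mn if m != "jmp"] + mn_b, s_b)
                break
        else:
            return g

def subgraph_match(pattern, host):
    """Backtracking search (a small VF2-style matcher; the paper used VFLib) for an injective
    map preserving every pattern edge, each pattern block's mnemonic set covered by its host block's."""
    sig = lambda mn: frozenset(m for m in mn if m != "jmp")
    indeg = lambda g: {v: sum(v in s for _, s in g.values()) for v in g}
    pin, hin, order = indeg(pattern), indeg(host), sorted(pattern)
    def compatible(u, v, m):
        m = {**m, u: v}
        return (len(pattern[u][1]) <= len(host[v][1]) and pin[u] <= hin[v]
                and sig(pattern[u][0]) <= sig(host[v][0])   # junk adds, never removes, instructions
                and all(m[x] in host[m[w]][1] for w in m for x in pattern[w][1] if x in m))
    def go(i, m):
        if i == len(order):
            return m
        for v in host:
            if v not in m.values() and compatible(order[i], v, m):
                r = go(i + 1, {**m, order[i]: v})
                if r is not None:
                    return r
    return go(0, {})

def detect(known_malware, candidate):
    """Block mapping malware -> candidate if the malware CFG embeds in it, else None."""
    return subgraph_match(normalize(build_cfg(parse(known_malware))),
                          normalize(build_cfg(parse(candidate))))

MALWARE = """entry: mov ecx, 4     ; constructed known-malware body
loop:  cmp ecx, 0
       jz done
       xor eax, eax
       dec ecx
       jmp loop
done:  ret"""
VARIANT = """start: nop            ; same logic after a metamorphic pass: a nop,
       mov ecx, 4     ; a split block, a jump chain and reordered blocks
       jmp head
body:  xor eax, eax
       jmp body2
exit:  ret
head:  cmp ecx, 0
       jz exit
       jmp body
body2: dec ecx
       jmp head"""
BENIGN = """main:  cmp eax, 2     ; one branch, no loop: must not match
       jnz skip
       mov ebx, 0
skip:  ret"""
```

    Running detect(MALWARE, VARIANT) returns a mapping from the four normalized malware blocks onto the variant's blocks, while detect(MALWARE, BENIGN) returns None. Two caveats a practitioner should keep in mind: without the mnemonic constraint the pattern is just "init, loop header, body, exit", which embeds in any program containing a while loop, so structure-only CFG matching has a high false-positive rate on small malware bodies; and the mnemonic constraint is itself defeated by instruction substitution (xor eax, eax rewritten as mov eax, 0), which is exactly the kind of variation a real normalizer has to canonicalize before matching.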

    References

    [1] Boomerang. http://boomerang.sourceforge.net
    [2] MetaPHOR. http://securityresponse.symantec.com/avcenter/venc/data/w32.simile.html
    [3] A. V. Aho, R. Sethi, and J. D. Ullman. Compilers: Principles, Techniques and Tools. Addison-Wesley, 1986
    [4] Computer Associates. Security advisor center glossary. http://www3.ca.com/securityadvisor/glossary.aspx
    [5] D. Bruschi, L. Martignoni, and M. Monga. Using code normalization for fighting self-mutating malware. In Proceedings of the International Symposium on Secure Software Engineering, Arlington, VA, 2006. IEEE Computer Society
    [6] D. M. Chess and S. R. White. An undetectable computer virus. In Proceedings of the Virus Bulletin Conference, Sept. 2000
    [7] M. Christodorescu and S. Jha. Static analysis of executables to detect malicious patterns. In Proceedings of the USENIX Security Symposium, Aug. 2003
    [8] M. Christodorescu and S. Jha. Testing malware detectors. In Proceedings of the 2004 ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2004), pages 34-44, Boston, MA, USA, July 2004. ACM Press
    [9] M. Christodorescu, S. Jha, S. A. Seshia, D. Song, and R. E. Bryant. Semantics-aware malware detection. In Proceedings of the 2005 IEEE Symposium on Security and Privacy (Oakland 2005), Oakland, CA, USA, May 2005
    [10] F. B. Cohen. A Short Course on Computer Viruses. Wiley Professional Computing, 1994
    [11] C. Collberg, C. Thomborson, and D. Low. A taxonomy of obfuscating transformations. Technical Report 148, Department of Computer Science, University of Auckland, July 1997
    [12] S. K. Debray, W. Evans, R. Muth, and B. D. Sutter. Compiler techniques for code compaction. ACM Trans. Program. Lang. Syst., 22(2):378-415, 2000
    [13] P. Ferrie and P. Ször. Zmist opportunities. Virus Bulletin, March 2001
    [14] P. Foggia. The VFLib graph matching library, version 2.0. http://amalfi.dis.unina.it/graph/db/vflib-2.0/
    [15] A. Kapoor. An approach towards disassembly of malicious binaries. Master's thesis, University of Louisiana at Lafayette, 2004
    [16] C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Polymorphic worm detection using structural information of executables. In International Symposium on Recent Advances in Intrusion Detection, 2005
    [17] C. Kruegel, W. Robertson, F. Valeur, and G. Vigna. Static disassembly of obfuscated binaries. In Proceedings of USENIX Security 2004, pages 255-270, San Diego, CA, August 2004
    [18] A. Lakhotia, E. U. Kumar, and M. Venable. A method for detecting obfuscated calls in malicious binaries. IEEE Transactions on Software Engineering, 31(11):955-968, 2005
    [19] C. Linn and S. Debray. Obfuscation of executable code to improve resistance to static disassembly. In CCS '03: Proceedings of the 10th ACM Conference on Computer and Communications Security, pages 290-299, New York, NY, USA, 2003. ACM Press
    [20] S. S. Muchnick. Advanced Compiler Design and Implementation. Morgan Kaufmann Publishers Inc., San Francisco, CA, USA, 1997
    [21] J. Newsome, B. Karp, and D. X. Song. Polygraph: Automatically generating signatures for polymorphic worms. In IEEE Symposium on Security and Privacy, pages 226-241, 2005
    [22] S. Pearce. Viral polymorphism. SANS Institute, 2003
    [23] P. Ször and P. Ferrie. Hunting for metamorphic. In Proceedings of the Virus Bulletin Conference, Sept. 2001



    Published In

    DIMVA'06: Proceedings of the Third international conference on Detection of Intrusions and Malware & Vulnerability Assessment
    July 2006
    194 pages
    ISBN: 354036014X
    Editors: Roland Büschkes, Pavel Laskov

    Sponsors

    • Runs
    • McAfee
    • Symantec
    • Technologiestiftung Berlin

    Publisher

    Springer-Verlag

    Berlin, Heidelberg


    Cited By

    • (2024) R2I: A Relative Readability Metric for Decompiled Code. Proceedings of the ACM on Software Engineering, 1(FSE), 383-405. DOI 10.1145/3643744. Online publication date: 12 Jul 2024
    • (2023) EMBERSim. Proceedings of the 37th International Conference on Neural Information Processing Systems, 26722-26743. DOI 10.5555/3666122.3667283. Online publication date: 10 Dec 2023
    • (2023) Accurate Disassembly of Complex Binaries Without Use of Compiler Metadata. Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 4, 1-18. DOI 10.1145/3623278.3624766. Online publication date: 25 Mar 2023
    • (2023) Scalable Program Clone Search through Spectral Analysis. Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 808-820. DOI 10.1145/3611643.3616279. Online publication date: 30 Nov 2023
    • (2023) Dependency-Aware Metamorphic Testing of Datalog Engines. Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, 236-247. DOI 10.1145/3597926.3598052. Online publication date: 12 Jul 2023
    • (2023) A Transformer-based Function Symbol Name Inference Model from an Assembly Language for Binary Reversing. Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security, 951-965. DOI 10.1145/3579856.3582823. Online publication date: 10 Jul 2023
    • (2022) Practical Binary Code Similarity Detection with BERT-based Transferable Similarity Learning. Proceedings of the 38th Annual Computer Security Applications Conference, 361-374. DOI 10.1145/3564625.3567975. Online publication date: 5 Dec 2022
    • (2022) Harm-DoS: Hash Algorithm Replacement for Mitigating Denial-of-Service Vulnerabilities in Binary Executables. Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses, 276-291. DOI 10.1145/3545948.3545967. Online publication date: 26 Oct 2022
    • (2022) Systematically Evaluating the Robustness of ML-based IoT Malware Detection Systems. Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses, 308-320. DOI 10.1145/3545948.3545960. Online publication date: 26 Oct 2022
    • (2022) SMODIC: A Model Checker for Self-modifying Code. Proceedings of the 17th International Conference on Availability, Reliability and Security, 1-6. DOI 10.1145/3538969.3538978. Online publication date: 23 Aug 2022
