Summary
Most current systems to detect malicious code rely on syntactic signatures. More precisely, these systems use a set of byte strings that characterize known malware instances. Unfortunately, this approach is not able to identify previously unknown malicious code for which no signature exists. The problem gets exacerbated when the malware is polymorphic or metamorphic. In this case, different instances of the same malicious code have a different syntactic representation.
In this chapter, we introduce techniques to characterize behavioral and structural properties of binary code. These techniques can be used to generate more abstract, semantically-rich descriptions of malware, and to characterize classes of malicious code instead of specific instances. This makes the specification more robust against modifications of the syntactic layout of the code. Also, in some cases, it allows the detection of novel malware instances.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
L. B. annd E. Luks. Canonical Labeling of Graphs. In 15th ACM Symposium on Theory of Computing, 1983.
R. Jenkins. Hash Functions and Block Ciphers. http://burtleburtle.net/bob/hash/.
G. Kim and E. Spafford. The Design and Implementation of Tripwire: A File System Integrity Checker. Technical report, Purdue University, Nov. 1993.
C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Automating Mimicry Attacks Using Static Binary Analysis. In 14th Usenix Security Symposium, 2005.
C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Polymorphic Worm Detection Using Structural Information of Executables. In 8th International Symposium on Recent Advances in Intrusion Detection (RAID), 2005.
C. Linn and S. Debray. Obfuscation of Executable Code to Improve Resistance to Static Disassembly. In ACM Conference on Computer and Communications Security (CCS), 2003.
S. Macaulay. ADMmutate: Polymorphic Shellcode Engine. http://www.ktwo.ca/security.html.
B. McKay. Nauty: No AUTomorphisms, Yes? http://cs.anu.edu.au/∼bdm/nauty/.
B. McKay. Practical graph isomorphism. Congressus Numerantium, 30, 1981.
T. Miller. Torn rootkit analysis. http://www.ossec.net/rootkits/studies/torn.txt.
T. Miller. Analysis of the KNARK Rootkit. http://www.ossec.net/rootkits/ studies/knark.txt, 2004.
M. Rabin. Fingerprinting by Random Polynomials. Technical report, Center for Research in Computing Techonology, Harvard University, 1981.
D. Safford. The Need for TCPA. IBM White Paper, October 2002.
S. Singh, C. Estan, G. Varghese, and S. Savage. Automated Worm Fingerprinting. In 6th Symposium on Operating System Design and Implementation (OSDI), 2004.
S. Skiena. Implementing Discrete Mathematics: Combinatorics and Graph Theory, chapter Graph Isomorphism. Addison-Wesley, 1990.
Sophos. War of the Worms: Top 10 list of worst virus outbreaks in 2004. http://www.sophos.com/pressoffice/pressrel/uk/20041208yeartopten.html.
Stealth. adore. http://spider.scorpions.net/-stealth, 2001.
Stealth. Kernel Rootkit Experiences and the Future. Phrack Magazine, 11(61), August 2003.
Stealth. adore-ng. http://stealth.7350.org/rootkits/, 2004.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2007 Springer Science+Business Media, LLC.
About this paper
Cite this paper
Kruegel, C. (2007). Behavioral and Structural Properties of Malicious Code. In: Christodorescu, M., Jha, S., Maughan, D., Song, D., Wang, C. (eds) Malware Detection. Advances in Information Security, vol 27. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-44599-1_4
Download citation
DOI: https://doi.org/10.1007/978-0-387-44599-1_4
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-32720-4
Online ISBN: 978-0-387-44599-1
eBook Packages: Computer ScienceComputer Science (R0)