Abstract
This paper presents a decomposition of virus and worm programs based on their core functional components. The decomposition yields a catalogue of six functions performed by such malicious programs and a classification of the various ways these functions are implemented. The catalogue and classification provide a foundation to improve current reactive technologies for virus detection and to develop new proactive technologies for the same. Current state-of-the-art, reactive technologies identify malicious programs by matching signatures (sequences of bits) collected from previously infected documents. The catalogue presented may be used to train engineers in what to “look for” when studying infected documents to extract signatures, to concisely document how various viruses work, and to exchange this information with other engineers, thus speeding up signature discovery. The catalogue may also be used to develop automatic recognizers using program pattern recognition techniques. When generalized, these recognizers can identify new, though related, viruses without any new signature.
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Murthy, J.K. (2003). A Functional Decomposition of Virus and Worm Programs. In: Qing, S., Gollmann, D., Zhou, J. (eds) Information and Communications Security. ICICS 2003. Lecture Notes in Computer Science, vol 2836. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-39927-8_37
DOI: https://doi.org/10.1007/978-3-540-39927-8_37
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-20150-2
Online ISBN: 978-3-540-39927-8
eBook Packages: Springer Book Archive