Journal in Computer Virology

, Volume 2, Issue 1, pp 79–85 | Cite as

Anti-disassembly using Cryptographic Hash Functions

  • John AycockEmail author
  • Rennie deGraaf
  • Michael JacobsonJr
Original Paper


Computer viruses sometimes employ coding techniques intended to make analysis difficult for anti-virus researchers; techniques to obscure code to impair static code analysis are called anti-disassembly techniques. We present a new method of anti-disassembly based on cryptographic hash functions which is portable, hard to analyze, and can be used to target particular computers or users. Furthermore, the obscured code is not available in any analyzable form, even an encrypted form, until it successfully runs. The method’s viability has been empirically confirmed. We look at possible countermeasures for the basic anti-disassembly scheme, as well as variants scaled to use massive computational power.


Code armoring Reverse-engineering Virus Disassembly Hash function 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aho A.V., Corasick M.J. (1975). Efficient string matching: an aid to bibliographic search. Commun ACM 18(6):333–340CrossRefzbMATHMathSciNetGoogle Scholar
  2. 2.
    Aycock J. (2003). A brief history of just-in-time. ACM Comput Surv 35(2):97–113CrossRefGoogle Scholar
  3. 3.
    Cooke, E., Jahanian, F., McPherson, D.: The zombie roundup: understanding, detecting, and disrupting botnets. In: USENIX SRUTI Workshop, 2005Google Scholar
  4. 4.
    Secure, F.: F-Secure virus descriptions: Hybris, 2001. Scholar
  5. 5.
    Filiol, E.: Strong cryptography armoured computer viruses forbidding code analysis: The Bradley virus. In: Proceedings of the 14th Annual EICAR Conference, pp. 216–227 (2005)Google Scholar
  6. 6.
    Electronic Frontier Foundation. Cracking DES: secrets of encryption research, wiretap politics, and chip design. O’Reilly, 1998Google Scholar
  7. 7.
    Joshi, R., Nelson, G., Randall, K.: Denali: a goal-directed superoptimizer. In: Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation, pp. 304–314, 2002Google Scholar
  8. 8.
    Krakowicz. Krakowicz’s kracking korner: The basics of kracking II, c. 1983. Scholar
  9. 9.
    Lo R.W., Levitt K.N., Olsson R.A. (1995). MCF: a malicious code filter. Comput Security 14:541–566CrossRefGoogle Scholar
  10. 10.
    Massalin, H.: Superoptimizer: a look at the smallest program. In: Proceedings of the Second International Conference on Architectual Support for Programming Languages and Operating Systems, pp. 122–126, 1987Google Scholar
  11. 11.
    Riordan, J., Schneier, B.: Environmental key generation towards clueless agents. In: Mobile Agents and Security (LNCS 1419), pp. 15–24, 1998Google Scholar
  12. 12.
    Rivest, R.: The MD5 message-digest algorithm. RFC 1321, 1992Google Scholar
  13. 13.
    Schneier B. (1996). Applied cryptography, 2nd edn. Wiley, New YorkGoogle Scholar
  14. 14.
    Szor P. (2005). The art of computer virus research and defense. Addison-Wesley, ReadingGoogle Scholar
  15. 15.
    Wang, X., Feng, D., Lai, X., Yu, H.: Collisions for hash functions MD4, MD5, HAVAL-128 and RIPEMD. Cryptology ePrint Archive, Report 2004/199, 2004. Scholar
  16. 16.
    Young, A., Yung, M.: Cryptovirology: extortion-based security threats and countermeasures. In: IEEE Symposium on Security and Privacy, pp. 129–141, 1996Google Scholar

Copyright information

© Springer-Verlag 2006

Authors and Affiliations

  • John Aycock
    • 1
    Email author
  • Rennie deGraaf
    • 1
  • Michael JacobsonJr
    • 1
  1. 1.Department of Computer ScienceUniversity of CalgaryCalgaryCanada

Personalised recommendations