
Journal in Computer Virology, Volume 2, Issue 3, pp 149–161

Detection of metamorphic computer viruses using algebraic specification

  • Matt Webster
  • Grant Malcolm
Invited Paper

Abstract

This paper describes a new approach to the detection of metamorphic computer viruses through the algebraic specification of an assembly language. Metamorphic computer viruses are computer viruses that apply a variety of syntax-mutating, behaviour-preserving metamorphoses to their code in order to defend themselves against static-analysis-based detection methods. An overview of these metamorphoses is given. Then, in order to identify behaviourally equivalent instruction sequences, the syntax and semantics of a subset of the IA-32 assembly language instruction set are specified formally using OBJ, an algebraic specification formalism and theorem prover based on order-sorted equational logic. The concepts of equivalence and semi-equivalence are defined formally, and a means of proving equivalence from semi-equivalence is given. The OBJ specification is shown to be useful for proving the equivalence or semi-equivalence of IA-32 instruction sequences by applying reductions, i.e. sequences of equational rewrites in OBJ. These proof methods are then applied to fragments of two different metamorphic computer viruses, Win95/Bistro and Win9x.Zmorph.A, in order to prove their (semi-)equivalence. Finally, the application of these methods to the detection of metamorphic computer viruses in general is discussed.
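As an added illustration of the idea in the abstract (this is not code from the paper, which works by equational rewriting in OBJ), the following Python models a small IA-32 subset as a state transformer over registers, flags and stack memory, and checks whether two instruction sequences are equivalent (whole final state agrees) or semi-equivalent (only a chosen projection of the state agrees). The instruction subset, the `State` layout, the projections `regs_only`/`regs_and_flags`, and the sample rewrites `ZERO_XOR`, `ZERO_MOV`, `COPY_STACK`, `COPY_MOV` and `CONT` are assumptions constructed for the example and are not taken from the Bistro or Zmorph samples; running both sequences on sampled initial states is a test of (semi-)equivalence, not the proof the paper obtains by rewriting.

```python
"""Added example: store-based semantics for a tiny IA-32 subset, with
equivalence / semi-equivalence checks over sampled initial states.
Constructed for illustration; the instruction subset, state layout and
sample rewrites are assumptions, not the paper's OBJ specification."""
import random
from typing import Callable, Dict, List, Tuple

MASK = 0xFFFFFFFF
REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi", "esp")
Instr = Tuple  # ("mov", "eax", "ebx"), ("push", 7), ("nop",) ...
State = Dict[str, dict]  # {"regs": ..., "flags": ..., "mem": ...}


def fresh_state(seed: int) -> State:
    """Constructed initial state: random registers, zero flags, empty stack memory."""
    rnd = random.Random(seed)
    regs = {r: rnd.getrandbits(32) for r in REGS}
    regs["esp"] = 0x0012FF00  # fixed, aligned stack pointer (assumption)
    return {"regs": regs, "flags": {"zf": 0, "sf": 0, "cf": 0}, "mem": {}}


def _val(st: State, opnd) -> int:
    """Operand value: a register name or a 32-bit immediate."""
    return st["regs"][opnd] if isinstance(opnd, str) else opnd & MASK


def step(st: State, ins: Instr) -> None:
    """Semantics of one instruction as an in-place state update."""
    op, args = ins[0], ins[1:]
    regs, mem = st["regs"], st["mem"]
    if op == "nop":
        return
    if op == "mov":  # mov reg, reg/imm; flags untouched
        regs[args[0]] = _val(st, args[1])
    elif op in ("add", "sub", "xor"):  # ALU ops set zf/sf/cf
        a, b = regs[args[0]], _val(st, args[1])
        full = {"add": a + b, "sub": a - b, "xor": a ^ b}[op]
        res = full & MASK
        carry = 0 if op == "xor" else int(full < 0 or full > MASK)
        regs[args[0]] = res
        st["flags"] = {"zf": int(res == 0), "sf": res >> 31, "cf": carry}
    elif op == "push":  # writes the slot below esp; flags untouched
        regs["esp"] = (regs["esp"] - 4) & MASK
        mem[regs["esp"]] = _val(st, args[0])
    elif op == "pop":  # unwritten stack memory reads as 0 in this model
        regs[args[0]] = mem.get(regs["esp"], 0)
        regs["esp"] = (regs["esp"] + 4) & MASK
    else:
        raise ValueError(f"unsupported instruction: {op}")


def run(seq: List[Instr], st: State) -> State:
    """Run seq on a copy of st and return the final state."""
    st = {k: dict(v) for k, v in st.items()}
    for ins in seq:
        step(st, ins)
    return st


# Projections: the part of the final state that must agree.
def full(st: State):
    return (st["regs"], st["flags"], st["mem"])


def regs_only(st: State):
    return st["regs"]


def regs_and_flags(st: State):
    return (st["regs"], st["flags"])


def semi_equivalent(p: List[Instr], q: List[Instr],
                    proj: Callable = regs_only, trials: int = 64) -> bool:
    """p and q agree under proj on every sampled initial state (a test, not a proof)."""
    return all(proj(run(p, fresh_state(i))) == proj(run(q, fresh_state(i)))
               for i in range(trials))


def equivalent(p: List[Instr], q: List[Instr], trials: int = 64) -> bool:
    """Equivalence: the whole state (registers, flags, memory) agrees."""
    return semi_equivalent(p, q, full, trials)


# Constructed rewrites of the kind a metamorphic engine emits (not taken from
# the Bistro or Zmorph samples).
ZERO_XOR = [("xor", "eax", "eax")]
ZERO_MOV = [("mov", "eax", 0)]
COPY_STACK = [("push", "eax"), ("pop", "ebx")]
COPY_MOV = [("mov", "ebx", "eax")]
CONT = [("add", "ebx", 1)]  # a continuation that overwrites the flags

if __name__ == "__main__":
    print("xor/mov, registers:       ", semi_equivalent(ZERO_XOR, ZERO_MOV))
    print("xor/mov, registers+flags: ", semi_equivalent(ZERO_XOR, ZERO_MOV, regs_and_flags))
    print("xor/mov + continuation:   ", equivalent(ZERO_XOR + CONT, ZERO_MOV + CONT))
    print("push-pop/mov, regs+flags: ", semi_equivalent(COPY_STACK, COPY_MOV, regs_and_flags))
    print("push-pop/mov, full state: ", equivalent(COPY_STACK, COPY_MOV))
```

The two rewrites fail full equivalence for different reasons: `xor eax, eax` and `mov eax, 0` differ only in the flags, so appending a continuation that overwrites the flags (`CONT`) makes the two extended sequences fully equivalent, which is the shape of an argument from semi-equivalence to equivalence; `push eax; pop ebx` and `mov ebx, eax` agree on registers and flags but leave a different stack slot below `esp`, a side effect that no later flag-setting instruction erases and that a detector comparing registers alone would miss.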

Keywords

Instruction sequence, code fragment, computer virus, algebraic specification, proof script (machine-generated keywords, not supplied by the authors)


References

  1. Filiol, E.: Computer Viruses: from Theory to Applications, chapter 5, pp. 151–163. Springer (2005). ISBN 2287239391
  2. Filiol, E., Helenius, M., Zanero, S.: Open problems in computer virology. J. Comput. Virol. 1, 55–66 (2006)
  3. Goguen, J. A., Malcolm, G.: Algebraic Semantics of Imperative Programs. MIT Press (1996). ISBN 026207172X
  4. Goguen, J. A., Walker, T., Meseguer, J., Futatsugi, K., Jouannaud, J.-P.: Introducing OBJ. In: Goguen, J. A., Malcolm, G. (eds.) Software Engineering with OBJ: Algebraic Specification in Action. Kluwer Academic Publishers (2000). ISBN 0792377575
  5. Intel Corporation: IA-32 Intel Architecture Software Developer's Manual, March 2006. http://www.intel.com/design/pentium4/manuals/index_new.htm. Accessed 21 June 2006
  6. Kaspersky Lab: Win95.Zmorph. http://www.avp.ch/avpve/newexe/win95/zmorhp.stm. Accessed 22 June 2006
  7. Lakhotia, A., Mohammed, M.: Imposing order on program statements to assist anti-virus scanners. In: Proceedings of the Eleventh Working Conference on Reverse Engineering. IEEE Computer Society Press (2004)
  8. Meseguer, J., Roşu, G.: The rewriting logic semantics project. In: Proceedings of Structural Operational Semantics 2005, Electronic Notes in Theoretical Computer Science. Elsevier (2005). To appear. http://fm.cs.uiuc.edu/~grosu/download/sos05.pdf
  9. Mohammed, M.: Zeroing in on metamorphic computer viruses. Master's thesis, University of Louisiana at Lafayette (2003)
  10. Ször, P., Ferrie, P.: Hunting for metamorphic. In: Virus Bulletin Conference Proceedings (2001)
  11. Webster, M.: Algebraic specification of computer viruses and their environments. In: Mosses, P., Power, J., Seisenberger, M. (eds.) Selected Papers from the First Conference on Algebra and Coalgebra in Computer Science Young Researchers Workshop (CALCO-jnr 2005). University of Wales Swansea Computer Science Report Series CSR 18-2005, pp. 99–113 (2005). http://www.csc.liv.ac.uk/~matt/
  12. Yoo, I. S., Ultes-Nitsche, U.: Non-signature based virus detection: Towards establishing a unknown virus detection technique using SOM. J. Comput. Virol. 2(3) (2006)

Copyright information

© Springer-Verlag France 2006

Authors and Affiliations

  1. Department of Computer Science, University of Liverpool, Liverpool, UK
