Skip to main content

Detection of Polymorphic Viruses in Windows Executables

  • Conference paper

Part of the Communications in Computer and Information Science book series (CCIS,volume 95)

Abstract

Polymorphic viruses are viruses which unpack themselves at runtime and infect files with a new mutated virus body. Most of the current solutions present blacklist a set of packer. Research has shown many polymorphic viruses to go undetected. This work aims at the problem of detection of such viruses using emulation technique. The main target is to improve the detection rate and reduce false positives. Bochs is a powerful x86-64 emulator and the system has been implemented on Bochs and could successfully detect self-modifying code in test viruses.

Keywords

  • Malicious Behavior
  • Host Machine
  • Virus Code
  • Dynamic Instrumentation
  • Mutation Engine

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-642-14825-5_11
  • Chapter length: 11 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   99.00
Price excludes VAT (USA)
  • ISBN: 978-3-642-14825-5
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Christodorescu, M., Jha, S., Seshia, S.A., Song, D., Bryant, R.E.: Semantics-aware malware detection. In: IEEE Symposium on Security and Privacy (May 2005)

    Google Scholar 

  2. Szor, P.: The Art of Computer Virus Research and Defense. Addison Wesley Professional, Reading (2005)

    Google Scholar 

  3. Quist, D., Valsmith.: Covert Debugging: Circumventing Software Armoring Techniques. Black Hat Briefings USA (August 2007)

    Google Scholar 

  4. Kang, M.G., Poosankam, P., Yin, H.: Renovo: A hidden code extractor for packed executables. In: Proceedings of the 5th ACM Workshop on Recurring Malcode, WORM (October 2007)

    Google Scholar 

  5. Martignoni, L., Christodorescu, M., Jha, S.: OmniUnpack: Fast, Generic, and Safe Unpacking of Malware. In: 23rd Annual Computer Security Applications Conference, ACSAC (2007)

    Google Scholar 

  6. Royal, P., Halpin, M., Dagon, D., Edmonds, R., Lee, W.: PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware. In: 22nd Annual Computer Security Applications Conference, ACSAC (2006)

    Google Scholar 

  7. Konstantinou, E.: Metamorphic Virus: Analysis and Detection Technical Report. RHUL-MA-2008-02, Royal Holloway, University of London (2008)

    Google Scholar 

  8. Understanding and Managing Polymorphic Viruses. The Symantec Enterprise Papers (1996)

    Google Scholar 

  9. Szor, P., Ferrie, P.: Hunting for Metamorphic. In: Virus Bulletin Conference (2003)

    Google Scholar 

  10. Tropeano, G.: Self-Modifying Code. Code Breakers Journal (2006)

    Google Scholar 

  11. Ludwig, M.: The Giant Black Book of Viruses. American Eagle Publications, Inc. (1995)

    Google Scholar 

  12. Virus-Antivirus Co-evolution. Symantec Research Labs (2001)

    Google Scholar 

  13. IA-32 Intel Architecture Software Developer’s Manual. Intel Corporation (March 2006)

    Google Scholar 

  14. Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. In: Proceedings of the Usenix Security (2003)

    Google Scholar 

  15. Bayer, U., Kruegel, C., Kirda, E.: TTAnalyze: A Tool for Analyzing Malware. In: 15th Annual Conference of the European Institute for Computer Antivirus Research, EICAR (2006)

    Google Scholar 

  16. VX virus source codes, http://vx.netlux.org/src.php

  17. Anubis, http://analysis.seclab.tuwien.ac.at

  18. Norman SandBox Information Center, http://www.norman.com

  19. Online Virus Scanner Suite, http://virustotal.com

  20. WinImage, http://www.winimage.com/winimage.htm

  21. Bochs emulator, http://bochs.sourceforge.net

  22. Simics, http://www.simics.net

  23. QEMU, http://www.qemu.org

  24. JPC, http://www-jpc.physics.ox.ac.uk/home_home.html

  25. Yoda’s Crypter, http://yodap.sourceforge.net/

  26. Armadillo, http://www.siliconrealms.com/

  27. Obsidium, http://www.obsidium.de

  28. PECompact2, http://www.bitsum.com/

  29. UPX, http://upx.sourceforge.net/

  30. Molebox Pro, http://www.molebox.com/

  31. Themida, http://www.oreans.com/

  32. TEMU: The BitBlaze Dynamic Analysis Component, http://bitblaze.cs.berkeley.edu/temu.html

Download references

Author information

Authors and Affiliations

Authors

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kasina, A., Suthar, A., Kumar, R. (2010). Detection of Polymorphic Viruses in Windows Executables. In: , et al. Contemporary Computing. IC3 2010. Communications in Computer and Information Science, vol 95. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14825-5_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-14825-5_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-14824-8

  • Online ISBN: 978-3-642-14825-5

  • eBook Packages: Computer ScienceComputer Science (R0)