Anti-disassembly using Cryptographic Hash Functions

Original Paper, Journal in Computer Virology

Abstract

Computer viruses sometimes employ coding techniques intended to make analysis difficult for anti-virus researchers; techniques to obscure code to impair static code analysis are called anti-disassembly techniques. We present a new method of anti-disassembly based on cryptographic hash functions which is portable, hard to analyze, and can be used to target particular computers or users. Furthermore, the obscured code is not available in any analyzable form, even an encrypted form, until it successfully runs. The method’s viability has been empirically confirmed. We look at possible countermeasures for the basic anti-disassembly scheme, as well as variants scaled to use massive computational power.



Correspondence to John Aycock.

Cite this article

Aycock, J., deGraaf, R. & Jacobson, M. Anti-disassembly using Cryptographic Hash Functions. J Comput Virol 2, 79–85 (2006). https://doi.org/10.1007/s11416-006-0011-3
