Polymorphic Worm Detection Using Structural Information of Executables

Kruegel, Christopher; Kirda, Engin; Mutz, D.; Robertson, William; Vigna, Giovanni

doi:10.1007/11663812_11

Cited by 248 publications

(270 citation statements)

References 8 publications

Supporting

Mentioning

268

Contrasting

Order By: Relevance

“…Initial approaches focused on the identification of the sled component that often precedes the shellcode [2,29]. Recent works aim to detect the polymorphic shellcode itself using various approaches, such as the identification of structural similarities among different worm instances [15], control and data flow analysis [8,32], or neural networks [21].…”

Section: Related Workmentioning

confidence: 99%

Emulation-Based Detection of Non-self-contained Polymorphic Shellcode

Polychronakis

Anagnostakis

Markatos

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Network-level emulation has recently been proposed as a method for the accurate detection of previously unknown polymorphic code injection attacks. In this paper, we extend network-level emulation along two lines. First, we present an improved execution behavior heuristic that enables the detection of a certain class of non-self-contained polymorphic shellcodes that are currently missed by existing emulation-based approaches. Second, we present two generic algorithmic optimizations that improve the runtime performance of the detector. We have implemented a prototype of the proposed technique and evaluated it using off-the-shelf non-self-contained polymorphic shellcode engines and benign data. The detector achieves a modest processing throughput, which however is enough for decent runtime performance on actual deployments, while it has not produced any false positives. Finally, we report attack activity statistics from a seven-month deployment of our prototype in a production network, which demonstrate the effectiveness and practicality of our approach.

show abstract

Section: Related Workmentioning

confidence: 99%

Emulation-Based Detection of Non-self-contained Polymorphic Shellcode

Polychronakis

Anagnostakis

Markatos

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…These were identifiable at the time when its static code model was checked against its execution. Kruegel et al [33] suggested the usage of comparison of binary code and structural analysis. It was based on the control flow.…”

Section: Existing Workmentioning

confidence: 99%

“…Authors in [38] detected variants of a malware using semantic approach which is based on the system call made by the malwares while execution. Authors used Hidden Markov Models (HMMs) to determine the statistical properties of malware variants in [39]. Lee et al [40] discovered that using some obfuscation techniques, the detection of malwares using HMM can be overcome.…”

Section: Existing Workmentioning

confidence: 99%

Detecting and Classifying Morphed Malwares: A Survey

Singla¹,

Gandotra²,

Bansal³

et al. 2015

IJCA

View full text Add to dashboard Cite

In this era, most of the antivirus companies are facing immense difficulty in detecting morphed malwares as they conceal themselves from detection. Malwares use various techniques to camouflage themselves so as to increase their lifetime. These obscure methods cannot completely impede analysis, but it prolongs the process of analysis and detection. This paper presents a review on malware detection systems and the progress made in detecting advanced malwares which will serve as a reference to researchers interested in working on advance malware detection systems.

show abstract

“…The majority of the binary code in such polymorphic malware exists as an encrypted or packed payload, which is unencrypted or unpacked at runtime and executed. Signature-based protection systems typically detect polymorphic malware by identifying distinguishing features in the small unencrypted code stub that decrypts the payload (e.g., [9]). More recently, metamorphic malware has appeared, which randomly applies binary transformations to its code segment during propagation in order to obfuscate features in the unencrypted portion.…”

Section: Related Workmentioning

confidence: 99%

“…An example is the MetaPHOR system (c.f., [10]), which has become the basis for many other metamorphic malware propagation systems. Reversing these obfuscations to obtain reliable feature sets for signature-based detection is the subject of much current research [9,11,12], but case studies have shown that current antivirus detection schemes remain vulnerable to simple obfuscation attacks until the detector's signature database is updated to respond to the threat [13].…”

Section: Related Workmentioning

confidence: 99%

Exploiting an antivirus interface

Hamlen

Mohan

Masud

et al. 2009

Computer Standards & Interfaces

View full text Add to dashboard Cite

We propose a technique for defeating signature-based malware detectors by exploiting information disclosed by antivirus interfaces. This information is leveraged to reverse engineer relevant details of the detector's underlying signature database, revealing binary obfuscations that suffice to conceal malware from the detector. Experiments with real malware and antivirus interfaces on Windows operating systems justifies the effectiveness of our approach.

show abstract

Polymorphic Worm Detection Using Structural Information of Executables

Cited by 248 publications

References 8 publications

Emulation-Based Detection of Non-self-contained Polymorphic Shellcode

Emulation-Based Detection of Non-self-contained Polymorphic Shellcode

Detecting and Classifying Morphed Malwares: A Survey

Exploiting an antivirus interface

Contact Info

Product

Resources

About