VX Heaven

Library: Anti-virus technology

Tony Abou-Assaleh, Nick Cercone, Vlado Keselj, Ray Sweidan
«Detection of New Malicious Code Using N-grams Signatures» [TeX] 31.53Kb 15141 hits
Proceedings of Second Annual Conference on Privacy, Security and Trust, October 13-15, 2004 (2004)
Signature-based malicious code detection is the standard technique in all commercial anti-virus software. This method can detect a virus only after the virus has appeared and caused damage. Signature-based detection performs poorly when attempting to identify new viruses. Motivated by the standard signature-based technique for detecting viruses, and a recent successful text classification method, n-grams analysis, we explore the idea of automatically detecting new malicious code. We employ n-grams analysis to automatically generate signatures from malicious and benign software collections. The n-grams-based signatures are capable of classifying unseen benign and malicious code. The datasets used are large compared to earlier applications of n-grams analysis.
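A worked illustration of the n-gram signature approach this abstract describes, added here as an example and not taken from the paper: a profile of the L most frequent byte n-grams is built for a benign collection and for a malicious collection, and an unseen file is assigned to whichever profile is nearer under the normalised profile distance used in CNG-style classification. The training and test "files" are constructed byte strings standing in for real executables; n = 3 and L = 40 are assumed parameters.

```python
"""Byte n-gram profiles for classifying unseen files as benign or malicious.

Added example (not the authors' code). Sample "files" are constructed byte
strings; the parameters n=3 and L=40 are assumptions for the demonstration.
"""
from collections import Counter


def ngram_counts(data: bytes, n: int) -> Counter:
    """Count every overlapping n-byte substring of data."""
    return Counter(data[i:i + n] for i in range(len(data) - n + 1))


def profile(samples, n=3, L=40):
    """Relative frequencies of the L most common n-grams over all samples of one class."""
    counts = Counter()
    for s in samples:
        counts.update(ngram_counts(s, n))
    total = sum(counts.values())
    return {g: c / total for g, c in counts.most_common(L)}


def distance(p1, p2):
    """Normalised profile distance: sum over n-grams of ((2 (f1 - f2)) / (f1 + f2))^2.

    An n-gram present in only one profile contributes 4, the maximum per term,
    so profiles sharing few frequent n-grams end up far apart.
    """
    d = 0.0
    for g in set(p1) | set(p2):
        f1, f2 = p1.get(g, 0.0), p2.get(g, 0.0)
        d += (2 * (f1 - f2) / (f1 + f2)) ** 2
    return d


class NGramClassifier:
    """Nearest-profile classifier: one profile per class, label of the closest wins."""

    def __init__(self, benign, malicious, n=3, L=40):
        self.n, self.L = n, L
        self.profiles = {
            "benign": profile(benign, n, L),
            "malicious": profile(malicious, n, L),
        }

    def classify(self, data: bytes) -> str:
        p = profile([data], self.n, self.L)
        return min(self.profiles, key=lambda label: distance(p, self.profiles[label]))


# Constructed training data. "Benign" files are text-like; "malicious" files repeat
# the call $+5 / pop / sub delta-offset idiom (E8 00 00 00 00 5D 81 ED ...) typical
# of position-independent virus bodies. These are not real samples.
BENIGN = [
    b"The quick brown fox jumps over the lazy dog. " * 4,
    b"Hello, world! This program prints a greeting and exits. " * 3,
    b"Usage: copy SOURCE DEST; copies the file and reports errors. " * 3,
]
MALICIOUS = [
    b"\xe8\x00\x00\x00\x00\x5d\x81\xed\x05\x10\x40\x00" * 5
    + b"\x8d\xb5\x00\x00\x00\x00\xb9\x40\x00\x00\x00\x80\x36\x99\x46\xe2\xfa",
    b"\x60\xe8\x00\x00\x00\x00\x5d\x81\xed\x13\x10\x40\x00" * 4
    + b"\x8b\x85\x00\x00\x00\x00\x50\xff\x95\x00\x00\x00\x00",
    b"\x55\x8b\xec\xe8\x00\x00\x00\x00\x58\x2d\x08\x10\x40\x00" * 4
    + b"\x89\x45\xfc\xb9\x00\x01\x00\x00\x30\x04\x08\x40\xe2\xfa\xc9\xc3",
]

# Constructed unseen inputs: a new "variant" sharing the idiom, and new benign text.
MAL_UNSEEN = (b"\x90\x90\xe8\x00\x00\x00\x00\x5d\x81\xed\x2a\x10\x40\x00" * 3
              + b"\xb9\x80\x00\x00\x00\x80\xb4\x2e\x10\x40\x00\x99\xe2\xf7\xc3")
BENIGN_UNSEEN = b"A lazy dog sleeps under the brown tree while the fox jumps. " * 2

CLF = NGramClassifier(BENIGN, MALICIOUS)

if __name__ == "__main__":
    for name, sample in (("MAL_UNSEEN", MAL_UNSEEN), ("BENIGN_UNSEEN", BENIGN_UNSEEN)):
        print(name, "->", CLF.classify(sample))
```

The decision is driven by which class profile shares frequent n-grams with the unseen file: the variant reuses the delta-offset idiom and so overlaps the malicious profile, while the new text overlaps the benign one. On real collections the profiles should be built from many files per class, and L should be large enough that the benign profile covers common compiler and linker boilerplate, otherwise every unfamiliar packer looks malicious.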
Mori Akira, Sawada Toshimi, Izumida Tomonori, Inoue Tadashi
«Detecting Unknown Computer Viruses - A New Approach» 42.59Kb 18155 hits
Journal of the National Institute of Information and Communications Technology Vol.52 Nos.1/2 2005, pp.75-88 (2005)
We give an overview of a tool that detects computer viruses without relying on "pattern files" that contain "signatures" of previously captured viruses. The system combines static code analysis with code simulation to identify malicious behaviors commonly found in computer viruses, such as mass mailing, file infection, and registry overwrite. These prohibited behaviors are defined separately as security policies at the level of API library function calls in a state-transition-like language. The current tool targets Win32 binary viruses on Intel IA-32 architectures, and experiments show that it can detect most email viruses that have spread in the wild in recent years.
William Arnold, Gerald Tesauro
«Automatically generated Win32 heuristic virus detection» 31.08Kb 17298 hits
Virus Bulletin conference (2000)
Heuristic classifiers which distinguish between uninfected and infected members of some class of program objects have usually been constructed by hand. We automatically construct multiple neural network classifiers which can detect unknown Win32 viruses, following a technique described in previous work (Kephart et al, 1995) on boot virus heuristics. These individual classifiers have a false positive rate too high for real-world deployment. We find that, by combining the individual classifier outputs using a voting procedure, the risk of false positives is reduced to an arbitrarily low level, with only a slight increase in the false negative rate. Regular retraining of the heuristics on updated sets of exemplars (both infected and uninfected) is practical if the false positive rate is low enough.
Piotr Bania
«Fighting EPO Viruses» [SRC] 25.37Kb 12603 hits
SecurityFocus (2005)
This short article describes the so-called Entry-Point Obscuring (EPO) virus coding technique, primarily through a direct analysis of the Win32.CTX.Phage virus. The reader should know the basics of IA-32 assembly and the main elements of the Portable Executable (PE) file structure to fully understand this article. The author also advises the reader to review the Win32.CTX.Phage description written by Peter Szor and Wason Han, since this article does not cover all the features of the virus.
Danilo Bruschi, Lorenzo Martignoni, Mattia Monga
«Using Code Normalization for Fighting Self-Mutating Malware» [TeX] [SRC] 43.98Kb 12789 hits
Technical Report 08-06, Dipartimento di Informatica e Comunicazione - Universita degli Studi di Milano, 2006. (2006)
Self-mutating malware was introduced by computer virus writers who, in the '90s, started to write polymorphic and metamorphic viruses in order to defeat anti-virus products. In this paper we present a novel approach for dealing with self-mutating code which could represent the basis for a new detection strategy for this type of malware. A prototype tool has been implemented in order to validate the idea; the results are quite encouraging and indicate that it could represent a new strategy for detecting this kind of malware.
David Chess
«Virus Verification and Removal Tools and Techniques» 23.51Kb 10922 hits
High Integrity Computing Laboratory (1991)
This is an updated version of a paper that originally appeared in the November 1991 issue of Virus Bulletin. Since this sort of technology is continually evolving, it seemed reasonable to make an update available on the net; in particular, the virus-removal language has been considerably enhanced since the paper was originally written.
Fred Cohen
«A Cryptographic Checksum for Integrity Protection» 22.24Kb 14832 hits
Computers and Security Volume 6, Issue 6, pp.505-510 (1987)
This paper describes a cryptographic checksum technique for verifying the integrity of information in computer systems with no built-in protection. The technique is based on the use of repeated encryption using an RSA cryptosystem as a pseudo-random number generator (PRNG), the use of a user specified key as a seed for the PRNG, and reduction in a pseudo-random modulus as a means for mixing user specified information with generated numbers.
«A Note On High Integrity PC Bootstrapping» 15.62Kb 12959 hits
This research was funded by ASP, PO Box 81270, Pittsburgh, PA 15217, USA (1999)
In this paper, we describe two techniques for assuring a high integrity startup in a PC based computing environment. We begin with background information on PC startup procedures and current integrity threats against normal PC startup. We then describe a sound technique for assuring a high integrity startup and the basis for its soundness. Next we show a second method which is not sound, but which works well against attacks not specifically directed against this defense.
«On the Implications of Computer Viruses and Methods of Defense» 61.04Kb 18547 hits
Invited Paper, IFIP-TC11, 'Computers and Security', V7#2 (1988)
In this paper, we describe much of the previous and present work on computer viruses. We begin with a short history and bibliographic summary. We then describe some of the major issues that arise in the study of computer viruses and their protection ramifications. We describe most of the lines of research presently under way and some of their features and failings. We introduce a method by which certain classes of systems may be used in such a manner as to provide limited protection from computer viruses, and by which general purpose experiments in new protection mechanisms may be explored. Finally, we point out some of the social issues implied by viruses and the ramifications of our present social policies on the integrity of information residing in information systems.
Peter Ferrie, Frédéric Perriot
«Detecting Complex Viruses» 11.5Kb 11786 hits
SecurityFocus (2004)
There are many metrics by which to measure the efficiency and effectiveness of an antivirus product and the response organization that is backing it. Some of the commonly used metrics today include the antivirus company's response time to new threats as well as the availability of proactive detection. But are these metrics enough? The purpose of this paper is to examine the difficulties of detecting complex viruses, including polymorphic, metamorphic and entry-point obscuring viruses. Whether or not an anti-virus technology can detect these viruses can be a useful metric to consider when evaluating AV products. In this article, we will show how complex viruses can offer an entirely different threat to organizations. It is important to step into the world of complex viruses by defining what a metamorphic, polymorphic, and entry-point obscuring virus is, understand when it is considered a real threat, and then see some real-life examples of complex viruses that have been discovered. This will lead into a discussion on the limitations of current anti-virus engine technology, and then finally, we will try to gauge the importance of detecting these complex viruses accurately, and in a timely fashion.
«A brief history of virii vs. antivirii war» 48.55Kb 9174 hits
*-zine (Asterix) [2] (1999)
Tie your seatbelts and prepare for a long adventure through virus history. I will list the basic principles of the war between viruses and antiviruses to show you how the story went on. Most probably I will not be able to keep it in chronological order, but I will try to use a logical order, to show the main technologies and counteractions on both sides. The story begins long, long ago (sounds like a fairy tale, doesn't it?) when the first viruses were written. It doesn't matter which one exactly it was; more important is that some of them appeared on users' computers. At that time this war began, and it is continuing and growing up to now.
Sarah Gordon
«What is Wild?» 52.32Kb 10020 hits
20th National Information Systems Security Conference (2000)
This paper considers the various definitions of "In the Wild", as well as how well the "In the Wild" criteria as defined by the individual testing organizations measure the ability of products to deliver adequate protection. Inherent problems with such approaches are discussed from both a development and user perspective. Some alternative testing, development and protection strategies are offered.
Dmitry Gryaznov
«Scanners of The Year 2000: Heuristics» 37.23Kb 12556 hits
Proceedings of the Fifth International Virus Bulletin Conference, pp.225-234 (1999)
Working at the virus lab of S&S International PLC, the author is also carrying out a research project on heuristic analysis. The article explains what heuristics are. Positive and negative heuristics are introduced. Some practical heuristics are presented. Different approaches to heuristic program analysis are discussed. The false alarm problem is pointed out and discussed. Several well-known scanners employing heuristics are compared (without naming the scanners) on both virus detection rate and false alarm rate.
Jeffrey Kephart, William Arnold
«Automatic Extraction of Computer Virus Signatures» [TeX] 53.1Kb 11241 hits
In Proceedings of the 4th Virus Bulletin International Conference, R. Ford, ed., Virus Bulletin Ltd., Abingdon, England, 1994, pp. 178-184 (1994)
One way that anti-virus programs identify the presence of a virus in an executable file, a boot record, or memory is by using short identifiers called signatures, which consist of sequences of bytes in the machine code of the virus. A good signature is one that is found in every object infected by the virus, but is unlikely to be found if the virus is not present; i.e. the likelihood of both false negatives and false positives must be minimized. Typically, a human expert chooses a signature for a new virus by means of a laborious, time-consuming procedure. Unfortunately, the accelerating influx of new computer viruses threatens to outpace the ability of human experts to analyze and find signatures for them. To help alleviate this burden, we have developed a statistical method for automatically extracting good signatures from the machine code of a virus. The basic idea is to characterize statistically a large corpus of programs (currently about half a gigabyte), and then to use this information to estimate false-positive probabilities for proposed virus signatures. In effect, the algorithm extrapolates from the corpus to the much larger universe of executable programs which do or might exist. In practice, signatures extracted by this method are very unlikely to generate false positives, even when the scanner that employs them permits some mismatches. This patent-pending technique has been used to either extract or evaluate the more than 2500 virus signatures used by IBM AntiVirus. It obviates the need for a small army of virus analysts, permitting IBM's signature database to be maintained by a single virus expert working half-time.
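An added example of the corpus-statistics idea in this abstract, not the IBM code it describes: every fixed-length window of the virus body is a candidate signature, each is scored by how likely it is to occur by chance according to a statistical model of clean programs, and the least likely window is chosen. The model here is a simplified second-order Markov (byte trigram) estimate with add-one smoothing; Kephart and Arnold's actual estimator differs in detail. The clean corpus and the virus body are constructed byte strings, and the one-gigabyte "universe" size is an assumption.

```python
"""Scoring candidate virus signatures by estimated false-positive probability.

Added example (not IBM's implementation). A simple trigram Markov model of a
constructed clean corpus estimates how often a byte string would appear by
chance; the candidate window with the lowest estimate becomes the signature.
"""
import math
from collections import Counter


class CorpusModel:
    """Byte bigram/trigram statistics of a corpus of clean programs."""

    def __init__(self, corpus_files):
        self.bigrams = Counter()
        self.trigrams = Counter()
        self.positions = 0  # number of bigram positions seen in the corpus
        for data in corpus_files:
            self.bigrams.update(data[i:i + 2] for i in range(len(data) - 1))
            self.trigrams.update(data[i:i + 3] for i in range(len(data) - 2))
            self.positions += max(len(data) - 1, 0)

    def log_prob(self, sig: bytes) -> float:
        """Natural-log estimate of P(sig occurs at a given offset of a clean program).

        P(sig) = P(b0 b1) * prod_i P(b_i | b_{i-2} b_{i-1}), add-one smoothed, so
        a byte following a common context but never seen there scores as rare.
        """
        lp = math.log((self.bigrams[sig[:2]] + 1) / (self.positions + 256 ** 2))
        for i in range(2, len(sig)):
            ctx = sig[i - 2:i]
            lp += math.log((self.trigrams[ctx + sig[i:i + 1]] + 1) / (self.bigrams[ctx] + 256))
        return lp

    def expected_false_positives(self, sig: bytes, universe_bytes: int) -> float:
        """Expected chance matches when scanning universe_bytes bytes of clean code."""
        return universe_bytes * math.exp(self.log_prob(sig))


def best_signature(model: CorpusModel, virus_body: bytes, length: int = 8) -> bytes:
    """Return the length-byte window of the virus body least likely to occur by chance."""
    windows = [virus_body[i:i + length] for i in range(len(virus_body) - length + 1)]
    return min(windows, key=model.log_prob)


# Constructed "clean" corpus: zero padding, a DOS stub string, a common
# call/pop/ret prologue, a section name. Not real files.
CLEAN_CORPUS = [
    b"\x00" * 64 + b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",
    b"This program cannot be run in DOS mode.\r\r\n$" + b"\x00" * 32,
    b"\x55\x8b\xec\xe8\x00\x00\x00\x00\x5d\xc3" * 6,
    b"\x00" * 40 + b".text\x00\x00\x00" + b"\x00" * 40,
]

# Constructed virus body: a zero run and the generic call $+5 / pop (both common in
# clean code, so poor signatures) followed by bytes specific to this body.
VIRUS_BODY = (b"\x00" * 8 + b"\xe8\x00\x00\x00\x00\x5d"
              + b"\x81\xed\x05\x10\x40\x00\x8d\xb5\x37\x13\x40\x00\xb9\x2c\x01\x00\x00")

MODEL = CorpusModel(CLEAN_CORPUS)
UNIVERSE_BYTES = 10 ** 9  # assumed size of the "universe" of clean code to extrapolate to

if __name__ == "__main__":
    sig = best_signature(MODEL, VIRUS_BODY)
    print("chosen signature:", sig.hex())
    for cand in (sig, b"\x00" * 8, b"\xe8\x00\x00\x00\x00\x5d\x81\xed"):
        print(cand.hex(), "expected FPs per GB:", MODEL.expected_false_positives(cand, UNIVERSE_BYTES))
```

The ranking, not the absolute numbers, is what matters: the all-zero window and the window built on the generic call/pop idiom both score as frequent in clean code, while windows drawn from the body-specific bytes score far lower. A production version would use larger n-grams, back off to lower orders when counts are sparse, and also reject candidates that fall inside relocated or variable data.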
Baudouin Le Charlier, Morton Swimmer, Abdelaziz Mounji
«Dynamic detection and classification of computer viruses using general behaviour patterns» 43.76Kb 15342 hits
The number of files that need processing by the virus labs is growing nearly exponentially. Even though only a small proportion of these files contain new viruses, each file requires examination. The normal method for dealing with these files in the virus labs is still brute-force manual analysis. A virus expert runs several tests on a given file and delivers a verdict on whether it is virulent or not. If it is a new virus, it will be necessary to detect it. Some tools have been developed to speed up this process. These range from programs that identify previously classified files to programs that generate detection data. Some antiviruses have built-in mechanisms based on heuristics that enable the antivirus to detect unknown viruses. Unfortunately all these tools have limitations. In this paper, we will demonstrate how an emulator is used to monitor system activity of a virtual PC, and how the expert system ASAX is used to analyse the stream of data the emulator produced. We use general rules to generically detect real viruses reliably, and specific rules to extract details of their behaviour. The resulting system is called VIDES and is a prototype for an automatic analysis system for computer viruses and possibly a prototype antivirus for the emerging 32-bit PC operating systems.
Alexei Lisitsa, Matt Webster
«Supercompilation for Equivalence Testing in Metamorphic Computer Viruses Detection» [TeX] 15.66Kb 11552 hits
A version of this paper has been presented at the Workshop on the Theory of Computer Viruses, 2008, Nancy, 15.05.2008 (2008)
In this paper we present a novel approach to detection of metamorphic computer viruses by proving program equivalence, based on the program transformation technique known as supercompilation [7]. Proving program equivalence is an undecidable problem in the general case; however, in specific cases we may find decidable or semi-decidable procedures that can prove that programs in a sub-class are equivalent. This is of relevance for detecting metamorphic computer viruses, which use a variety of semantics-preserving, syntax-mutating methods for code obfuscation. The main purpose of this obfuscation is to avoid detection by signature scanning. An important factor here is that semantics is preserved; therefore, if we can prove using some procedure that two different programs are equivalent, then in principle we can detect metamorphic computer viruses using this procedure.
Patrick Min
«Virus Detection Alternatives» 37.67Kb 11537 hits
An evaluation of different techniques for virus detection. The discussion is sufficiently general to be applicable to a substantial number of computing platforms. All mentioned practical issues concern the MS DOS operating system. Improvement of the operating system is presented as the most fundamental and therefore effective way to tackle the virus problem.
Dmitry Mostovoy
«Modern Methods of Detecting and Eradicating Known and Unknown Viruses» 12.04Kb 11148 hits
5th international conference Virus Bulletin - 95 (1995)
The first outcome of our efforts in this direction, ADinf (Advanced Diskinfoscope), is a forecasting center which alerts the user in advance, with great reliability, about the intrusion of viruses, even hitherto unknown infectors. As distinct from all other data integrity checkers, ADinf inspects a disk by scanning the sectors one by one via direct addressing of the BIOS, without the assistance of the operating system, and takes all vital parts of the hard disk under check.
Eugene Spafford, Sandeep Kumar
«A Generic Virus Scanner in C++» 44.93Kb 17870 hits
Technical Report CSD-TR-92-062 (1992)
Computer viruses pose an increasing risk to computer data integrity. They cause loss of valuable data and cost an enormous amount in wasted effort in restoration/duplication of lost and damaged data. Each month many new viruses are reported. As the problem of viruses increases, we need tools to detect them and to eradicate them from our systems. This paper describes a virus detection tool: a generic virus scanner in C++ with no inherent limitations on the file systems, file types, or host architectures that can be scanned. The tool is completely general and is structured in such a way that it can easily be augmented to recognize viruses across different system platforms with varied file types. The implementation defines an abstract C++ class, VirInfo, which encapsulates virus features common to all scannable viruses. Subclasses of this abstract class may be used to define viruses that infect different machines and operating systems. The generality of the mechanism allows it to be used for other forms of scanning as well.
Gerald Tesauro, Jeffrey Kephart, Gregory Sorkin
«Neural Networks for Computer Virus Recognition» 7.41Kb 12424 hits
IEEE Expert, vol. 11, no. 4, Aug. 1996, pp. 5-6. (1996)
We have developed a neural network for generic detection of a particular class of computer viruses, the so-called boot sector viruses that infect the boot sector of a floppy disk or a hard drive. This is an important and relatively tractable subproblem of generic virus detection. Only about 5% of all known viruses are boot sector viruses, yet they account for nearly 90% of all virus incidents. We have successfully deployed our neural network as a commercial product, distributing it to millions of PC users worldwide as part of the IBM AntiVirus software package.
Jamie Twycross, Matthew Williamson
«Implementing and testing a virus throttle» 40.54Kb 12265 hits
Proceedings of the 12th USENIX Security Symposium, August 4-8, 2003, Washington, DC, USA (2003)
In this paper we build on previous theoretical work and describe the implementation and testing of a virus throttle - a program, based on a new approach, that is able to substantially reduce the spread of and hence damage caused by mobile code such as worms and viruses. Our approach is different from current, signature-based anti-virus paradigms in that it identifies potential viruses based on their network behaviour and, instead of preventing such programs from entering a system, seeks to prevent them from leaving. The results presented here show that such an approach is effective in stopping the spread of a real worm, W32/Nimda-D, in under a second, as well as several different configurations of a test worm.
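The throttle mechanism this abstract refers to, as an added example rather than the authors' implementation: outbound connections to hosts in a small working set of recently contacted hosts pass immediately, connections to new hosts are released from a delay queue at a fixed rate, and a queue that grows past a limit raises an alarm. The parameters (working set of 5 hosts, one new host per second, alarm above 10 queued requests) and the two traffic traces are assumptions constructed for the demonstration.

```python
"""Virus throttle: rate-limit connections to *new* hosts, alarm when the backlog grows.

Added example (not the paper's code). Parameters and traffic traces are assumptions
chosen to show the behaviour; request times must be non-decreasing.
"""
from collections import OrderedDict, deque


class VirusThrottle:
    def __init__(self, working_set_size=5, new_hosts_per_sec=1.0, queue_limit=10):
        self.working_set = OrderedDict()   # recently contacted hosts, LRU order
        self.delay_queue = deque()         # (request_time, host) waiting to be released
        self.working_set_size = working_set_size
        self.interval = 1.0 / new_hosts_per_sec
        self.queue_limit = queue_limit
        self.next_release = 0.0            # earliest time the next new host may go out
        self.delivered = []                # (time, host) actually sent to the network
        self.alarm_time = None             # when the queue first exceeded queue_limit
        self.max_queue_len = 0

    def _touch(self, host):
        """Mark host as recently used; evict the least recently used host when full."""
        if host in self.working_set:
            self.working_set.move_to_end(host)
        else:
            self.working_set[host] = True
            if len(self.working_set) > self.working_set_size:
                self.working_set.popitem(last=False)

    def tick(self, now):
        """Release queued connections in order, at most one per interval."""
        while self.delay_queue:
            queued_at, host = self.delay_queue[0]
            release_at = max(self.next_release, queued_at)
            if release_at > now:
                break
            self.delay_queue.popleft()
            self._touch(host)
            self.delivered.append((release_at, host))
            self.next_release = release_at + self.interval

    def request(self, now, host):
        """Outbound connection attempt to host at time now. Returns 'allowed' or 'delayed'."""
        self.tick(now)
        if host in self.working_set:           # a familiar host: no rate limit
            self._touch(host)
            self.delivered.append((now, host))
            return "allowed"
        self.delay_queue.append((now, host))   # a new host: wait for the next slot
        self.max_queue_len = max(self.max_queue_len, len(self.delay_queue))
        if len(self.delay_queue) > self.queue_limit and self.alarm_time is None:
            self.alarm_time = now
        self.tick(now)                         # the slot may be free right now
        released = bool(self.delivered) and self.delivered[-1] == (now, host)
        return "allowed" if released else "delayed"


def simulate_normal():
    """Constructed trace: a user touching a few hosts and mostly revisiting them."""
    throttle = VirusThrottle()
    trace = [(0.0, "mail"), (0.5, "news"), (1.1, "mail"), (1.3, "wiki"), (2.6, "news"),
             (3.2, "shop"), (4.4, "cdn"), (5.0, "mail"), (6.1, "blog"), (7.5, "wiki")]
    for t, host in trace:
        throttle.request(t, host)
    return throttle


def simulate_worm(start=10.0, victims=40):
    """Constructed trace: a scanning worm contacting 40 distinct hosts within 0.4 s."""
    throttle = VirusThrottle()
    for i in range(victims):
        throttle.request(start + i / 100, f"10.0.{i // 256}.{i % 256}")
    return throttle


if __name__ == "__main__":
    n = simulate_normal()
    print("normal: alarm =", n.alarm_time, "max queue =", n.max_queue_len)
    w = simulate_worm()
    print("worm: alarm at", w.alarm_time, "delivered", len(w.delivered), "queued", len(w.delay_queue))
```

Under the browsing trace the queue never holds more than one request, so the user sees at most a short delay on a first visit; under the scanning trace only the first new host gets out before the alarm fires a fraction of a second after the burst starts, which is the "contain it before it leaves" property the abstract claims. The alarm is the hook where a real deployment would block the process or quarantine the host.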
Joe Wells
«A Radical New Approach to Virus Scanning» 111.14Kb 11550 hits
CyberSoft, Inc. (1999)
Don't expect this paper to be about a virus problem. To the contrary, it's actually about your having an antivirus problem.
Wing Wong, Mark Stamp
«Hunting for Metamorphic Engines» [TeX] 67.55Kb 18641 hits
Journal in Computer Virology vol. 2, no 3 (2006)
In this paper, we analyze several metamorphic virus generators. We define a similarity index and use it to precisely quantify the degree of metamorphism that each generator produces. Then we present a detector based on hidden Markov models and we consider a simpler detection method based on our similarity index. Both of these techniques detect all of the metamorphic viruses in our test set with extremely high accuracy. In addition, we show that popular commercial virus scanners do not detect the highly metamorphic virus variants in our test set.
InSeon Yoo
«Visualizing Windows Executable Viruses Using Self-Organizing Maps» 27.89Kb 14469 hits
Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, pp.82-89 (2004)
This paper concentrates on visualizing computer viruses without using virus-specific signature information, as a prior stage of the very important problem of detecting computer viruses. In this paper, we address the fact that each virus has its own character that distinguishes it even though it is inserted into an executable file. Viruses cannot hide their own features through the SOM visualization; this feature is like a DNA that determines an individual's unique genetic code. We present how virus codes affect the whole program projection. Without each virus signature, we present how the virus pattern in Windows executable files tells us their family. We show that the variants of each virus can also be covered by each virus mask, which is produced by SOM. We also present the file-structure-based SOMs of Windows executable files.
22 authors, 24 titles