Abstract
In today's interconnected world, malware such as worms and viruses can cause havoc. A malware detector (commonly known as a virus scanner) attempts to identify malware. In spite of the importance of malware detectors, there is a dearth of testing techniques for evaluating them. We present a technique based on program obfuscation for generating tests for malware detectors. Our technique is geared towards evaluating the resilience of malware detectors to the various obfuscation transformations commonly used by hackers to disguise malware. We also demonstrate that a hacker can leverage a malware detector's weakness in handling obfuscation transformations to extract the signature the detector uses for a specific malware. We evaluate three widely used commercial virus scanners using our techniques and find that their resilience to various obfuscations is very poor.
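The test-generation idea sketched above, as an added example that is not the paper's own tool or code: a toy program is represented as a list of instruction strings, a signature as a short instruction sequence, and each semantics-preserving transformation (nop insertion, dead-code insertion, register renaming, instruction substitution) is a test generator; `evaluate` reports per transformation whether a scanner still detects the transformed sample. The sample program, the signature, the instruction syntax and the normalizing detector `normalized_scan` are all constructed assumptions for illustration; the normalizing detector is an added illustration of why resilience depends on matching canonical forms rather than raw bytes, not a claim the abstract makes about any real scanner.

```python
"""Obfuscation-based resilience test for a toy signature scanner (added example)."""
import re
from typing import Callable, Dict, List

Program = List[str]

# Constructed toy "malware" and signature: stand-ins, not real code or a real AV signature.
SAMPLE: Program = ["mov a,1", "add a,2", "call x", "xor b,b", "ret"]
SIGNATURE: Program = ["add a,2", "call x", "xor b,b"]


def _windows(program: Program, n: int):
    return (program[i:i + n] for i in range(len(program) - n + 1))


def naive_scan(program: Program, signature: Program = SIGNATURE) -> bool:
    """Pattern-matching detector: the signature must appear verbatim and contiguously."""
    return any(w == signature for w in _windows(program, len(signature)))


# Semantics-preserving transformations (in the toy model) that serve as test generators.
def nop_insertion(p: Program) -> Program:
    out: Program = []
    for ins in p:
        out += [ins, "nop"]
    return out


def dead_code_insertion(p: Program) -> Program:
    """push/pop of an otherwise unused register c leaves program state unchanged."""
    out: Program = []
    for ins in p:
        out += ["push c", "pop c", ins]
    return out


def register_renaming(p: Program) -> Program:
    """Rename register b to the unused register d in every operand."""
    return [re.sub(r"\bb\b", "d", ins) for ins in p]


def instruction_substitution(p: Program) -> Program:
    """Replace the zeroing idiom 'xor r,r' with the equivalent 'mov r,0'."""
    return [re.sub(r"^xor (\w+),\1$", r"mov \1,0", ins) for ins in p]


TRANSFORMS: Dict[str, Callable[[Program], Program]] = {
    "nop_insertion": nop_insertion,
    "dead_code_insertion": dead_code_insertion,
    "register_renaming": register_renaming,
    "instruction_substitution": instruction_substitution,
}


def normalize(p: Program) -> Program:
    """Undo the transformations above: drop nops, fold push/pop pairs, canonicalize idioms."""
    folded: Program = []
    for ins in p:
        if ins == "nop":
            continue
        ins = re.sub(r"^mov (\w+),0$", r"xor \1,\1", ins)
        if folded and ins.startswith("pop ") and folded[-1] == "push " + ins[4:]:
            folded.pop()
            continue
        folded.append(ins)
    return folded


def _canon_registers(window: Program) -> Program:
    """Number registers by first appearance so that a consistent renaming is undone."""
    names: Dict[str, str] = {}

    def canon(m) -> str:
        return names.setdefault(m.group(0), f"r{len(names)}")

    return [re.sub(r"\b[a-d]\b", canon, ins) for ins in window]


def normalized_scan(program: Program, signature: Program = SIGNATURE) -> bool:
    """Detector hardened by normalization: compare canonical forms, not raw text."""
    target = _canon_registers(normalize(signature))
    prog = normalize(program)
    return any(_canon_registers(w) == target for w in _windows(prog, len(target)))


def evaluate(scanner: Callable[[Program], bool], sample: Program = SAMPLE) -> Dict[str, bool]:
    """One test per transformation plus their composition; True means still detected."""
    results = {"original": scanner(sample)}
    composed = sample
    for name, transform in TRANSFORMS.items():
        results[name] = scanner(transform(sample))
        composed = transform(composed)
    results["all_composed"] = scanner(composed)
    return results


if __name__ == "__main__":
    for label, scanner in (("naive", naive_scan), ("normalized", normalized_scan)):
        print(label, evaluate(scanner))
```

Running the harness shows the naive scanner flagging only the untransformed sample, while the normalizing scanner flags every variant; in a real evaluation the transformations would be applied to binaries and the detector would be the scanner under test, but the shape of the measurement (one generated test per transformation, detection recorded as pass or fail) is the same.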
Published in ISSTA '04: Proceedings of the 2004 ACM SIGSOFT International Symposium on Software Testing and Analysis.