Static Analysis of Executables to Detect Malicious Patterns
Malicious code detection is a crucial component of any defense mechanism.
In this paper, we present a unique viewpoint on malicious code detection.
We regard malicious code detection as an obfuscation-deobfuscation game
between malicious code writers and researchers working on malicious code
detection. Malicious code writers attempt to obfuscate the malicious code
to subvert the malicious code detectors, such as anti-virus software. We
tested the resilience of three commercial virus scanners against code
obfuscation attacks. The results were surprising: the three commercial
virus scanners could be subverted by very simple obfuscation
transformations! We present an architecture for detecting malicious
patterns in executables that is resilient to common obfuscation
transformations. Experimental results demonstrate the efficacy of our
prototype tool, SAFE (a static analyzer for executables).
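As an added illustration of the obfuscation-deobfuscation game described in the abstract (example code written for this page, not the SAFE tool or any detector from the paper), the following Python compares a plain signature matcher, which requires an exact instruction sequence, with a matcher that normalizes two simple transformations of the kind the abstract refers to: inserting instructions that have no effect, and consistently renaming general-purpose registers. The instruction sequences, the placeholder "malicious pattern" and the `write_file` callee are all constructed for the example; the normalization rules are the example's own assumptions, not the paper's algorithm.

```python
"""Obfuscation-resilient pattern matching on a toy instruction stream.

Added example, not the paper's SAFE tool. All instruction sequences below
are constructed for illustration; PATTERN is a placeholder, not a real
malware signature.
"""
import re
from typing import List, Tuple

Instr = Tuple[str, Tuple[str, ...]]  # (mnemonic, operands)

# Constructed placeholder pattern a detector looks for.
PATTERN: List[Instr] = [
    ("mov", ("eax", "[ebp+8]")),
    ("xor", ("eax", "0x5A")),
    ("mov", ("[ebp+12]", "eax")),
    ("call", ("write_file",)),  # hypothetical callee name
]

PROLOGUE: List[Instr] = [("push", ("ebp",)), ("mov", ("ebp", "esp"))]
EPILOGUE: List[Instr] = [("pop", ("ebp",)), ("ret", ())]

# Constructed program variants: the unmodified one, one with dead
# instructions inserted, and one with eax consistently renamed to ecx.
ORIGINAL: List[Instr] = PROLOGUE + PATTERN + EPILOGUE
NOP_INSERTED: List[Instr] = PROLOGUE + [
    ("mov", ("eax", "[ebp+8]")),
    ("nop", ()),
    ("xor", ("eax", "0x5A")),
    ("mov", ("edx", "edx")),      # moves a register onto itself: no effect
    ("mov", ("[ebp+12]", "eax")),
    ("call", ("write_file",)),
] + EPILOGUE
REGISTER_RENAMED: List[Instr] = PROLOGUE + [
    ("mov", ("ecx", "[ebp+8]")),
    ("xor", ("ecx", "0x5A")),
    ("mov", ("[ebp+12]", "ecx")),
    ("call", ("write_file",)),
] + EPILOGUE
# A benign routine that shares some instructions but not the pattern.
BENIGN: List[Instr] = PROLOGUE + [
    ("mov", ("eax", "[ebp+8]")),
    ("add", ("eax", "1")),
] + EPILOGUE

# General-purpose registers that may be renamed; ebp/esp are left fixed.
GPR = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi)\b")


def is_semantic_nop(ins: Instr) -> bool:
    """True for instructions that change no program state."""
    mnemonic, ops = ins
    if mnemonic == "nop":
        return True
    # mov/xchg of a register onto itself does nothing.
    return mnemonic in ("mov", "xchg") and len(ops) == 2 and ops[0] == ops[1]


def canonicalize(seq: List[Instr]) -> List[Instr]:
    """Drop semantic nops and rename GPRs by order of first use (R0, R1, ...).

    Renaming is relative to the sequence itself, so a window of a program and
    the pattern compare equal whenever they differ only by register choice.
    """
    names = {}
    out: List[Instr] = []
    for mnemonic, ops in seq:
        if is_semantic_nop((mnemonic, ops)):
            continue
        renamed = tuple(
            GPR.sub(lambda m: names.setdefault(m.group(1), f"R{len(names)}"), op)
            for op in ops
        )
        out.append((mnemonic, renamed))
    return out


def exact_match(program: List[Instr], pattern: List[Instr]) -> bool:
    """Naive detector: the pattern must appear verbatim and contiguously."""
    n = len(pattern)
    return any(program[i:i + n] == pattern for i in range(len(program) - n + 1))


def resilient_match(program: List[Instr], pattern: List[Instr]) -> bool:
    """Detector that normalizes nop insertion and register renaming first."""
    canon_pattern = canonicalize(pattern)
    stripped = [ins for ins in program if not is_semantic_nop(ins)]
    n = len(canon_pattern)
    return any(
        canonicalize(stripped[i:i + n]) == canon_pattern
        for i in range(len(stripped) - n + 1)
    )


if __name__ == "__main__":
    for name, prog in [("original", ORIGINAL), ("nop-inserted", NOP_INSERTED),
                       ("register-renamed", REGISTER_RENAMED), ("benign", BENIGN)]:
        print(f"{name:17} exact={exact_match(prog, PATTERN)!s:5} "
              f"resilient={resilient_match(prog, PATTERN)}")
```

The exact matcher detects only the unmodified sequence, which is the failure mode the abstract reports for the commercial scanners. The resilient matcher canonicalizes each candidate window independently, so register numbering does not depend on what the surrounding code happened to use first, and the benign routine is still rejected because its mnemonics differ.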
Download: [PS, PDF]
Somesh Jha
Last modified: Mon Nov 17 09:35:56 CST 2003