 |
Mihai Christodorescu
Doctoral Candidate
1210 W Dayton St
Office 7372
Madison, WI 53706-1685
|
This paper is a result of research work on behavior-based malware detection and appeared in the Proceedings of the International Symposium on Software Testing and Analysis (ISSTA 2004), July 11-14, 2004, Boston, Massachusetts, USA.
The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes, notwithstanding any copyright notices affixed thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the above government agencies or the U.S. Government.
Mihai Christodorescu, while working as a research assistant on the WiSA project, and Somesh Jha were supported in part by the Office of Naval Research (ONR) under contracts N00014-01-1-0796 and N00014-01-1-0708.
Downloads:
- Version suitable for printing: PDF Postscript
- Citation: BibTeX
Abstract
In today's interconnected world, malware, such as worms and viruses, can cause havoc. A malware detector (commonly known as virus scanner) attempts to identify malware. In spite of the importance of malware detectors, there is a dearth of testing techniques for evaluating them. We present a technique based on program obfuscation for generating tests for malware detectors. Our technique is geared towards evaluating the resilience of malware detectors to various obfuscation transformations commonly used by hackers to disguise malware. We also demonstrate that a hacker can leverage a malware detector's weakness in handling obfuscation transformations and can extract the signature used by a detector for a specific malware. We evaluate three widely-used commercial virus scanners using our techniques and discover that the resilience of these scanners to various obfuscations is very poor.