Abstract
In the context of the OpenDAVFI project (a fork of the French initiative DAVFI, funded by the French Government, whose aim is a new-generation, open antivirus engine), different AV filters have been developed and chained to detect both known and unknown malware very accurately while requiring a very limited number of updates. While most AV software uses a variety of static and dynamic detection techniques, mostly based on the general concept of a (static or heuristic) signature, we have observed that many malware samples do not comply with the Microsoft specifications of the MZ-PE format. In this technical correspondence, we present the structural analysis tests that have been implemented in the DAVFI/OpenDAVFI project. These tests accurately detect malware and therefore greatly reduce the number of samples that have to be analyzed by the subsequent modules of our detection chain.
Additional information
This research work has been partially funded by the National Fund for the Digital Society in the context of Investissements d’avenir - Grand Emprunt.
Cite this article
David, B., Filiol, E. & Gallienne, K. Structural analysis of binary executable headers for malware detection optimization. J Comput Virol Hack Tech 13, 87–93 (2017). https://doi.org/10.1007/s11416-016-0274-2