Abstract
As a general rule, most malware variants are produced by copycats from an original malware strain. To do so, they widely perform black-box analyses of commercial scanners in order to extract the detection patterns those scanners rely on. In this paper, we first study the malware detection pattern extraction problem from a complexity point of view and report the results of a wide-scale black-box analysis of commercial scanners. These results clearly show that most of the tested commercial products fail to thwart black-box analysis, a weakness that encourages copycats to produce still more variants. We then present a new model of malware detection patterns based on Boolean functions and identify the properties a reliable detection pattern should have. Lastly, we describe a combinatorial, probabilistic malware pattern scanning scheme that, on the one hand, severely limits black-box analysis and, on the other hand, can only be bypassed through collusion between a number of copycats. Incidentally, this scheme can provide useful technical information to malware crime investigators, allowing faster identification of copycats.
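The black-box analysis the abstract refers to is easy to see on a toy scanner, as in the added example below. It is not code from the paper: the signature, the sample file and the per-instance position subsets are all constructed here, and the "subset scanner" is a deliberately simplified model (each deployed copy checks only a fixed subset of the pattern's byte positions) rather than Filiol's Boolean-function scheme. It shows the copycat's single-byte-mutation extraction recovering the whole pattern from a deterministic scanner in one pass, recovering only a partial pattern from one diversified instance, a variant tuned on that instance still being caught by another instance, and the full pattern falling out only when several instances' results are pooled, i.e. under collusion.

```python
"""Black-box extraction of a scanner's detection pattern, and how per-instance
diversification of the pattern raises the bar to collusion.

Added illustration only: not code from the paper.  The SubsetScanner below is a
simplified model (assumption), not the paper's Boolean-function scheme.
SIGNATURE, SAMPLE and the instance position subsets are constructed here.
"""
from typing import Callable, Iterable

# Constructed "original strain": header, filler, the detection pattern, filler.
SIGNATURE = bytes.fromhex("558bec6aff6800104000")                  # 10-byte pattern (constructed)
SAMPLE = b"MZ" + bytes(range(60)) + SIGNATURE + bytes(range(40))   # 112 bytes, pattern at offset 62

Scanner = Callable[[bytes], bool]


def naive_scanner(data: bytes) -> bool:
    """Deterministic scanner: one fixed substring, identical in every deployed copy."""
    return SIGNATURE in data


class SubsetScanner:
    """Toy diversified scanner (modelling assumption).  Each deployed instance is
    given a fixed k-subset of the pattern's byte positions at install time and,
    at every offset, compares only those positions.  A black-box analysis of one
    instance can therefore reveal at most those k positions of the pattern."""

    def __init__(self, signature: bytes, positions: Iterable[int]):
        self.signature = signature
        self.positions = sorted(positions)

    def __call__(self, data: bytes) -> bool:
        n = len(self.signature)
        for off in range(len(data) - n + 1):
            if all(data[off + p] == self.signature[p] for p in self.positions):
                return True
        return False


def extract_pattern(scanner: Scanner, sample: bytes) -> set[int]:
    """Copycat's black-box analysis: flip one byte at a time and re-scan.
    A byte whose modification drops the verdict belongs to the pattern.
    Costs len(sample) queries against a conjunction-style scanner."""
    if not scanner(sample):
        raise ValueError("sample must be detected before extraction")
    relevant: set[int] = set()
    for i in range(len(sample)):
        mutated = bytearray(sample)
        mutated[i] ^= 0x01                  # minimal change: flip the low bit
        if not scanner(bytes(mutated)):
            relevant.add(i)
    return relevant


def build_variant(sample: bytes, learned: set[int]) -> bytes:
    """Copycat's variant: keep the strain, alter only the bytes found relevant."""
    variant = bytearray(sample)
    for i in learned:
        variant[i] ^= 0x01
    return bytes(variant)


def colluded_pattern(instances: list[Scanner], sample: bytes) -> set[int]:
    """Collusion: several copycats each analyse their own scanner copy and pool
    the positions they learned."""
    learned: set[int] = set()
    for inst in instances:
        learned |= extract_pattern(inst, sample)
    return learned


if __name__ == "__main__":
    full = extract_pattern(naive_scanner, SAMPLE)
    print("naive scanner leaks the whole pattern at offsets", sorted(full))

    # Three deployed instances with different (constructed) position subsets.
    a = SubsetScanner(SIGNATURE, [0, 2, 5, 8])
    b = SubsetScanner(SIGNATURE, [1, 3, 6, 9])
    c = SubsetScanner(SIGNATURE, [0, 1, 4, 7])

    seen_by_a = extract_pattern(a, SAMPLE)
    print("one instance leaks only", sorted(seen_by_a))
    variant = build_variant(SAMPLE, seen_by_a)
    print("variant tuned on A: A detects", a(variant), "/ B detects", b(variant))

    pooled = colluded_pattern([a, b, c], SAMPLE)
    print("pooling three instances recovers the full pattern:", pooled == full)
```

Against the deterministic scanner the copycat learns all ten pattern offsets (62 to 71) in 112 queries; against one diversified instance it learns four, and the variant that evades that instance is still caught by an instance checking a disjoint subset. Only the union over enough instances (here three) equals the full pattern, which is the collusion condition the abstract describes. The choice of instance subsets is itself the hard part in the real scheme, which the paper builds from combinatorial designs; this toy picks them by hand.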
Filiol, E. Malware Pattern Scanning Schemes Secure Against Black-box Analysis. J Comput Virol 2, 35–50 (2006). https://doi.org/10.1007/s11416-006-0009-x