Abstract
This paper presents an approach to detecting known and unknown file infecting viruses based on their attempt to replicate. The approach does not require any prior knowledge of previously discovered viruses. Detection is accomplished at runtime by monitoring currently executing processes that attempt to replicate. Replication is the fundamental characteristic of a virus and is consistently present in all viruses, making this approach applicable to viruses belonging to many classes and executing under several conditions. An implementation prototype of our detection approach, called SRRAT, is created and tested on the Microsoft Windows operating system, focusing on the tracking of user mode Win32 API system calls and kernel mode system services.
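The abstract describes runtime detection of replication by tracking Win32 API calls, but gives no detail of the decision rule. The following is an added illustration written for this page, not SRRAT or any code from the authors: it replays a constructed API call trace and flags a process that reads bytes from its own executable image and then writes those same bytes into a different executable file. The trace format (`ApiCall`), the paths and the pid values are all constructed, and the "read own image, write it elsewhere" rule is an assumed heuristic for the purpose of the example, not the paper's published algorithm.

```python
"""Toy self-reference replication monitor (added example, not the paper's SRRAT).

Replays a constructed Win32 API call trace and reports processes that read
their own executable image and write those bytes into another executable.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")


@dataclass(frozen=True)
class ApiCall:
    pid: int            # process id (constructed values below)
    image: str          # path of the executable the process was started from
    api: str            # Win32 API name: CreateFileW, ReadFile, WriteFile, CloseHandle
    handle: int         # file handle value returned by CreateFileW
    path: str = ""      # only meaningful for CreateFileW
    data: bytes = b""   # only meaningful for ReadFile / WriteFile


def detect_self_reference_replication(trace: Iterable[ApiCall]) -> List[Tuple[int, str, str]]:
    """Return (pid, own_image, target_path) for every write that copies a
    process's own image bytes into a different executable file."""
    handles = {}    # (pid, handle) -> path opened with CreateFileW
    own_bytes = {}  # pid -> bytes the process has read from its own image
    flagged = []
    for call in trace:
        key = (call.pid, call.handle)
        if call.api == "CreateFileW":
            handles[key] = call.path
        elif call.api == "ReadFile":
            # Self-reference: the handle being read refers to the caller's own image.
            if handles.get(key, "").lower() == call.image.lower():
                own_bytes.setdefault(call.pid, bytearray()).extend(call.data)
        elif call.api == "WriteFile":
            target = handles.get(key, "")
            buf = own_bytes.get(call.pid)
            if (buf
                    and call.data
                    and target.lower() != call.image.lower()
                    and target.lower().endswith(EXECUTABLE_SUFFIXES)
                    and call.data in bytes(buf)):
                flagged.append((call.pid, call.image, target))
        elif call.api == "CloseHandle":
            handles.pop(key, None)
    return flagged


# Constructed sample trace. Three processes:
#   4242 reads its own image and writes the bytes into another .exe (flagged)
#   77   reads its own image but only writes a text log (not flagged)
#   91   copies a different file into an .exe, e.g. an installer (not flagged)
OWN_IMAGE = r"C:\Users\demo\invoice.exe"
STUB = b"MZ\x90\x00 constructed image bytes"

CONSTRUCTED_TRACE = [
    ApiCall(4242, OWN_IMAGE, "CreateFileW", 0x10, path=OWN_IMAGE),
    ApiCall(4242, OWN_IMAGE, "ReadFile", 0x10, data=STUB),
    ApiCall(4242, OWN_IMAGE, "CloseHandle", 0x10),
    ApiCall(4242, OWN_IMAGE, "CreateFileW", 0x14, path=r"C:\Program Files\app\calc.exe"),
    ApiCall(4242, OWN_IMAGE, "WriteFile", 0x14, data=STUB),
    ApiCall(77, r"C:\Tools\selfcheck.exe", "CreateFileW", 0x20, path=r"C:\Tools\selfcheck.exe"),
    ApiCall(77, r"C:\Tools\selfcheck.exe", "ReadFile", 0x20, data=b"MZ checksum input"),
    ApiCall(77, r"C:\Tools\selfcheck.exe", "CreateFileW", 0x24, path=r"C:\Tools\selfcheck.log"),
    ApiCall(77, r"C:\Tools\selfcheck.exe", "WriteFile", 0x24, data=b"ok"),
    ApiCall(91, r"C:\Temp\setup.exe", "CreateFileW", 0x30, path=r"C:\Temp\payload.bin"),
    ApiCall(91, r"C:\Temp\setup.exe", "ReadFile", 0x30, data=b"MZ payload"),
    ApiCall(91, r"C:\Temp\setup.exe", "CreateFileW", 0x34, path=r"C:\Program Files\app\app.exe"),
    ApiCall(91, r"C:\Temp\setup.exe", "WriteFile", 0x34, data=b"MZ payload"),
]


def run_demo() -> List[Tuple[int, str, str]]:
    """Run the monitor over the constructed trace; returns the flagged events."""
    return detect_self_reference_replication(CONSTRUCTED_TRACE)


if __name__ == "__main__":
    for pid, image, target in run_demo():
        print(f"pid {pid}: {image} wrote its own image bytes into {target}")
```

The handle table is what makes the rule work: a real monitor sees `ReadFile`/`WriteFile` only with handle values, so it must remember which path each `CreateFileW` returned, per process, and forget it on `CloseHandle`. The two unflagged processes show the false-positive cases such a rule has to tolerate: self-checking binaries that read their own image, and installers that write executables from data that is not their own image.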
Morales, J.A., Clarke, P.J. & Deng, Y. Identification of file infecting viruses through detection of self-reference replication. J Comput Virol 6, 161–180 (2010). https://doi.org/10.1007/s11416-008-0101-5
DOI: https://doi.org/10.1007/s11416-008-0101-5