Identification of file infecting viruses through detection of self-reference replication

  • Journal in Computer Virology (EICAR 2008 extended version)

Abstract

This paper presents an approach to detecting known and unknown file infecting viruses based on their attempt to replicate. The approach requires no prior knowledge of previously discovered viruses: detection is performed at runtime by monitoring the currently executing processes for attempts to replicate. Replication is the fundamental characteristic of a virus and is present in every virus, which makes the approach applicable to viruses of many classes executing under a range of conditions. A prototype of the detection approach, SRRAT, was implemented and tested on Microsoft Windows operating systems, tracking user-mode Win32 API calls and kernel-mode system services.
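
As an added illustration (not the paper's SRRAT prototype and not code from the authors), the block below runs a toy self-reference replication check over a constructed Win32 API call trace. It assumes a simplified definition of self-reference replication: a process that reads from its own executable image and then writes into a different file. The process ids, paths, handle values and trace records are all constructed for the example, and the API names are the Win32 names a user-mode hook would report; a real monitor would obtain these records from user-mode hooks or kernel system-service tracing, as the abstract describes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added example, not the paper's SRRAT code. Models a user-mode Win32 API hook
# log as a list of records; every value below is constructed for illustration.


@dataclass
class ApiCall:
    pid: int                       # process that issued the call
    api: str                       # Win32 API name as a hook would report it
    args: Dict[str, object] = field(default_factory=dict)


# Assumed image paths of the monitored processes (normally taken from the
# process creation notification or the PEB, here hard-coded).
SAMPLE_IMAGES = {
    1337: r"C:\Users\bob\invoice.exe",          # hypothetical infector
    42:   r"C:\Windows\System32\xcopy.exe",     # benign copy tool
}

# Constructed trace: the infector locates its own image, reads it, and writes
# into another executable; xcopy copies a document it does not own.
SAMPLE_TRACE: List[ApiCall] = [
    ApiCall(1337, "GetModuleFileName", {"path": r"C:\Users\bob\invoice.exe"}),
    ApiCall(1337, "CreateFile", {"handle": 0x10, "path": r"C:\Users\bob\invoice.exe"}),
    ApiCall(1337, "ReadFile", {"handle": 0x10, "bytes": 4096}),
    ApiCall(1337, "CreateFile", {"handle": 0x14, "path": r"C:\Users\bob\calc.exe"}),
    ApiCall(1337, "WriteFile", {"handle": 0x14, "bytes": 4096}),
    ApiCall(1337, "WriteFile", {"handle": 0x14, "bytes": 512}),   # same target, one alert
    ApiCall(1337, "CloseHandle", {"handle": 0x14}),
    ApiCall(1337, "CloseHandle", {"handle": 0x10}),
    ApiCall(42, "CreateFile", {"handle": 0x20, "path": r"C:\data\report.docx"}),
    ApiCall(42, "ReadFile", {"handle": 0x20, "bytes": 8192}),
    ApiCall(42, "CreateFile", {"handle": 0x24, "path": r"D:\backup\report.docx"}),
    ApiCall(42, "WriteFile", {"handle": 0x24, "bytes": 8192}),
]

Alert = Tuple[int, str, str]   # (pid, own image path, written target path)


def detect_self_reference(trace: List[ApiCall],
                          images: Dict[int, str]) -> List[Alert]:
    """Return one alert per (pid, target) where a process that has read its own
    executable image writes into a different file. Paths are compared
    case-insensitively because NTFS is case-insensitive by default."""
    own: Dict[int, str] = {pid: p.lower() for pid, p in images.items()}
    handles: Dict[Tuple[int, int], str] = {}   # (pid, handle) -> open path
    read_self = set()                          # pids that have read their image
    reported = set()
    alerts: List[Alert] = []

    for call in trace:
        pid, a = call.pid, call.args
        if call.api == "GetModuleFileName":
            # Learn the image path if the monitor did not already know it.
            own.setdefault(pid, str(a["path"]).lower())
        elif call.api == "CreateFile":
            handles[(pid, a["handle"])] = str(a["path"]).lower()
        elif call.api == "CloseHandle":
            handles.pop((pid, a["handle"]), None)
        elif call.api == "ReadFile":
            if handles.get((pid, a["handle"])) == own.get(pid):
                read_self.add(pid)
        elif call.api == "WriteFile":
            target = handles.get((pid, a["handle"]))
            # Self-reference replication: own bytes were read and now flow into
            # a file that is not the process's own image.
            if pid in read_self and target and target != own.get(pid):
                if (pid, target) not in reported:
                    reported.add((pid, target))
                    alerts.append((pid, own[pid], target))
    return alerts


if __name__ == "__main__":
    for pid, image, target in detect_self_reference(SAMPLE_TRACE, SAMPLE_IMAGES):
        print(f"pid {pid}: read own image {image} and wrote into {target}")
```

Two caveats the toy leaves out. A user-mode Win32 hook never sees code that calls the native API in ntdll (NtCreateFile, NtWriteFile) or issues the system call directly, which is one reason the abstract tracks kernel-mode system services in addition to Win32 calls. And self-copying is not always malicious (installers and updaters copy their own image), so a deployable monitor needs a whitelist or further evidence, such as the write landing inside an existing executable, before treating an alert as an infection.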

Author information

Corresponding author

Correspondence to Jose Andre Morales.

Cite this article

Morales, J.A., Clarke, P.J. & Deng, Y. Identification of file infecting viruses through detection of self-reference replication. J Comput Virol 6, 161–180 (2010). https://doi.org/10.1007/s11416-008-0101-5
