Article

A tool for analyzing and detecting malicious mobile code

Authors:

Akira Mori,

Tomonori Izumida,

Toshimi Sawada,

Tadashi InoueAuthors Info & Claims

ICSE '06: Proceedings of the 28th international conference on Software engineering

Pages 831 - 834

https://doi.org/10.1145/1134285.1134426

Published: 28 May 2006 Publication History

Get Access

Abstract

We present a tool for analysis and detection of malicious mobile code such as computer viruses and internet worms based on the combined use of code simulation, static code analysis, and OS execution emulation. Unlike traditional anti-virus methods, the tool directly inspects the code and identifies commonly found malicious behaviors such as mass mailing, self duplication, and registry overwrite without relying on ``pattern files'' that contain ``signatures'' of previously captured samples. The prohibited behaviors are defined separately as security policies at the level of API library function calls in a state-transition like language. The tool also features data flow analysis based on static single assignment forms, which are useful in tracing various values stored in registers and memory locations. The current tool targets at Win32 binary programs on Intel IA32 architectures and can detect most email virusesslash worms that had spread in the wild in recent years.

References

[1]

B. Alpern, M. N. Wegman, and F. K. Zadeck. Detecting equality of variables in programs. In Proceedings of the 15th ACM Symposium on Principles of Programming Languages, pages 1--11, January 1988.

Digital Library

Google Scholar

[2]

J. Bergeron, M. Debbabi, J. Desharnais, M. Erhioui, Y. Lavoie, and N. Tawbi. Static detection of malicious code in executable. In Proceedings of the International Symposium on Requirements Engineering for Information Security SREIS'01, pages 1--8, March 2001.

Google Scholar

[3]

M. Christodorescu, S. Jha, S. A. Seshia, D. Song, and R. E. Bryant. Semantics-aware malware detection. In Proceedings of the 2005 IEEE Symposium on Security and Privacy, pages 32--46, May 2005.

Digital Library

Google Scholar

[4]

R. Cytron, J. Ferrante, B. K. Rosen, M. N. Wegman, and F. K. Zadeck. Efficiently computing static single assignment form and the control dependence graph. ACM Transactions on Programming Languages and Systems, 13(4), October 1991.

Digital Library

Google Scholar

[5]

A. Mori. Detecting unknown computer viruses -- a new approach --. Lecture Notes in Computer Science, 3233:226--241, 2004.

Crossref

Google Scholar

[6]

B. K. Rosen, M. N. Wegman, and F. K. Zadeck. Global value numbers and redundant computations. In Proceedings of the 15th ACM Symposium on Principles of Programming Languages, pages 12--27, January 1988.

Digital Library

Google Scholar

[7]

Symantec Corporation. Polymorphic virus detection module. United States Patent, 5,696,822, December 1997.

Google Scholar

[8]

Symantec Corporation. Dynamic heuristic method for detecting computer viruses using decryption exploration and evaluation phases. United States Patent, 6,357,008, March 2002.

Google Scholar

Cited By

View all

Sharma AGupta BSingh ASaraswat V(2023)Advanced Persistent Threats (APT): evolution, anatomy, attribution and countermeasuresJournal of Ambient Intelligence and Humanized Computing10.1007/s12652-023-04603-y14:7(9355-9381)Online publication date: 6-May-2023
https://doi.org/10.1007/s12652-023-04603-y
Gupta S(2016)Efficient malicious domain detection using word segmentation and BM pattern matching2016 International Conference on Recent Advances and Innovations in Engineering (ICRAIE)10.1109/ICRAIE.2016.7939534(1-6)Online publication date: Dec-2016
https://doi.org/10.1109/ICRAIE.2016.7939534
Zhang BYin JWang SYan X(2014)Research on virus detection technique based on ensemble neural network and SVMNeurocomputing10.1016/j.neucom.2013.04.055137(24-33)Online publication date: Aug-2014
https://doi.org/10.1016/j.neucom.2013.04.055
Show More Cited By

Index Terms

Recommendations

Detection of injected, dynamically generated, and obfuscated malicious code
WORM '03: Proceedings of the 2003 ACM workshop on Rapid malcode

This paper presents DOME, a host-based technique for detecting several general classes of malicious code in software executables. DOME uses static analysis to identify the locations (virtual addresses) of system calls within the software executables, ...
An FSM-Based Approach for Malicious Code Detection Using the Self-Relocation Gene
ICIC '08: Proceedings of the 4th international conference on Intelligent Computing: Advanced Intelligent Computing Theories and Applications - with Aspects of Theoretical and Methodological Issues

Most information attacks on the Internet are perpetrated by deploying malicious codes, which results in destructive epidemics. The correct execution of viruses and worms throughout the Internet is accomplished by self-relocation. Self-relocation is a ...
Detection of metamorphic malicious mobile code on android-based smartphones

By repackaging a malicious code into reverse compiled legitimate mobile code, malware authors can bypass detection step on existing mobile vaccine software using inserting AES-encrypted root exploits to loading some payload from a malicious remote ...

Comments

Information & Contributors

Information

Published In

ICSE '06: Proceedings of the 28th international conference on Software engineering

May 2006

1110 pages

ISBN:1595933751

DOI:10.1145/1134285

General Chair:
Leon J. Osterweil
University of Massachusetts, USA
,
Program Chairs:
Dieter Rombach
TU Kaiserslautern, Germany
,
Mary Lou Soffa
University of Virginia, USA

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 28 May 2006

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

ICSE06

Sponsor:

ICSE06: International Conference on Software Engineering

May 20 - 28, 2006

Shanghai, China

Acceptance Rates

Overall Acceptance Rate 276 of 1,856 submissions, 15%

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

6
Total Citations
View Citations
785
Total Downloads

Downloads (Last 12 months)4
Downloads (Last 6 weeks)2

Reflects downloads up to 08 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Sharma AGupta BSingh ASaraswat V(2023)Advanced Persistent Threats (APT): evolution, anatomy, attribution and countermeasuresJournal of Ambient Intelligence and Humanized Computing10.1007/s12652-023-04603-y14:7(9355-9381)Online publication date: 6-May-2023
https://doi.org/10.1007/s12652-023-04603-y
Gupta S(2016)Efficient malicious domain detection using word segmentation and BM pattern matching2016 International Conference on Recent Advances and Innovations in Engineering (ICRAIE)10.1109/ICRAIE.2016.7939534(1-6)Online publication date: Dec-2016
https://doi.org/10.1109/ICRAIE.2016.7939534
Zhang BYin JWang SYan X(2014)Research on virus detection technique based on ensemble neural network and SVMNeurocomputing10.1016/j.neucom.2013.04.055137(24-33)Online publication date: Aug-2014
https://doi.org/10.1016/j.neucom.2013.04.055
Izumida TFutatsugi KMori A(2010)A generic binary analysis method for malwareProceedings of the 5th international conference on Advances in information and computer security10.5555/1927197.1927216(199-216)Online publication date: 22-Nov-2010
https://dl.acm.org/doi/10.5555/1927197.1927216
Izumida TFutatsugi KMori A(2010)A Generic Binary Analysis Method for MalwareAdvances in Information and Computer Security10.1007/978-3-642-16825-3_14(199-216)Online publication date: 2010
https://doi.org/10.1007/978-3-642-16825-3_14
Hashimoto MMori A(2008)Diff/TSProceedings of the 2008 15th Working Conference on Reverse Engineering10.1109/WCRE.2008.44(279-288)Online publication date: 15-Oct-2008
https://dl.acm.org/doi/10.1109/WCRE.2008.44

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Abstract

References

Cited By

Index Terms

Recommendations

Detection of injected, dynamically generated, and obfuscated malicious code

An FSM-Based Approach for Malicious Code Detection Using the Self-Relocation Gene

Detection of metamorphic malicious mobile code on android-based smartphones

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Share

Share this Publication link

Share on social media

Affiliations