implementation of the function of self-replication is not unique; there is more than
one sequence of operations that can perform this task. Moreover, it is expected that
these sequences are dispersed throughout the entire body of the code and cannot be
detected as an explicit pattern. While self-replication can be achieved in a number of
different ways, this number is definitely finite. Consequently, developers of new
malicious codes are destined to utilize the same self-replication techniques again and
again.
Previously, we developed a computer virus detection system based on these
principles [2], [3]. This system is able to detect the gene of self-replication (GSR) in
most script viruses written in Visual Basic, Java and other high-level script languages.
However, there was still a large family of viruses that could not be successfully
detected by this technique, because it was unable to deal with regular and, especially,
encrypted compiled executable code. While the same principle could still be
instrumental, a different implementation of it had to be developed for extracting
self-replication sequences from such viruses. The technology presented herein is
applicable to the most common and, in terms of detection, most difficult computer viruses
and worms, namely those represented by already compiled, often encrypted, executable
code. Detection is conducted at run-time during normal code execution under
regular conditions by monitoring the behavior of every process with regard to the
operating system's system calls, their input and output arguments, and the results of
their execution. Unlike existing antivirus software, this methodology facilitates
preventative protection from both known and previously unknown attacks.
The authors do realize that a very sophisticated attacker can further modify the
self-replication mechanism, and are prepared to face the next step in the
ever-escalating "arms race".
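To illustrate the run-time principle just described, here is an added toy example that is not code from the paper or its system: it scans a constructed system-call trace for one self-replication pattern, bytes read from the process's own executable image being written into a different file, while ignoring unrelated calls interleaved between the read and the write. The trace format, the file paths and the buffer identities (buf#N, standing in for the argument and data-flow tracking the paper describes) are all assumptions.

```python
import re

# Constructed trace (not from the paper). Assumed format:
#   <pid> <syscall>(<args>) = <result>
# buf#N is a buffer identity standing in for the argument data-flow
# tracking the paper describes; a real monitor would tag buffer contents.
SAMPLE_TRACE = """\
17 open("/home/u/notes.txt", O_RDONLY) = 3
17 read(3, buf#1, 4096) = 120
17 open("/home/u/app.exe", O_RDONLY) = 4
17 read(4, buf#2, 65536) = 61440
17 open("/tmp/svchost_copy.exe", O_WRONLY|O_CREAT) = 5
17 write(5, buf#1, 120) = 120
17 write(5, buf#2, 61440) = 61440
17 close(5) = 0
17 open("/home/u/app.exe", O_WRONLY) = -1
"""

LINE_RE = re.compile(r'^(\d+) (\w+)\((.*)\) = (-?\d+)$')

def parse_line(line):
    """Split one trace line into (pid, call, args, result); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pid, call, args, res = m.groups()
    arg_list = [a.strip().strip('"') for a in args.split(',')] if args else []
    return int(pid), call, arg_list, int(res)

def find_self_replication(trace, own_image):
    """Return (pid, source, destination) for each write of bytes read from the
    process's own image into a different file; read and write may be far apart."""
    procs, findings = {}, []
    for line in trace.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        pid, call, args, res = parsed
        st = procs.setdefault(pid, {'fds': {}, 'tainted': set()})
        if call == 'open' and res >= 0:        # failed opens (res < 0) give no fd
            st['fds'][res] = args[0]
        elif call == 'close' and res == 0:
            st['fds'].pop(int(args[0]), None)
        elif call == 'read' and res > 0 and st['fds'].get(int(args[0])) == own_image:
            st['tainted'].add(args[1])         # buffer now carries own-image bytes
        elif call == 'write' and res > 0 and args[1] in st['tainted']:
            dest = st['fds'].get(int(args[0]))
            if dest and dest != own_image:
                findings.append((pid, own_image, dest))
    return findings
```

Only the write of buf#2 is reported: buf#1 never held image bytes, and the failed open at the end produces no descriptor to track.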
2 Background
Modern computers are designed for a wide variety of purposes, which frequently must all be
accommodated by a single machine. Allowing for such unification and scalability
requires increasingly complex software and hardware infrastructure.
Currently, this infrastructure is facilitated by a computer operating system, which
abstracts the details of the hardware from application software. Applications (programs)
interface with the operating system through the Kernel Application Programming
Interface, or system calls. Therefore, system calls play a major role in the
interaction between software and the operating system, and they characterize the behavior
of both malicious and legitimate computer programs.
Unlike legitimate programs, malicious software performs operations that adversely
affect various hardware/software system components. There is a vast number of
operations that can be considered malicious and, generally speaking, they could be detected
within the sequence of system calls. However, the sequence of system calls produced
by an application can be huge, and the malicious operation can be dispersed
throughout the sequence, making run-time detection a non-trivial task.
Self-replication is a function common to the most insidious malicious programs, including
all viruses and worms that cause computer epidemics maximizing the impact of an