information attack. Thus, the search for malicious programs can be narrowed to the
search for self-replication activity in the sequences of system calls.
The concept of detecting the GSR is generic in its nature; therefore it can be
applied to any computer system without necessarily binding it to a specific operating
system. The remainder of this paper deals specifically with the Microsoft Windows®
operating system, but the basic principles can be applied to any operating system on
any computer hardware platform.
When dealing with system calls in the Windows® kernel, it is important to realize that
a system call by itself is a rather complex entity. Apart from the call to a specific
interface, many important parameters are passed: the origin of the
system call (process and thread identifiers), control flags, input arguments, data
structures, output parameters and the result of the call's execution. All of these parameters
must be taken into consideration when detecting self-replication activity.
3 Definition of the Gene of Self-replication
The GSR is viewed as a specific sequence of commands passed to the computer
operating system by certain program code that causes this code to replicate itself
through the system or multiple systems. Replication can be accomplished in several
ways depending on a particular computer system as well as the software the system is
running. For example, computer viruses designed for the Microsoft DOS® operating
system utilized direct access to hardware for this purpose. The widespread
introduction of microprocessors that support different privilege levels, together
with operating systems that enforce these access levels, facilitated new
methods of self-replication. Computer viruses began employing different software
APIs, from hijacking a simple email client API to interfacing with very complex OS APIs.
Nevertheless, the most sophisticated and versatile viruses are still implemented in
assembly language (ASM) and assembled into executable files. Since computer
viruses are expected to self-replicate and this task cannot be accomplished without
interfacing the operating system, monitoring and analyzing system calls to certain OS
APIs provides the means for the detection of this common feature of malicious
software.
3.1 GSR Structure
Virtually every process running in the system produces system calls; however, they
are not mixed and can easily be differentiated for every process and thread. In all
cases, system calls generated at run time represent a direct timeline of
events, which can be analyzed during execution. For any given process, this
sequence can be large or relatively small depending on what system resources it is
trying to access. The GSR is contained within the sequence produced by a malicious
process, and it could be dispersed throughout that sequence.
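To make the per-thread, dispersed nature of the GSR concrete, the following added example (not the paper's code) scans a constructed system-call trace with a hypothetical three-block replication pattern (read own image, create another file, write to it); the call names, the IMAGE map and the block definitions are assumptions made for illustration, and calls whose result is not SUCCESS never advance the match.

```python
from collections import defaultdict

# Constructed sample trace: (pid, tid, call, args, result). Not real Windows telemetry.
IMAGE = {100: r"C:\app\a.exe", 200: r"C:\app\svc.exe", 300: r"C:\app\c.exe"}
TRACE = [
    (100, 1, "NtOpenFile",   {"path": r"C:\app\a.exe", "access": "READ"},    "SUCCESS"),
    (200, 7, "NtCreateFile", {"path": r"C:\tmp\log.txt", "access": "WRITE"}, "SUCCESS"),
    (100, 1, "NtReadFile",   {"handle": "h1"},                               "SUCCESS"),
    (200, 7, "NtWriteFile",  {"handle": "h9"},                               "SUCCESS"),
    (100, 1, "NtQueryInformationFile", {"handle": "h1"},                     "SUCCESS"),
    (100, 1, "NtCreateFile", {"path": r"C:\tmp\b.exe", "access": "WRITE"},   "SUCCESS"),
    (300, 2, "NtOpenFile",   {"path": r"C:\app\c.exe", "access": "READ"},    "SUCCESS"),
    (100, 1, "NtWriteFile",  {"handle": "h2"},                               "SUCCESS"),
    (300, 2, "NtCreateFile", {"path": r"C:\tmp\d.exe", "access": "WRITE"},   "ACCESS_DENIED"),
    (300, 2, "NtWriteFile",  {"handle": "h3"},                               "SUCCESS"),
]

# Hypothetical building blocks of one simplified file-replication procedure:
# each is a predicate over a single call together with its parameters and result.
def reads_own_image(pid, call, args, result):
    return (call in ("NtOpenFile", "NtCreateFile") and result == "SUCCESS"
            and args.get("path") == IMAGE[pid] and "READ" in args.get("access", ""))

def creates_other_file(pid, call, args, result):
    return (call == "NtCreateFile" and result == "SUCCESS"
            and args.get("path") != IMAGE[pid] and "WRITE" in args.get("access", ""))

def writes_file(pid, call, args, result):
    return call == "NtWriteFile" and result == "SUCCESS"

BLOCKS = [reads_own_image, creates_other_file, writes_file]

def find_gsr(trace):
    """Return {(pid, tid): [trace indices]} for every thread whose own call
    sequence contains all blocks in order; unrelated calls in between are skipped."""
    progress = defaultdict(list)   # (pid, tid) -> indices of blocks matched so far
    hits = {}
    for i, (pid, tid, call, args, result) in enumerate(trace):
        key = (pid, tid)
        if key in hits:
            continue
        if BLOCKS[len(progress[key])](pid, call, args, result):
            progress[key].append(i)
            if len(progress[key]) == len(BLOCKS):
                hits[key] = progress[key]
    return hits

if __name__ == "__main__":
    print(find_gsr(TRACE))   # {(100, 1): [0, 5, 7]}
```

Thread (300, 2) reads its own image but its create call is denied, so the pattern is not reported for it; thread (200, 7) only performs ordinary file writes and never matches the first block.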
Since none of the system calls alone can be considered malicious, only
particular sub-sequences of calls can form the GSR. As per [3], the GSR is described
using the concept of building blocks, where each block performs a part of the chosen
self-replication procedure. This concept is illustrated in Fig. 1. Most of the building