Detecting Malicious Codes by the Presence of Their “Gene of Self-replication”
Victor A. Skormin, Douglas H. Summerville, and James S. Moronski
Electrical and Computer Engineering
Watson School, Binghamton University
Binghamton, NY 13902
{vskormin,dsummer,james.moronski}@binghamton.edu
Abstract. A high percentage of information attacks are perpetrated by deploying computer viruses and worms, which result in very costly and destructive “epidemics”. Spread of malicious codes is achieved by the built-in ability to self-replicate through the Internet and computer media. Since most legitimate codes do not self-replicate, and the number of ways to achieve self-replication is limited to the order of fifty, the detection of malicious codes could be reduced to the detection of the “gene of self-replication” in the code in question. This paper presents the analysis of the self-replication mechanism of one of the recent computer viruses and discusses ways to detect the ability of a computer code to self-replicate before execution.
1 Introduction
We are facing a disaster that has been recognized at the highest levels of our government. It already manifests itself, disturbing our lives with increasing frequency. It is two-fold. The first is our ever-increasing dependence on global computer networks of ever-increasing size. The second is that the vulnerability of a global computer network to various forms of information sabotage increases with its size and interconnectivity. Fortunately, this problem is not unique to computer networks. Any biological system, being gigantic in terms of complexity, interconnectivity and number of entry points, is also vulnerable to sabotage by foreign microorganisms that could be visualized as information attacks. Biological systems have developed very effective defense mechanisms capable of detection, identification, and destruction of most foreign entities that could have an adverse effect on the system. These mechanisms are capable of differentiating between “self” and “non-self” at the protein level. Similar defense mechanisms for computer networks would provide the required level of system information assurance [1].
Most information attacks are performed via Internet transmission to a target computer of files or messages that contain the code of a computer virus or worm. Upon receipt, the target computer executes the malicious code, either directly or using an interpreter, resulting in the reproduction of the virus or worm and the delivery of its destructive payload. This self-replication is vital to the spread of most computer viruses and worms, and is quite uncommon for legitimate code. As with any function, self-replication is programmed; the sequence of operations resulting in the self-