establish some generalized self-replication patterns. An attempt will then be made to segment these patterns and to represent each one as a sequence of higher-order tasks (such as "exploring the environment", "target detection", "code duplication", etc.).
Second, analyses of known malicious codes will be performed, aimed at determining the probabilities of particular self-replication patterns, and of the components of these patterns, in such codes. Assume that $W_{jk}$ is the random event "segment #j of self-replication pattern #k is present in a computer code", and that $E_L$ is the random event "the computer code in question is a malicious code of type #L" (boot viruses, file viruses, macro viruses and viruses in script languages, computer worms, etc.). There will be an interest in estimating the conditional probabilities $P\{W_{jk} \mid E_L\}$ for all j, k, L [3]. These probabilities will be invaluable in establishing virus detection rules; to serve as rules they have to be set against the frequency of the same segments in benign code, otherwise segments that ordinary programs also contain will trigger false positives.
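How the estimates could be obtained from a labelled corpus and turned into a rule is shown below. This Python is an added example, not the paper's own method or data: the type names, the segment sets and their counts are constructed for illustration, and the naive-Bayes combination of the $P\{W_{jk} \mid E_L\}$ terms is one simple way, not the only one, of converting the estimates into a detection rule. A benign class is included so that the rule compares each segment's frequency in malicious code against its frequency in ordinary code.

```python
"""Estimate P{W_jk | E_L} from a labelled corpus and score an unknown sample.

Added example, not part of the original paper. W_jk = "segment #j of
pattern #k is present", E_L = "code is of type #L". The corpus and the
type names below are constructed for illustration.
"""
from collections import defaultdict
from math import exp, log

# Constructed corpus: (type label, set of observed segments (k, j)).
# "benign" is the non-malicious class that keeps the rule from firing on
# segments ordinary programs also contain.
SAMPLES = [
    ("worm",   {(1, 1), (1, 2), (1, 3)}),
    ("worm",   {(1, 1), (1, 2), (1, 3)}),
    ("worm",   {(1, 1), (1, 3)}),
    ("worm",   {(1, 1), (1, 2), (1, 3), (2, 1)}),
    ("macro",  {(2, 1), (2, 2), (1, 3)}),
    ("macro",  {(2, 1), (2, 2)}),
    ("macro",  {(2, 1), (2, 2), (2, 3)}),
    ("benign", {(1, 3)}),
    ("benign", set()),
    ("benign", {(2, 2)}),
    ("benign", set()),
    ("benign", {(1, 3)}),
]


def estimate(samples, alpha=1.0):
    """Return (prior, cond): prior[L] ~ P{E_L}, cond[L][(k, j)] ~ P{W_jk | E_L}.

    Laplace smoothing (alpha) keeps a segment never seen in type L from
    getting probability 0, which would veto that type outright later.
    """
    segments = set().union(*(segs for _, segs in samples))
    n_by_type = defaultdict(int)
    hits = defaultdict(lambda: defaultdict(int))
    for label, segs in samples:
        n_by_type[label] += 1
        for seg in segs:
            hits[label][seg] += 1
    prior = {L: n / len(samples) for L, n in n_by_type.items()}
    cond = {
        L: {seg: (hits[L][seg] + alpha) / (n_by_type[L] + 2 * alpha)
            for seg in segments}
        for L in n_by_type
    }
    return prior, cond


def posterior(observed, prior, cond):
    """P{E_L | observed segments} under a naive-Bayes independence assumption.

    Each segment contributes cond[L][seg] if present and 1 - cond[L][seg]
    if absent; the sum is done in log space to avoid underflow.
    """
    segments = next(iter(cond.values())).keys()
    log_post = {}
    for L in prior:
        lp = log(prior[L])
        for seg in segments:
            p = cond[L][seg]
            lp += log(p) if seg in observed else log(1.0 - p)
        log_post[L] = lp
    m = max(log_post.values())
    weights = {L: exp(lp - m) for L, lp in log_post.items()}
    total = sum(weights.values())
    return {L: w / total for L, w in weights.items()}


def detection_rule(observed, prior, cond, threshold=0.9):
    """Flag the most probable malicious type if its posterior clears the
    threshold; return None when the sample is not flagged."""
    post = posterior(observed, prior, cond)
    best = max(post, key=post.get)
    if best != "benign" and post[best] >= threshold:
        return best
    return None


if __name__ == "__main__":
    prior, cond = estimate(SAMPLES)
    print("P{W_11 | worm} =", round(cond["worm"][(1, 1)], 3))
    print(detection_rule({(1, 1), (1, 2), (1, 3)}, prior, cond))
    print(detection_rule({(1, 3)}, prior, cond))
```

With this corpus the full pattern-1 segment set is flagged as "worm", while segment (1, 3) alone, which also occurs in benign samples, is not flagged: the benign frequencies are what stop a common segment from becoming a rule by itself.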
Third, since the self-replication pattern could be encrypted in a malicious code rather than included explicitly, it is important to define an efficient decryption approach. In this case, several questions need to be researched: Is it possible to perform the decryption before the code is executed? Could this task be performed during code execution but before the self-replication task has been completed? Could a sandbox-type environment be created to facilitate the detection of the self-replication pattern? Some computer viruses are deployed in a partially encoded form and self-decode during execution; could the presence of self-decoding be used as evidence of maliciousness? (Legitimate packers and software protectors self-decode as well, so on its own this is a suggestive rather than a conclusive signal.) Immunology provides examples of very successful detection/recognition approaches [4]; could some of these approaches be explored?
The Bible Code [5] is fascinating in how it presents examples of historical events encrypted in the text of the Old Testament. The strongest argument against the feasibility of the general prediction approach described there is obvious: in order to detect an event encrypted in the biblical text one has to know what to look for. In the present case it is known exactly what to look for: the "gene of self-replication" in one of its few existing mutations.
5 High Level Analysis of Code
In the case of non-encrypted viral code, such as Melissa, detecting the self-replication mechanism is relatively straightforward. In fact, many recent viruses are scripts or macros distributed as e-mail attachments, and the script itself serves as the source code of the virus. One simply needs to follow the execution path of the code to determine the elements that provide for infection, replication and payload delivery. A graph of the code could be developed which would contain the "gene of self-replication".
Within Melissa, some elements of the gene of self-replication are relatively obvious: it is rare for an application to open the user's address book and mail itself to each entry. Distributing the elements of this self-mailing operation throughout the code of the virus can easily cloak such simple detection, and virus writers often do disperse the components required for self-replication across the code. This is, in a way, a primitive form of encryption: it prevents a simple analysis from determining the precise mechanism of one or all of the various cycles of the viral code, because no single procedure contains the whole pattern. A detector that follows the execution path has to re-assemble the components along the call graph rather than look for them in one place.
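The following Python is an added example of the approach sketched in this section; it is not Melissa's code and not the paper's. The VBA-style sample is constructed for illustration, with the four components of a hypothetical self-mailing pattern (create mail client, enumerate address book, attach own document, send) deliberately spread over four procedures. The code parses the procedures, builds a call graph from procedure-name references, finds which pattern segments each procedure contains on its own, and then unions the segments over everything reachable from the entry procedure, so the dispersed pattern is recovered even though no single procedure holds more than two of its parts. The segment names and regular expressions are assumptions made for this example.

```python
"""Re-assemble a dispersed self-mailing pattern along a script's call graph.

Added example, not Melissa's code or the paper's. SAMPLE is a constructed
VBA-style script and the segment names are hypothetical.
"""
import re

SAMPLE = r'''
Sub Document_Open()
    Call Setup
    Call Spread
End Sub

Sub Setup()
    Set App = CreateObject("Outlook.Application")
    Set Ns = App.GetNameSpace("MAPI")
End Sub

Sub Spread()
    For Each Entry In Ns.AddressLists(1).AddressEntries
        Call SendOne(Entry)
    Next
End Sub

Sub SendOne(Who)
    Set Msg = App.CreateItem(0)
    Msg.Recipients.Add Who
    Msg.Attachments.Add ActiveDocument.FullName
    Msg.Send
End Sub

Sub Helper()
    MsgBox "nothing to see here"
End Sub
'''

# Segments W_jk of one hypothetical pattern k = "self-mailing".
SEGMENTS = {
    "mail_client":  re.compile(r'CreateObject\("Outlook\.Application"\)', re.I),
    "address_book": re.compile(r'\.AddressLists\b|\.AddressEntries\b', re.I),
    "attach_self":  re.compile(r'\.Attachments\.Add\b.*\b(ActiveDocument|ThisDocument|WScript\.ScriptFullName)\b', re.I),
    "send":         re.compile(r'\.Send\b', re.I),
}

# One Sub/Function definition: name and body up to the matching End line.
PROC_RE = re.compile(r'^\s*(?:Sub|Function)\s+(\w+)\b(.*?)^\s*End\s+(?:Sub|Function)', re.M | re.S)


def parse_procedures(src):
    """Return {procedure name: body text} for every Sub/Function in src."""
    return {m.group(1): m.group(2) for m in PROC_RE.finditer(src)}


def build_graph(procs):
    """Call graph: name -> set of other procedures referenced in its body."""
    return {
        name: {other for other in procs
               if other != name and re.search(r'\b%s\b' % re.escape(other), body)}
        for name, body in procs.items()
    }


def local_segments(procs):
    """Segments each procedure contains when inspected in isolation."""
    return {name: {seg for seg, rx in SEGMENTS.items() if rx.search(body)}
            for name, body in procs.items()}


def reachable(graph, entry):
    """Procedures reachable from entry along the call graph (DFS)."""
    seen, stack = set(), [entry]
    while stack:
        p = stack.pop()
        if p in seen or p not in graph:
            continue
        seen.add(p)
        stack.extend(graph[p])
    return seen


def assess(src, entry="Document_Open"):
    """Union the segments over the reachable procedures so that a pattern
    dispersed across several procedures is seen as a whole."""
    procs = parse_procedures(src)
    local = local_segments(procs)
    visited = reachable(build_graph(procs), entry)
    assembled = set().union(*(local[p] for p in visited)) if visited else set()
    return {
        "reachable": visited,
        "segments": assembled,
        "complete_pattern": assembled == set(SEGMENTS),
        "max_segments_in_one_procedure": max((len(s) for s in local.values()), default=0),
    }


if __name__ == "__main__":
    print(assess(SAMPLE))
```

On the sample, no procedure contains more than two of the four segments, yet the set assembled along the execution path from `Document_Open` is complete; `Helper`, which is never called, contributes nothing. A real analysis would also have to resolve indirect calls and aliased objects, which this name-reference graph does not attempt.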