Identification of file infecting viruses through detection of self-reference replication

This paper presents an approach to detecting known and unknown file infecting viruses based on their attempt to replicate. The approach does not require any prior knowledge about previously discovered viruses. Detection is accomplished at runtime by monitoring currently executing processes that attempt to replicate. Replication is the fundamental characteristic of a virus and is consistently present in all viruses, which makes this approach applicable to viruses belonging to many classes and executing under several conditions. An implementation prototype of our detection approach, called SRRAT, is created and tested on the Microsoft Windows operating systems, focusing on the tracking of user-mode Win32 API system calls and kernel-mode system services.
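The abstract describes runtime detection of a process that reads its own executable image and then writes an executable elsewhere, i.e. self-reference replication observed through API-call monitoring. The following is an added illustration, not code from the paper or the SRRAT prototype: a simplified detector run over a constructed trace of Win32 file-API events. The event fields, the `ApiEvent` record, and the sample trace are assumptions made for this example; the API names (`CreateFile`, `ReadFile`, `WriteFile`, `CreateFileMapping`) are real Win32 calls used only as labels.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical event record: what a user-mode API hook or kernel-mode
# system-service monitor might emit for one file operation.
@dataclass(frozen=True)
class ApiEvent:
    pid: int       # process that issued the call
    image: str     # path of the executable backing that process
    api: str       # Win32 API or native service name (label only)
    path: str      # file the call operated on
    access: str    # "read" (includes mapping the file) or "write"

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com")

def norm(path: str) -> str:
    """Normalise Windows paths so case and separator differences don't hide a self-read."""
    return path.replace("/", "\\").lower()

def is_executable(path: str) -> bool:
    return norm(path).endswith(EXECUTABLE_SUFFIXES)

def detect_self_reference_replication(events):
    """Return (pid, target_path) for every process that first reads (or maps) its own
    image file and later writes into a *different* executable file.

    Reading one's own image alone is benign (self-checking updaters do it);
    writing an executable alone is benign (compilers, copy tools do it). Only the
    ordered combination in one process is treated as a replication attempt."""
    read_own_image = set()
    alerts = []
    for ev in events:
        if ev.access == "read" and norm(ev.path) == norm(ev.image):
            read_own_image.add(ev.pid)
        elif (ev.access == "write"
              and ev.pid in read_own_image
              and is_executable(ev.path)
              and norm(ev.path) != norm(ev.image)):
            alerts.append((ev.pid, ev.path))
    return alerts

def alerts_by_process(events):
    """Group alert targets per process for reporting."""
    grouped = defaultdict(list)
    for pid, target in detect_self_reference_replication(events):
        grouped[pid].append(target)
    return dict(grouped)

# Constructed sample trace (not captured from any real system).
SAMPLE_TRACE = [
    # pid 100: reads its own image, then writes another .exe -> replication pattern
    ApiEvent(100, r"C:\Users\alice\Downloads\invoice.exe", "CreateFile",
             r"c:\users\alice\downloads\INVOICE.EXE", "read"),
    ApiEvent(100, r"C:\Users\alice\Downloads\invoice.exe", "ReadFile",
             r"c:\users\alice\downloads\INVOICE.EXE", "read"),
    ApiEvent(100, r"C:\Users\alice\Downloads\invoice.exe", "WriteFile",
             r"C:\Program Files\app\tool.exe", "write"),
    # pid 200: a compiler writes an executable but never reads its own image -> benign
    ApiEvent(200, r"C:\tools\cl.exe", "WriteFile", r"C:\build\out.exe", "write"),
    # pid 300: a copy tool reads a foreign file and writes it elsewhere -> benign
    ApiEvent(300, r"C:\Windows\System32\xcopy.exe", "ReadFile", r"C:\data\report.exe", "read"),
    ApiEvent(300, r"C:\Windows\System32\xcopy.exe", "WriteFile", r"D:\backup\report.exe", "write"),
    # pid 400: a self-checking updater maps its own image but only writes a log -> benign
    ApiEvent(400, r"C:\apps\updater.exe", "CreateFileMapping", r"C:\apps\updater.exe", "read"),
    ApiEvent(400, r"C:\apps\updater.exe", "WriteFile", r"C:\apps\update.log", "write"),
]

if __name__ == "__main__":
    for pid, targets in alerts_by_process(SAMPLE_TRACE).items():
        print(f"pid {pid}: self-reference replication into {targets}")
```

The check deliberately keys on the ordered pair (own-image read, then foreign-executable write) within a single process, so neither half alone raises an alert; a production monitor would additionally have to consider a process that copies itself through an intermediary (for example writing to a temporary name that is later renamed), which this simplified version does not track.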
