Cobra: Fine-grained malware analysis using stealth localized-executions

Proceedings - IEEE Symposium on Security and Privacy

Volumn 2006, Issue , 2006, Pages 15-29

  Vasudevan, Amit ^a   Yerraballi, Ramesh ^a  

^a University of Texas at Arlington   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

CRYPTOGRAPHY; DATA FLOW ANALYSIS; INFORMATION ANALYSIS; USER INTERFACES;

MALWARE ANALYSIS; REAL WORLD MALWARE;

CODES (SYMBOLS);

EID: 33751025643     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2006.9     Document Type: Conference Paper

References (56)

1. K. Ashcraft and D. Engler. Using programmer-written compiler extensions to catch security holes. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, pages 143-159, May 2002.
2. F. Bellard. Qemu, a fast and portable dynamic translator. In USENIX 2005 Annual Technical Conference, FREENIX Track, pages 41-46, 2005.
3. J. Bergeron, M. Debbabi, J. Desharnais, M. Erhioui, Y. Lavoie, and N. Tawbi. Static detection of malicious code in executable programs. Symposium on Requirements Engineering for Information Security (SREIS'01), March 2001.
4. J. Bergeron, M. Debbabi, J. Desharnais, B. Ktari, M. Salios, N. Tawbi, R. Charpentier, and M. Patry. Detection of malicious code in cots software: A short survey. First International Software Assurance Certification Conference (ISACC'99), March 1999.
5. J. Bergeron, M. Debbabi, M. Erhioui, and B. Ktari. Static analysis of binary code to isolate malicious behaviors. In Proceedings of the IEEE 4th International Workshop on Enterprise Security (WETICE'99), June 1999.
6. M. Bishop and M. Dilger. Checking for race conditions in file accesses. Computing Systems, 9(2), 1996.
7. V. Bontchev. Methodology of computer anti-virus research. Ph.D. Thesis, Faculty of Informatics, University of Hamburg, 1998.
8. D. Bruening. Efficient, transparent, and comprehensive runtime code manipulation. Ph.D. Thesis. Massachusetts Institute of Technology., 2004.
9. H. Chen and D. Wagner. Mops: an infrastructure for examining security properties of software. In Proceedings of the 9th ACM Conference on Computer and Communications Security, pages 235-244, November 2002.
10. B. Chess. Improving computer security using extending static checking. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, pages 160-173, May 2002.
11. D. Chess and S. White. An undetectable computer virus. Virus Bulletin Conference, 2000.
12. M. Christodorescu and S. Jha. Static analysis of executables to detect malicious patterns. In Proceedings of the 12th USENIX Security Symposium (Security03), pages 169-186, Aug 2003.
13. M. Christodorescu and S. Jha. Testing malware detectors. In Proceedings of the ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA04), pages 34-44, July 2004.
14. M. Christodorescu, S. Jha, S. Seshia, D. Song, and R. Bryant. Semantic aware malware detection. In Proceedings of the 2005 IEEE Symposium on Security and Privacy, May 2005.
15. M. Ciubotariu. Netsky: a conflict starter? Virus Bulletin, pages 4-8, May 2004.
16. F. Cohen. Computer viruses: Theory and experiments. Computers and Security, 6:22-35, 1987.
17. F. Cohen. Operating system protection through program evolution. February 1998. Available online at URL http://all.net/books/IP/evolve.html. Last Accessed: 01 November 2005.
18. C. Collberg and C. Thomborson. Watermarking, tamperproofing, and obfuscation - tools for software protection. IEEE Transactions on Software Engineering, 28(8):735-746, August 2002.
19. C. Collberg, C. Thomborson, and D. Low. A taxonomy of obfuscating transformations. Technical Report 148, Department of Computer Science, University of Auckland, July 1997.
20. Compuware Corporation. Debugging blue screens. Technical Paper, September 1999.
21. M. Debbabi, M. Girard, L. Poulin, M. Salois, and N. Tawbi. Dynamic monitoring of malicious activity in software systems. Symposium on Requirements Engineering for Information Security (SREIS'01), March 2001.
22. J. Giffin, S. Jha, and B. Miller. Detecting manipulated remote call streams. In Proceedings of 11th USENIX Security Symposium (Security '02), 2002.
23. I. Goldberg, D. Wagner, R. Thomas, and E. Brewer. A secure environment for untrusted helper applications. In Proceedings of the 6th USENIX Security Symposium, July 1996.
24. J. Gordon. Lessons from virus developers: The beagle worm history through april 24, 2004. Security Focus, May 2004. Available online at URL http://downloads.securityfocus.com/library/BeagleLessons.pdf. Last accessed 01 November 2005.
25. Intel Corp. Ia-32 intel architecture software developers manual, vols 1-3. Intel Developers Guide, 2003.
26. T. Jensen, D. Metayer, and T. Thorn. Verification of control flow based security properties. In Proceedings of the 1999 IEEE Symposium on Security and Privacy, May 1999.
27. C. Kruegel, W. Robertson, F. Valeur, and G. Vigna. Static disassembly of obfuscated binaries. In Proceedings of the 13th USENIX Security Symposium (Security'04), August 2004.
28. C. Kruegel, W. Robertson, and G. Vigna. Detecting kernel-level rootkits through binary analysis. In Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC04), 2004.
29. X. Lai and J. Massey. A proposal for a new block encryption standard. In Proceedings of the workshop on the theory and application of cryptographic techniques on Advances in cryptology, pages 389-404, 1991.
30. K. Lawton. Bochs: The open source ia-32 emulation project. Available Online at URL http://bochs.sourceforge.net, Last Accessed: 04 November, 2005.
31. C. Linn and S. Debray. Obfuscation of executable code to improve resistance to static disassembly. In Proceedings of the 10th ACM Conference on Computer and Communications Security, October 2003.
32. R. Lo, K. Levitt, and R. Olsson. Mcf: A malicious code filter. Computers and Society, 14(6):541-566, 1995.
33. M. Loukides and A. Oram. Getting to know gdb. Linux Journal, 1996.
34. C. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwoo. Pin: Building customized program analysis tools with dynamic instrumentation. In ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 190-200, 2005.
35. LURHQ. Sobig.e - evolution of the worm. Technical Report. LURHQ, 2003. Available online at URL http://www.lurhq.com/sobig-e.html. Last accessed 01 November 2005.
36. J. Maebe, M. Ronsse, and K. De Bosschere. Diota: Dynamic instrumentation, optimization and transformation of applications. Compendium of Workshops and Tutorials held in conjunction with PACT02', 2002.
37. McAfee. W32/hiv. Virus Information Library, October 2000. Available online at URL http://vil-origin.nai.com/vil/. Last accessed 28 Oct. 2005.
38. McAfee. W32/mydoom@mm. Virus Information Library, 2004. Available online at URL http://vil-origin.nai.com/vil/. Last accessed 28 Oct. 2005.
39. G. McGraw and G. Morrisett. Attacking malicious code: Report to the infosec research council. IEEE Software, 17(5):33-41, October 2000.
40. N. Nethercote and J. Seward. Valgrind: A program supervision framework. 3rd Workshop on Runtime Verification, 2003.
41. T. Ogiso, Y. Sakabe, M. Soshi, and A. Miyaji. Software obfuscation on a theoretical basis and its implementation. IEICE Transactions on Fundamentals, E86-A(1), 2003.
42. V. Paxon. Bro: A system for detecting network intruders in real-time. In Proceedings of the 7th USENIX Security Symposium, January 1998.
43. J. Robbins. Debugging windows based applications using windbg. Miscrosoft Systems Journal, 1999.
44. K. Scott, N. Kumar, S. Velusamy, B. Childers, J. Davidson, and M. Soffa. Reconfigurable and retargetable software dynamic translation. In 1st Conference on Code Generation and Optimization, pages 36-47, 2003.
45. P. Singh and A. Lakhotia. Analysis and detection of computer viruses and worms: An annotated bibliography. ACM SIGPLAN Notices, 37(2):29-35, February 2002.
46. L. Spitzner. Honeypots: Tracking hackers. Addison-Wesley, 2003. ISBN: 0-321-10895-7.
47. Symantec. Understanding and managing polymorphic viruses. Available online at URL http://www.symantec.com/avcenter/whitepapers.html. Last Accessed: 28 October 2005.
48. P. Szor. The art of computer virus research and defense. Addison Wesley in collaboration with Symantec Press, 2005.
49. TrendMicro. Bkdr.surila.g (w32/ratos). Virus Encyclopedia, August 2004. Available online at URL http://www.trendmicro.com/vinfo/virusencyclo/. Last accessed 28 Oct. 2005.
50. A. Vasudevan and R. Yerraballi. Stealth breakpoints. 21st Annual Computer Security and Applications Conference (ACSAC'05), pages 381-392, December 2005.
51. A. Vasudevan and R. Yerraballi. Spike: Engineering malware analysis tools using unobtrusive binary-instrumentation. 29th Australasian Conference in Computer Science (ACSC'06), pages 311-320, January 2006.
52. VMWare Inc. Accelerate software development, testing and deployment with the vmware virtualization platform. Technical Report, VMWare Technology Network, June 2005.
53. C. Wang, J. Davidson, J. Hill, and J. Knight. Protection of software-based survivability mechanisms. In Proceedings of International Conference of Dependable Systems and Networks, 2001.
54. D. Wheeler and R. Needham. Tea, a tiny encryption algorithm. In Proceedings of the 2nd International Workshop on Fast Software Encryption, pages 97-110, 1995.
55. G. Wroblewski. General method of program code obfuscation. In Proceedings of the International Conference on Software Engineering Research and Practice (SERP), June 2002.
56. T. Yetiser. Polymorphic viruses, implementation, detection and protection. VDS Advanced Research Group, P.O. Box 9393, Baltimore, MD 21228, USA. Available online at URL http://vx.netlux.org/lib/ayt01.html. Last accessed 28 Oct. 2005.