Opcodes as predictor for malware

International Journal of Electronic Security and Digital Forensics

Volumn 1, Issue 2, 2007, Pages 156-168

  Bilar, Daniel ^a  

^a WELLESLEY COLLEGE   (United States)

Author keywords

executable; frequency; malware; predictor; statistical analysis; structural fingerprint; x86 opcodes

Indexed keywords

EID: 60649088031     PISSN: 1751911X     EISSN: 17519128     Source Type: Journal    
DOI: 10.1504/IJESDF.2007.016865     Document Type: Article

References (42)

1. AccessData Inc. (2005) Forensic Toolkit, Lindon, UT.
2. Bayer, U., Kruegel, C. and Kirda, E. (2006) ‘TTAnalyze: a tool for analyzing malware’, Proceedings of the 15th Annual Conference of the European Institute for Computer Antivirus Research (EICAR), Hamburg, Germany, April.
3. Bilar, D. (2007) ‘Callgraph properties of executables’, AI Communications: Special Issue on Network Analysis in Natural Sciences and Engineering, Amsterdam, NL.
4. Chinchani, R. and Berg, E.V.D. (2005) ‘A fast static analysis approach to detect exploit code inside network flows’, Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID), Seattle, WA, September.
5. Christodorescu, M. and Jha, S. (2003) ‘Static analysis of executables to detect malicious patterns’, Proceedings of the 12th USENIX Security Symposium, Washington, DC, August, pp.169–186.
6. Clementi, A. (2007) Anti-Virus Comparative No. 13, Innsbruck, Germany, February, p.7.
7. Commtouch Inc. (2007) Malware Report: Server-side Polymorphic Viruses Surge Past AV Defenses, Netanya, Israel.
8. Computer Economics Inc. (2007) 2007 Malware Report: The Economic Impact of Viruses, Spyware, Adware, Botnets, and Other Malicious Code, Irvine, CA.
9. Connor-Linton, J. (2003) Chi Square Tutorial, Georgetown University, Washington, DC, March.
10. DataRescue sa/nv (2005) IDA – The Interactive Disassembler, Liege, Belgium, v5.0.0.879.
11. Elcomsoft Co. Ltd. (2004) Advance Disk Catalog, Moscow, Russia, v.1.51, October.
12. Emm, D. (2007) ‘AV is alive and well’, Virus Bulletin, Abingdon, UK, September, p.2.
13. Everitt, B.S. (1992) The Analysis of Contingency Tables, 2nd edition, New York: Chapman & Hall, February.
14. Filiol, E. (2007) ‘Formalization and implementation aspects of K-ary (malicious) codes’, Journal in Computer Virology, Vol. 3, No. 2, Paris, France.
15. Filiol, E., Helenius, M. and Zanero, S. (2006) ‘Open problems in computer virology’, Journal in Computer Virology, Vol. 1, Nos. 3/4, Paris, France, pp.55–66.
16. Flake, H. (2005) ‘Compare, port, navigate’, Black Hat Europe 2005 Briefings and Training, Amsterdam, Holland, March.
17. Goldin, D. and Wegner, P. (2005) ‘The church-turing thesis: breaking the myth’, Lecture Notes in Computer Science, Vol. 3526, Berlin, Germany, pp.152–168.
18. Guidance Software (2006) Encase Forensics LE, Vol. 5, Pasadena, CA, February.
19. Haberman, S. (1973) ‘The analysis of residuals in cross-classified tables’, Biometrics, Vol. 29, No. 1, pp.205–220.
20. Imbernon, R. (2006) Index your Files – Revolution!, Malaga, Spain, v. 2.6, June.
21. Jibz, Qwerton, snaker, xineohP (2006) PeID, v0.94, May.
22. Kim, S., Tsui, K. and Borodovsky, M. (2006) ‘Multiple hypothesis testing in large-scale contingency tables: inferring pair-wise amino acid patterns in b-sheets’, Journal of Bioinformatics Research and Applications, Vol. 2, No. 2, pp.193–217.
23. Kraus, J. (1980) Selbstreproduktion bei Programmen, Universität Dortmund Fachschaft Informatik, Diplomarbeit (unpublished), Dortmund, Germany, February, pp.72–94.
24. Kruegel, C., Kirda, E., Mutz, D., Robertson, W. and Vigna, G. (2005) ‘Polymorphic worm detection using structural information of executables’, Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID), Seattle, WA, September.
25. Li, W., Wang, K., Stolfo, S. and Herzog, B. (2005) ‘Fileprints: identifying file types by n-gram analysis’, Proceedings of the 2005 IEEE Workshop on Information Assurance, USMA West Point, NY, June.
26. Limpert, E., Stahel, W. and Abbt, M. (2001) ‘Log-normal distributions across the sciences: keys and clues’, BioScience, Vol. 51, No. 5, pp.341–352.
27. Mathworks Inc. and US National Institute of Standards (2005) JAMA: A Java Matrix Package, v. 1.0.2, Natick, MA and Gaithersburg, MD, July.
28. Mitzenmacher, M. (2003) ‘Dynamic models for file sizes and double pareto distributions’, Internet Math, Vol. 1, No. 3, pp.305–333.
29. Polychronakis, M., Anagnostakis, K. and Markatos, E.P. (2006) ‘Network-level polymorphic shellcode detection using emulation’, Proceedings of the Third Conference on Detection of Intrusions and Malware and Vulnerability Assessment, Berlin, Germany, July.
30. Porst, S. (2005) InstructionCounter (IDA plugin), Trier, Germany, November.
31. Ries, C. (2005) ‘Automated identification of malicious code variants’, BA CS Honors Thesis (unpublished), Colby College, ME, May.
32. Rozinov, K. (2005) ‘Efficient static analysis of executables for detecting malicious behaviour’, MSc Thesis (unpublished), Polytechnic University, NY, May.
33. Spinellis, D. (2003) ‘Reliable identification of bounded-length viruses is NP complete’, IEEE Transactions on Information Theory, Vol. 49, No. 1, pp.280–284.
34. Szor, P. (2005) The Art of Computer Virus Research and Defense, Upper Saddle River, NJ: Addison-Wesley Professional, February.
35. Szor, P. and Ferrie, P. (2001) ‘Hunting for metamorphic’, Proceedings of the 11th Virus Bulletin Conference, Prague, Czech Republic, September, pp.123–144.
36. Turing, A. (1936) ‘On computable numbers with an application to the Entscheidungsproblem’, Proceedings of the London Math Society, Vol. 42, No. 2, pp.230–265.
37. VMWare Inc. (2005) VMWare Player, v 1.01, Palo Alto, CA, December.
38. Weber, M., Schmid, M., Schatz, M. and Geyer, D. (2002) ‘PEAT- a toolkit for detecting and analyzing malicious software’, Proceedings of the 18th Annual Computer Security Applications Conference, Washington, DC, December.
39. Wikipedia (2006) X86_instruction_listings, Accessed on 6 June 2006.
40. Woo, C. (2005) ‘Cramer’s V’, PlanetMath.org, San Francisco, CA, April.
41. Yamauchi, H., Kanzaki, Y., Monden, A., Nakamura, M. and Matsumoto, K. (2006) ‘Software obfuscation from crackers’ viewpoint’, Proceedings of the 2nd IASTED International Conference on Advances in Computer Science and Technology, Puerto Vallarta, Mexico, January, pp.286–291.
42. Zakon, R. (2006) Hobbes’ Internet Time Line, v.8.2, North Conway, NH, November.