Mimimorphism: A new approach to binary code obfuscation

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2010, Pages 536-546

  Wu, Zhenyu ^a   Gianvecchio, Steven ^a   Xie, Mengjun ^a   Wang, Haining ^a  

^a Dept of Economics and Thomas Jefferson Program in Public Policy at the College of William and Mary   (United States)

Author keywords

Binary obfuscation; Mimicry attack

Indexed keywords

BINARY OBFUSCATION; BYTE FREQUENCY DISTRIBUTIONS; CODE OBFUSCATION; CONTROL FLOWS; EXECUTABLES; HIGH-ORDER; MALWARES; MIMIC FUNCTION; MIMICRY ATTACK; NEW APPROACHES; SEMANTIC ANALYSIS; SEMANTIC APPROACH; STATISTICAL ANOMALY DETECTION; STATISTICAL PROPERTIES;

COMPUTER CRIME; SEMANTICS; STATISTICS; SYNTACTICS;

STATIC ANALYSIS;

EID: 78650018640     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1866307.1866368     Document Type: Conference Paper

References (41)

1. H.-A. Kim and B. Karp, "Autograph: Toward automated, distributed worm signature detection," in Proceedings of 13th USENIX Security Symposium, 2004.
2. C. Kreibich and J. Crowcroft, "Honeycomb: creating intrusion detection signatures using honeypots," in Proceedings of 2nd Workshop on Hot Topics in Networks (Hotnets-II), 2003.
3. Z. Li, M. Sanghi, B. Chavez, Y. Chen, and M.-Y. Kao, "Hamsa: Fast signature generation for zero-day polymorphic worms with provable attack resilience," in Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P), 2006.
4. J. Newsome, B. Karp, and D. Song, "Polygraph: Automatically generating signatures for polymorphic worms," in Proceedings of the 2005 IEEE Symposium on Security and Privacy (S&P), 2005.
5. S. Singh, C. Estan, G. Varghese, and S. Savage, "Automated worm fingerprinting," in Proceedings of the 6th ACM/USENIX Symposium on Operating System Design and Implementation (OSDI), 2004.
6. P. Szor, The Art of Computer Virus Research and Defense. Symantec Press, 2005.
7. K. Wang, J. J. Parekh, and S. J. Stolfo, "Anagram: A content anomaly detector resistant to mimicry attack," in Proceedings of the 9th International Symposium on Recent Advanced in Intrusion Detection (RAID), 2006.
8. K. Wang and S. Stolfo, "Anomalous payload-based network intrusion detection," in Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID), 2004.
9. R. Lyda and J. Hamrock, "Using entropy analysis to find encrypted and packed malware," IEEE Security and Privacy, vol. 5, no. 2, pp. 40-45, 2007.
10. C. Kruegel, W. K. Robertson, F. Valeur, and G. Vigna, "Static disassembly of obfuscated binaries," in Proceedings of the 13th USENIX Security Symposium, 2004.
11. C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna, "Polymorphic worm detection using structural information of executables," in Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection (RAID), 2005.
12. Q. Zhang and D. S. Reeves, "MetaAware: Identifying metamorphic malware," in Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC), 2007, pp. 411-420.
13. P. Fogla, M. Sharif, R. Perdisci, O. Kolesnikov, and W. Lee, "Polymorphic blending attacks," in Proceedings of the 15th USENIX Security Symposium, 2006.
14. A. Moser, C. Kruegel, and E. Kirda, "Limits of static analysis for malware detection," in Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC), 2007, pp. 421-430.
15. T. Detristan, T. Ulenspiegel, Y. Malcom, and M. Underduk, "Polymorphic shellcode engine using spectrum analysis," Phrack Issue 0x3d, 2003.
16. S. Macaulay, "Admmutate: Polymorphic shellcode engine," http://www.ktwo.ca/security.html.
17. M. Khafir, "Trident polymorphic engine," http://vx.netlux.org/ lib/vx.php?id=et06.
18. F. Perriot, P. Ferrie, and P. Szor, "Striking similarities: Win32/simile," http://securityresponse.symantec.com/ avcenter/reference/ simile.pdf.
19. Z0mbie, "Automated reverse engineering: Mistfall engine," http://vx.netlux.org/lib/vzo21.html.
20. J. R. Crandall, Z. Su, S. F. Wu, and F. T. Chong, "On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits," in Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS), 2005, pp. 235-248.
21. Y. Tang and S. Chen, "Defending against internet worms: a signature-based approach," in Proceedings of the 24th INFOCOM, 2005.
22. P. Fogla and W. Lee, "Evading network anomaly detection systems: formal reasoning and practical techniques," in Proceedings of the 13th ACM conference on Computer and communications security (CCS), 2006, pp. 59-68.
23. R. Perdisci, G. Gu, and W. Lee, "Using an ensemble of one-class svm classifiers to harden payload-based anomaly detection systems," in Proceedings of the Sixth International Conference on Data Mining, 2006, pp. 488-498.
24. R. Perdisci, D. Dagon, W. Lee, P. Fogla, and M. Sharif, "Misleading worm signature generators using deliberate noise injection," in Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P), 2006.
25. J. Newsome, B. Karp, and D. X. Song, "Paragraph: Thwarting signature learning by training maliciously." in Proceedings of the 9th International Symposium on Recent Advanced in Intrusion Detection (RAID), 2006.
26. M. V. Gundy, D. Balzarotti, and G. Vigna, "Catch me, if you can: Evading network signatures with web-based polymorphic worms," in Proceedings of 1st USENIX Workshop on Offensive Technologies, 2007.
27. S. Venkataraman, A. Blum, and D. Song, "Limits of learning-based signature generation with adversaries," in Proceedings of the 15th Annual Network and Distributed Systems Security Symposium (NDSS), 2008.
28. M. Christodorescu, S. Jha, S. A. Seshia, D. Song, and R. E. Bryant, "Semantics-aware malware detection," in Proceedings of the 2005 IEEE Symposium on Security and Privacy (S&P), 2005.
29. J. Kinder, S. Katzenbeisser, C. Schallhart, and H. Veith, "Detecting malicious code by model checking," in Proceedings of the 2nd International Conference Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), 2005, pp. 174-187.
30. V. Yegneswaran, J. T. Giffin, P. Barford, and S. Jha, "An architecture for generating semantics-aware signatures," in Proceedings of the 14th USENIX Security Symposium, 2005.
31. B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. P. Vadhan, and K. Yang, "On the (im)possibility of obfuscating programs," in Proceedings of the 21st Annual International Cryptology Conference (CRYPTO), 2001.
32. D. Wagner and P. Soto, "Mimicry attacks on host-based intrusion detection systems," in Proceedings of the 9th ACM conference on Computer and communications security (CCS), 2002, pp. 255-264.
33. K. M. C. Tan, K. S. Killourhy, and R. A. Maxion, "Undermining an anomaly-based intrusion detection system using common exploits," in Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID), 2002.
34. J. Giffin, S. Jha, and B. Miller, "Automated discovery of mimicry attacks," in Proceedings of the 9th International Symposium on Recent Advances in Intrusion Detection (RAID), 2006.
35. C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna, "Automating mimicry attacks using static binary analysis," in Proceedings of the 14th USENIX Security Symposium, 2005.
36. C. Parampalli, R. Sekar, and R. Johnson, "A practical mimicry attack against powerful system-call monitors," in Proceedings of the 2007 ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2007.
37. P. Wayner, "Mimic functions," Cryptologia, vol. 16, no. 3, pp. 193-214, 1992.
38. M. Matsumoto and T. Nishimura, "Mersenne twister: a 623-dimensionally equidistributed uniform pseudo-random number generator," ACM Transactions on Modeling and Computer Simulation (TOMACS), vol. 8, no. 1, pp. 3-30, 1998.
39. T. E. Dube, B. D. Birrer, R. A. Raines, R. O. Baldwin, B. E. Mullins, R. W. Bennington, and C. E. Reuter, "Hindering reverse engineering: Thinking outside the box," IEEE Security and Privac, vol. 6, no. 2, pp. 58-65, 2008.
40. S. Debray, "Code compression," in Proceedings of the 7th International Symposium on Practical Aspects of Declarative Languages, 2005.
41. S. Debray and W. Evans, "Profile-guided code compression," in Proc. SIGPLAN '02 Conference on Programming Language Design and Implementation (PLDI), 2002.