Data loss, production downtime, economic damage and annoyed users are only some of the consequences caused daily by viruses, worms and trojans. Over the
last few years the amount of malicious software has grown steadily, and companies and private users register attacks from the internet ever more
frequently. Only a fraction of these incidents is reported, however, so the actual number is far higher than the registered figures suggest.
About two decades ago the first virus was seen in the wild. Today we face a variety of new kinds of malicious software, such as worms, trojans,
backdoors and rootkits. Most of them differ in their replication and infection mechanisms, but they all pursue the same goals: a large number of
infections, great damage or financial gain. These malicious creations keep getting trickier and more dangerous, and to escape detection their authors
implement ever more obfuscation mechanisms.
Anti-virus developers must therefore adopt new detection mechanisms to keep up in the fight against virus authors. Static analysis with virus signatures
has become the standard in fighting malicious code: the scanner searches the binary for a unique sequence of bytes that acts as the fingerprint of the
dangerous software. With this method, however, it is impossible to detect malware for which no signature exists yet, and even a trivial change to the
fingerprinted bytes is enough to break the match.
The increasing use of obfuscation mechanisms such as encoding or metamorphic code therefore also calls for semantic analysis methods. Here the scanner
does not search for a unique sequence of bytes but observes the behavior of the suspected malware. Heuristic analysis in particular has established
itself as a generic detection method alongside the integrity checker and the behavior blocker. It makes up for the deficiencies of static analysis and
identifies unknown malware on the basis of its behavior.
Obfuscation mechanisms themselves also exhibit, depending on their implementation, stronger or weaker behavioral patterns. This thesis therefore
examines how far suitable features can be extracted from current obfuscation mechanisms and used for heuristic detection. The behavior-analytical
nature of the heuristic in particular makes it a suitable candidate for this.
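The following Python script is an added illustration of the two points made above about signature scanning and encoding; it is not code from the thesis. It scans a constructed byte blob (not real malware) for a byte signature with wildcard positions, shows that a single-byte XOR encoder makes the same signature blind, and then recovers the hit by brute-forcing the key (the classic "X-raying" trick, added here as an illustration of how far purely static countermeasures reach). The payload, the signature and the key 0x5A are assumptions made for this example.

```python
"""Byte-signature scanning versus a trivial encoder (constructed example)."""
import re
from typing import Optional, Tuple

# Constructed stand-in for an infected file: a few opcode-like bytes, a string,
# padding and a distinctive marker that a signature would target. Not malware.
SAMPLE = (
    b"\x55\x8b\xec\x83\xec\x40"                    # constructed prologue-like bytes
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 16
    + b"\xe8\x00\x00\x00\x00\x5d"                   # constructed call/pop sequence
    + b"DEMO-MARKER-2006"
    + b"\xc9\xc3"
)

# Signature in the usual "hex bytes with ?? wildcards" notation. The four ??
# positions absorb the call displacement, which differs between samples.
SIGNATURE = "e8 ?? ?? ?? ?? 5d 44 45 4d 4f 2d 4d 41 52 4b 45 52"


def compile_signature(sig_hex: str) -> re.Pattern:
    """Turn 'e8 ?? 5d' into a bytes regex where '??' matches any one byte."""
    pieces = []
    for tok in sig_hex.split():
        if tok == "??":
            pieces.append(b".")
        else:
            pieces.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so the wildcard also matches a 0x0a byte.
    return re.compile(b"".join(pieces), re.DOTALL)


def scan(data: bytes, sig_hex: str) -> int:
    """Static signature scan: offset of the first hit, or -1 if none."""
    m = compile_signature(sig_hex).search(data)
    return m.start() if m else -1


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest encoder a virus body might be wrapped in.
    Applying it twice with the same key restores the original."""
    return bytes(b ^ key for b in data)


def xray_scan(data: bytes, sig_hex: str) -> Optional[Tuple[int, int]]:
    """Brute-force all 256 single-byte XOR keys and rescan ("X-raying").

    Returns (key, offset) of the first hit, or None. Key 0 is the plain scan.
    This costs 256 passes per file and only works against this trivial
    encoder; a longer or per-infection key, or a polymorphic decoder loop,
    defeats it, which is why behavior-based heuristics are needed.
    """
    pattern = compile_signature(sig_hex)
    for key in range(256):
        m = pattern.search(xor_encode(data, key))
        if m:
            return key, m.start()
    return None


if __name__ == "__main__":
    encoded = xor_encode(SAMPLE, 0x5A)          # assumed encoder key
    print("plain scan   :", scan(SAMPLE, SIGNATURE))
    print("encoded scan :", scan(encoded, SIGNATURE))      # -1: signature is blind
    print("x-ray scan   :", xray_scan(encoded, SIGNATURE))  # key and offset recovered
```

The wildcard signature already tolerates the varying displacement bytes, yet a one-byte XOR over the whole body hides every fingerprinted byte at once. X-raying wins that particular round only because the key space is 256; the moment the encoder changes its key length or the decoder stub itself mutates, the static approach is back where it started, which is the gap the heuristic, behavior-based detection discussed above is meant to close.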
Master's thesis, University of Applied Science Hagenberg (May 2006)