Defeating Polymorphism: Beyond Emulation White Paper

Naviga SWZ: Home Page » News
News del 03 Dicembre 05 Autore: RostoR
The most used method of detecting malware relies on signatures extracted from the malware body. Attempting to defeat this method and evade detection, malware writers have resorted to code obfuscation techniques, thus creating polymorphic viruses. There are several well-known methods of decrypting polymorphic viruses, such as emulation, cryptanalysis (X-Ray) and dedicated decryption routines. Each of these methods has some limitations: X-Ray can only handle simple decryptions; dedicated routines require significant development effort and neither scales well with the number of detected viruses. Emulation doesn't have these weaknesses but emulating code is significantly slower than executing it on a real CPU. Therefore a very complex polymorphic virus would take unreasonably long to emulate until it is decrypted. This white paper proposes a new method of dealing with polymorphic malware. The method relies on dynamically disassembling the analysed code and performing just-in-time compilation targeted for the host CPU. The code obtained as a result can be safely executed on the host CPU, with little degradation in execution speed, compared to the original code. This provides the same flexibility as emulation, but performance, in terms of speed, is dramatically improved. Additionally, the method could be used for other purposes, such as generic unpacking of packed executables, and behaviour-based analysis of complex code. This white paper was originally presented at the 2005 Virus Bulletin Conference in Dublin, Ireland, on October Supported Operating Systems: Windows 2000; Windows Server 2003; Windows XP12 Dicembre 2005
Inserisci un commento sul forum Commenta la News sul Forum


Categoria: Windows

Licenza: Freeware

Dimensioni: 460 Kb

La Community di

La community con le risposte che cerchi ! Partecipa é gratis !
Iscrizione ForumIscriviti al Forum


Vuoi ricevere tutti gli aggiornamenti di SWZone direttamente via mail ?
Iscrizione NewsletterIscriviti alla Newsletter