Imposing Order on Program Statements to Assist Anti-Virus Scanners

Delft, The Netherlands November 08-November 12

DOI Bookmark:

http://doi.ieeecomputersociety.org/10.1109/WCRE.2004.24

11th Working Conference on Reverse En ...

	This Article
	PURCHASE ARTICLE: $19 PDF HTML IEEE Xplore Subscribers
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/Endnote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Arun Lakhotia Articles by Moinuddin Mohammed

	ASCII Text	x
	Arun Lakhotia, Moinuddin Mohammed, "Imposing Order on Program Statements to Assist Anti-Virus Scanners," Reverse Engineering, Working Conference on, pp. 161-170, 11th Working Conference on Reverse Engineering (WCRE 2004), 2004.

	BibTex	x
	@article{ 10.1109/WCRE.2004.24, author = {Arun Lakhotia and Moinuddin Mohammed}, title = {Imposing Order on Program Statements to Assist Anti-Virus Scanners}, journal ={Reverse Engineering, Working Conference on}, volume = {0}, year = {2004}, issn = {1095-1350}, pages = {161-170}, doi = {http://doi.ieeecomputersociety.org/10.1109/WCRE.2004.24}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Reverse Engineering, Working Conference on TI - Imposing Order on Program Statements to Assist Anti-Virus Scanners SN - 1095-1350 SP161 EP170 A1 - Arun Lakhotia, A1 - Moinuddin Mohammed, PY - 2004 KW - null VL - 0 JA - Reverse Engineering, Working Conference on ER -

Arun Lakhotia, University of Louisiana at Lafayette

Moinuddin Mohammed, University of Louisiana at Lafayette

A metamorphic virus applies semantics preserving transformations on itself to create a different variant before propagation. Metamorphic computer viruses thwart current anti-virus technologies that use signatures — a fixed sequence of bytes from a sample of a virus — since two variants of a metamorphic virus may not share the same signature. A method to impose an order on the statements and components of expressions of a program is presented. The method, called a "zeroing transformation," reduces the number of possible variants of a program created by reordering statement, reshaping expression, and renaming variable. On a collection of C program used for evaluation, the zeroing transformation reduced the space of program variants due to statement reordering from 10^183 to 10^20. Further reduction can be expected by undoing other transformations. Anti-virus technologies may be improved by extracting signatures from zero form of a virus, and not the original version.

Citation:

Arun Lakhotia, Moinuddin Mohammed, "Imposing Order on Program Statements to Assist Anti-Virus Scanners," wcre, pp.161-170, 11th Working Conference on Reverse Engineering (WCRE 2004), 2004

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.