Static Analysis of Executables to Detect Malicious Patterns.pdfVIP

Published on 10 February 2003 as Technical Report # 1467 at the Com- puter Sciences Department of the University of Wisconsin, M adison, US. Static Analysis of Executables to Detect Malicious Patterns Mihai Christodorescu and Somesh Jha fmihai,jhag@ 10 February 2003 Abstract Malicious code detection is a crucial component of any defense mechanism. In this paper, we present a unique viewpoint on malicious code detection. We regard malicious code detection as an obfuscation-deobfuscation game between malicious code writers and researchers working on m alicious code detection. Malicious code writers attempt to obfuscate the malicious code to subvert the malicious code detectors, such as anti-virus software. We tested the resilience of three commercial virus scanners against code obfuscation attacks. The results were surprising: the three commercial virus scanners could be subverted by very simple obfuscation transformations! We present an architecture for detecting malicious patterns in executables that is resilient to common obfuscation transformations. Experimental results demonstrate the efficacy of our prototype tool, SAFE (a static analyzer for executables). 1 Introduction In the interconnected world of computers, malicious code has become an omnipresent and dangerous threat. Malicious code can infiltrate hosts using a variety of methods such as attacks against known software flaws, hidden functionality in regular programs, and social engineering. Given the devastating effect malicious code has on our cyber infrastruc- ture, identifying malicious programs is an important goal. Detecting the presence of malicious