Static analysis of executables to detect malicious patterns

Mihai Christodorescu and Somesh Jha.

In 12th USENIX Security Symposium.

Washington, DC, August 2003.

Malicious code detection is a crucial component of any defense mechanism. In this paper, we present a unique viewpoint of malicious code detection. We regard malicious code detection as an obfuscation-deobfuscation game between malicious code writers and researchers working on malicious code detection. Malicious code writers attempt to obfuscate the malicious code to subvert the malicious code detectors, such as anti-virus software. We tested the resilience of three commercial virus scanners against code obfuscation attacks. The results were surprising: the three commercial virus scanners could be subverted by very simple obfuscation transformations! We present an architecture for detecting malicious patterns in executables that is resilient to common obfuscation transformations. Experimental results demonstrate the efficacy of our prototype tool, SAFE (a static analyzer for executables).

Paper: [pdf] [ps] [html]
Slides: [ppt] [pdf]

An earlier version of this paper appeared as a technical report:

Static analysis of executables to detect malicious patterns.

Mihai Christodorescu and Somesh Jha.

Technical Report #1467, Computer Sciences Department, University of Wisconsin.

Madison, Wisconsin, February 2003.

Technical report: [pdf] [ps]

This page updated October 14, 2005.