Title :
A concept for monitoring self-transforming code using memory page access control management
Author :
Maaser, Christian ; Baier, Harald
Author_Institution :
Center for Adv. Security Res. Darmstadt (CASED), Univ. of Appl. Sci., Darmstadt, Germany
Abstract :
Current antivirus software still focuses on signature-based algorithms operating on file content to detect malware. Unfortunately, there is a simple way to circumvent this detection method: the malware author applies a code transformation algorithm (e.g. a packing or encryption scheme) to the malware plaintext and stores the reverse transformation algorithm along with the unsuspicious-looking block of transformed malware. Malware obfuscated in this way is called polymorphic malware. We call the transformation of the plaintext into the transformed malware encoding and the reverse operation decoding. Although current malware detection systems have adopted and implemented several techniques to counter this, these methods are mostly either unreliable or suffer heavy performance drawbacks. We present a non-intrusive and lightweight method to monitor any executable code in real time, which allows efficient detection of polymorphic malware.
Keywords :
authorisation; decoding; invasive software; paged storage; transform coding; antivirus software; code transformation algorithm; decoding; encoding; malware detection systems; malware plaintext; malware transformation; memory page access control management; nonintrusive lightweight method; obfuscation; polymorphic malware; reverse transformation algorithm; self-transforming code monitoring; unsuspicious looking block; Decoding; Encoding; Linux; Malware; Monitoring; Operating systems; Malware detection; NX bit; memory manager; obfuscation; polymorphic code;
Conference_Titel :
Security Technology (ICCST), 2011 IEEE International Carnahan Conference on
Conference_Location :
Barcelona
Print_ISBN :
978-1-4577-0902-9
DOI :
10.1109/CCST.2011.6095942