analysis and detection of computer viruses and worms

8/11/2019 Analysis and Detection of Computer Viruses and Worms

1/7


2/7

output of the analysis phase. A br ief descr ip t ion

of a prototype tool i s al so g iven.

Mat t B i shop , An Overv i ew o f Com put er

Viruses in a Rese arch Envi ronm ent , Techn ical

Repor t b i shop92overview, 1992

h t tp : //www. j a .ne t/CERT/JANET -CERT/

This paper analyzes v i rus in a general

f r amework . A b r i e f h i s to ry o f com pu t er v iru ses

is presented and any presence of threat relevant

t o r esearch and deve l opmen t sys t ems has been

investigated. It exa min es severa l specific areas

on vulnerabi l i ty in research-or iented systems.

Vesse l in Bontchev, Vircing the Invi rcib le,

M ay 1995, Not publ i shed in pr in t, avai lable at

h t tp : / /www.claws-and-paws.com/vi rus/papers/

This i s a detai led technical ev aluat ion of an

exist in g antiviral softwa re, called Invircible. It

reflects on the degre e of responsibil ity, that an

ant iv i rus company needs to shoulder , whi le i t

provides i t s product informat ion to users . The

author has detai led on the test s and procedures

he has used to evaluate Invi rcib le product ' s

claimed features and proves that the claims are

far f rom real ity . The w ri te-up i s o ld in terms of

providing techniques for ant iv i rus sof tware

funct ional i ty but i s s t i l l informat ive on giving

ideas on d esigning ant iv i rus sof tware.

Vesse l in Bontchev, M acro Virus Ident i f icat ion

Problem s, 7 th In ternat ional Virus Bul let in .

Con ferenc e, pp. 175-196, 1997

This p aper d iscusses som e in terest ing theoret ical

problems to ant i -v i rus sof tware. Tw o viral set s of

macros can have comm on subse t s o r one o f the

sets could be a subset of the o ther . The paper

discusses the problems caused by th is . I t

emphasizes the d i f f icul t ies that could be

exploi ted by the v i rus wri ters and methods,

wh ich c ould be fo l lowed to tackle i t.

Vesse l i n Bon t chev , Met hodo l ogy o f Com put er

Ant i -Virus Research, Doc toral Thesis , Facul ty

of Informat ics , U niversi ty of Ham burg, 1998

This thesis i s a detai led wri t ing on computer

vi ruses. I t can be t reated as a def in i t ive text on

under s t and i ng and dea l i ng wi t h compu t er

vi ruses. The important topics d iscussed in th is

work include classi f icat ion and analysis of

computer v i ruses , s tate of ar t in ant i -v i rus

sof tware, possible at tacks against ant i -v i rus

sof tware, tes t methods for ant i -v i rus sof tware

systems and social aspects of v i rus problem. I t

al so discusses useful appl icat ions of sel f -

replicating software.

Vesse l in Bon t chev , Anal ys is and mai n t enance

of a clean virus l ibrary, Proc. 3 d Int . Virus Bull .

Conf., pp. 77-89, 1993

This provides the methods adopted to faci l i tate

t he mai n t enance o f l a rge am oun t s o f d i f fe r en t

vi rus sam ples for the sak e of ant i -v i rus research.

The paper p resen t s gu i de l i nes and p rocedures

used to maintain v i rus col lect ion at the universi ty

o f Hambu rg ' s Vi rus Te s t Cen ter .

Vesse l i n Bon t chev , The Pros and C ons o f

Wo rdBas i c Vi rus Upconver s i on , Vesse l i n

Bontchev, P roceed ings of the 8 th In ternat ional

Virus Bul let in Conference, pp. 153-172, 1998

Th i s paper d i scusses t he e t h i ca l p rob l em faced

by ant i -v i rus researchers due to the automat ic

Upconver s i on o f WordBas i c Vi ruses t o Vi sua l

Basic for Appl icat ions version 5 . Since a macro

v i rus wr i t t en i n one l anguage has be

automat ical ly conver ted to another language i t i s

yet another unique vi rus . Due to th is inherent

f ea t u re o f MS O f f ice 97 , v i ru s r esearchers have

to create new vi rus to prepare an ant idote. A side

effect of th i s act iv i ty has repor tedly been that

these upcon ver t s are created and off icial ly

l i s ted as exis t ing in some ant i -v i rus product

st imulates thei r creat ion and dis t r ibut ion by the

v i rus exchange peop l e . The au t ho r has g i ven

suggested solut ions for th i s problem.

Vesse l i n Bon t chev , Fu t u re Trends in Vi rus

W ri t ing, 4 th In ternat ional Virus Bul let in

Conference, pp. 65-82, 1994.

Th i s paper summ ar i zes som e i deas tha t a r e l i ke ly

t o be used by v i rus wr i t e r s i n t he fu t u re and

sugges ts t he k i nd o f measu res t ha t cou l d be t aken

against them.

Vessel in Bontch ev, Possible Virus At tacks

Agai ns t In t eg ri t y Prog rams And H ow t o Preven t

Them, Proceed i ngs o f t he 6 t h In t e rna t iona l

Virus Bul let in Conference , pp. 97-127, 1996.

Th i s paper d i scusses t he w ays o f a t t ack ing one o f

t he m os t power fu l met hods o f v iru s de t ec t ion on

integr i ty checking programs. I t demonst rates

wha t can be done a gainst these at tacks.

Dav i d M. Chess , V i rus Ver i fi ca t ion and

Rem oval Too l s and Techn i ques , H i gh In t eg ri ty

Comput i ng Lab , IBM T. J . Wat son Research

Center , Post Off ice Box 218, York town Heights ,

NY , USA, Novem ber 18 , 1991 .

ww w. research, ibm. com/ant iv i rus/SciPapers/Che

ss/CHESS/chess .h tml

A C M S I G P L A N N o ti c es

30

V . 3 7 ( 2 ) F e b r u a r y 2 2


3/7

This paper describes VERV, A Prototype Virus

Verifier and Remover, and a Virus Description

Language for VERV.

David Chess, Future of Viruses on the

Internet, Virus Bulletin Conference, San

Francisco, California, October 1-3, 1997.

This paper discusses the role of the Internet in

the Virus problem. It reasons for the availability

of better-equipped crisis teams that may arise

due to the continued growth of the Internet.

Integrated mail systems and the rise in mobile

program systems on the Internet have impacted

the trends in virus spread. The deployment of

network aware software systems on the Internet

has contributed positively to the spread of

network-aware virus. The paper briefly lists

some generic features of the software, which aid

in virus spread.

David M Chess and Steve R. White, An

Undetectable Computer Virus, Virus Bulletin

Conference, September 2000

This paper extends Fred Cohen's demonstration

on computer Viruses that there is no algorithm

that can perfectly detect all possible viruses. This

paper points out that there are computer viruses,

which no algorithm can detect, even under

somewhat more liberal definition of detection.

Fred Cohen, A Formal Definition of Computer

Worms and some related Results, Computers

and Security, Vol. 11, pp. 641-652 (1992)

A formal definition for computer worms has

been presented. The definition is based on

Turing's model of computation.

Fred Cohen, Computational Aspects of

Computer Viruses, Computers and Security,

Vol. 8, No. 4., page 325, 1 June 1989.

It presents a model for defining computer

viruses. It formally defines a class of sets of

transitive integrity-corrupting mechanisms called

viral-sets and explores some of their

computational properties.

Fred Cohen, Computer Viruses-Theory and

Experiments, Computers and Security, Volume

6 (1987), Number 1, pp. 22-35.

This paper brought the term computer viruses

to general attention. It describes computer

viruses and also describes several experiments in

each of which all system rights were granted to

an attacker in under an hour.

Fred Cohen, Computer Viruses, Ph.D. thesis,

University of Southern California, 1985.

This is the first formal work in the field of

computer viruses.

Fred Cohen, Models of Practical Defenses

Against Computer Viruses , Computers and

Security, Vol. 8, pp. 149-160 (1989)

This paper models complexity based virus

detection mechanisms, that detect modifications

and thereby prevent computer viruses from

causing secondary infections. These models are

then used to show how to protect information in

both trusted and untrusted computing bases,

show the optimality of these mechanisms, and

discuss some of their features. The models

indicate that we can cover changes at all levels of

interpretation with a unified mechanism for

describing interdependencies of information in a

system and discuss the ramifications of this

unification in some depth.

George I. Davida, Yvo G. Desmedt, and Brian J.

Matt, Defending Systems Against Viruses

through Cryptographic Authentication,

Proceedings of the 1989 IEEE Symposium on

Computer Security and Privacy, pp. 312-318,

1989

This paper describes the use of cryptographic

authentication for controlling computer viruses.

The objective is to protect against viruses

infecting software distributions, updates, and

programs stored or executed on a system. The

authentication scheme determines the source and

integrity of an executable, relying on the source

to produce virus-free software. The scheme

presented relies on a trusted device, the

authenticator, used to authenticate and update

programs and convert programs between the

various formats. In addition, each user' s machine

uses a similar device to perform run-time

checking.

M. Debbabi et al., Dynamic Monitoring of

Malicious Activity in Software Systems,

Symposium on Requirements Engineering for

Information Security (SREIS'01), Indianapolis,

Indiana, USA, March 5-6, 2001.

The authors discuss a dynamic monitoring

mechanism, comprising of a watchdog system,

which dynamically enforces a security policy.

The authors reason this approach by stating that

static analysis technique will not be able to

detect malicious code inserted after the analysis

has been completed. This paper discusses a

dynamic monitor called DaMon. This is capable

ACM SIGPLAN Notices 31 V. 37(2) February 2002


4/7

of s topping cer tain mal icious act ions based on

the com bined ac cesses to cr i t ical resources ( f i les ,

com mun icat ion por t s , regis try , processes and

threads) according to rudimentary specifications.

Denning, P. , The Science of Comput ing: T he

Internet W orm, Am erican Scient is t , Vol. 77 ,

No. 2 , Pages 126-128, March 1989.

A wri te-up on the November 1988 Internet

W orm incident . This pa per g ives a br ief note on

how the In ternet W orm w orked. I t al so d iscusses

the concerns ar i s ing due to the worm incident on

the n etworks o n wh ich com merce , t ransportation,

uti li t ies, defen se, space fl ight and other cri t ical

act iv i ties depended.

Ma rk W. Ei ch i n and Jon A. Roch l i s

W i t h Mi croscope and Tweezer s : An Anal ys i s o f

the In ternet Vi rus of No vem ber 1988,

Ma ssachuse t t s Inst itu te of Techno logy,

Cambridge, MA , February 9, 1989

This paper def ines the In ternet W orm as a

Virus. Rea soning has been presented to

substan tiate this classification. It discus ses the

goals of the teams w orking on the Virus, an d the

met hods t hey empl oyed , and summar i zes what

the vi rus d id and did not actual ly do. The paper

discusses in more detai l the s t rategies i t

employed, the speci f ic at tacks i t used, and the

effect ive and ineffect ive defenses proposed by

the communi ty against i t . I t descr ibes how the

g roup a t MIT found ou t and r eac t ed t o t he

Virus cr i s i s of 1988. It d iscusses the f laws that

were exploi ted to at tack systems and propagate

across the In ternet. I t al so enumerates m ethods

of prevent ing future at tacks a nd problems.

Gl e i s sner W, A Mat hemat i ca l Theory fo r t he

Spread o f Com put er Vi ruses , Comput er s and

Security, V ol. 8, No. 1, Pag e 35, 1 Feb ruary

1989.

No description available.

J . D. Howard. An Analysis of Secur i ty Incidents

on the In ternet 1989-1995, Ph.D. Disser tation,

Carnegie Mel lon Universi ty : Carnegie Inst i tu te

of Technology, April 1997

This d isser tat ion analyses the t rends in the

Internet Secu rity by investiga ting 4,299 securi ty-

related incidents on the In ternet repor ted to the

CERT Coord i na t i on Cen t er (CERT/CC) f rom

1989 to 1995.

C. Ko, G. Fink, and K. Levi tt . Autom ated

detect ion of vulnerabi l i t i es in pr iv i leged

program s by execut ion moni tor ing, In Proc. 10 h

Annual Computer Secur i ty Appl icat ion Conf . ,

pp. 134-144, Orlando, FL, December 1994.

This paper uses concepts of solving Int rusion

Detect ion Problems to detect vulnerabi l i t i es in

programs dur ing execut ion. Since the in tended

behav i o r s o f p r i v il eged p rog rams are ben i gn , a

p rog ram po l i cy has been deve l oped t o descr i be

this behavior , using a program pol icy

speci f icat ion language. Speci f icat ions of

p r i v i l eged p rog rams i n Un i x have been

presented, along wi th a prototype execut ion

moni tor , to analyze the audi t t rai l s wi th respect

to this specification.

Jeff rey O K ephar t and Steve R. Whi te,

Measu r i ng and Model i ng Comput er Vi rus

Preva l ence , P roceed i ngs o f t he 1999 IEEE

Comput er Soc i e t y Sympos i um on Research i n

Secu rity and Privac y, Oa kland , California, pp. 2-

14, M ay 24-25, 1993

Th i s paper i n t roduces t wo new ep i demi o l og i ca l

mod els of com puter v i rus spread. Only a smal l

f r ac ti on o f a l l w el l -known v i ruses have appeared

in real incidents , par t ly beca use ma ny vi ruses are

below the theoret ical epidem ic threshold . Mod els

o f l oca l i zed so f t ware exchange can exp l a i n t he

observed sub-ex ponent ial rate of v i ral spread.

Jeff rey O. Kepha r t , G regory B. Sorkin, M orton

Swi mm er , and S t eve R . W hi t e B l uep r i n t fo r a

Com put er Imm une Sys t em, Vi rus Bu l l e ti n

Internat ional Conference San Francisco,

California, October 1-3, 1997

Since the in ternet wi l l provide a fer t i le medium

for new b reeds o f compu t er v i ru ses, t he au t ho rs

have descr i bed a i mmune sys t em fo r compu t er s

t ha t senses t he p resence o f a p rev i ous l y unknown

pathogen that wi th in minutes , automat ical ly

der ives and deploys a prescr ip t ion for detect ing

and r emov i ng t he pa t hogen

Jeff rey O. Kephar t and Steve R. Whi te,

Di rec t ed -Graph Ep i demi o l og i ca l Model s o f

Com put er Vi ruses, P roceed i ngs o f t he 1991

IEEE Comput er Soc i e t y Sympos i um on

Research i n Secu r i t y and Pr i vacy , Oak l and ,

California, M ay 20-22, 1991

Th i s paper p resen t s a de t a il ed s t udy o f compu t er

vi rus epidemics. I t presents a theoret ical v iew of

the vi ral propagat ion using determinist ic and

stochast ic approaches. I t s tudies the condi t ions

under which vi ral epidemics are l ikely to occur .

I t argues that an imperfect defense against a

com puter v i rus ca n s t il l be h ighly ef fect ive in

p reven t ing wi desp read p ropagat i on p rov i ded t ha t

A C M S I G P L A N N o t i c e s 3 2 V . 3 7 ( 2 ) F e b r u a r y 2 0 0 2


5/7

infect ion rate does not exceed a wel l -def ined

threshold.

Jeff rey O. Kephar t , Bi l l Arnold , Autom at ic

Ext ract ion of Computer Virus Signatures ,

Proceedings of the 4 th V irus Bul let in

Internat ional Conference, R. Ford, ed . , Vi rus

Bullet in Ltd., Abingdon, England, pp. 178-184,

1994

This p aper d iscusses the idea of automat ical ly

ident i fy ing vi ral s ignatures f rom machine code

using statistical methods.

Paul Kerchen, Raymond Lo, John Crossley ,

Grigory Elkinbard, Karl Levit t , Ronald Olsson,

Stat ic Analysis Virus Detect ion Tools For Unix

Systems, Proceed ings of the 13th Nat ional

Com puter Secur i ty Conference, pages 350-- 365,

1990.

This paper proposes two heur is t ic tools the use

stat ic analysis and ver i f icat ion techniques for

de t ec t i ng compu t er v i ru ses i n a UNIX

environment. The tools should be used to detect

infected programs be fore thei r instal lat ion. The

first tool , detec tor , searc hes for duplic ate

system cal ls in the com pi led and l inked program,

the secon d tool, Fil ter , uses stat ic analys is to

determine al l of the f iles, w hich a program m ay

wri te to . By f inding out the f i les to which the

p rog ram can o r canno t w r it e , the p rog ram can be

ident i fied as a mal icious or benign.

Sandeep Kum ar , Euge ne Spafford , Gen er ic

Virus Sca nner in C++, Proceedings of the 8 h

Com puter Secur i ty Appl icat ions Conference, pp.

210-219, Coast TR 92-01, 2-4 Dec 1992

This paper d iscusses a gener ic v i rus detect ion

tool designed for recognizing vi ruses across

different platforms. The pa per ini tial ly discuss es

var ious me thods of v i rus detect ion and then

descr ibes a gener ic s ignature scanner as an ant i -

virus tool.

Bu t l e r W. Lampson , A No t e on t he

Confinem ent Problem, Xerox, Palo Al to Center ,

Comm uni ca ti ons o f the AC M, Vo l . 16, No 10 . ,

1973

This pa per explores the problem of conf ining a

program dur ing i t s execut ion so that i t cannot

leak informat ion to any other program e xcept i t ' s

cal ler . A few ways of the above ment ioned

i n fo rmat i on l eakage p rob l em have been g i ven

wi th solut ions to prev ent i t .

W enke Lee and Salvatore J . Stolfo Da ta

Mining Approaches for In t rusion Detect ion,

Proceed i ngs o f the 7 t h USE NIX Secur it y

Sympos i um, 2000

This paper d iscusses research in developing

general and systemat ic methods for In t rusion

Detect ion. Ideas f rom pat tern recogni t ion and

mach i ne l earn i ng have been used t o d i scover

p rog ram and user behav i o r . D i scovered sys t em

features have been used to compute induct ively

learned classi f iers that can ident i fy anomal ies

and known intrusions.

R. W. Lo, K. N. Levit t , and R. A. Olsson. MC F:

A M al icious Code Fi l ter , Com puters and

Security, 14(6): 541-566, 1995.

This paper d iscusses a programmable s tat ic

Analysis tool cal led Ma l icious Code Fil ter ,

MCF, to detect mal icious code and secur i ty

related vulnerabi l i t i es in system programs. The

M C F u s e s

t e l l t a l e

signs to determine whether a

program is mal icious wi thout requi r ing a

programmer to provide a formal speci f icat ion.

Program sl icing techniques are used to reason

about

t e l l t a l e

m aliciou s properties. By

combi n i ng t he t e l l t a l e s i gn app roach wi t h

program slicing, a sm al l subset of a large

p rog ram can be exami ned fo r mal i c i ous

behav i o r . The paper a l so d i scusses how t he

approach can be defea t ed and t hen d i scusses a

countermeasure.

John P. McDermot t and Wil l iam S. Choi ,

Taxonomy o f Comput er P rog ram Secur i t y

Flaws, AC M Com put ing Surveys, 26(3) : 211-

254, 1994.

This paper def ines secur i ty f laws as any

condi t ions or ci rcumstances that can resul t in

denial o f service, unau thoriz ed disclosure,

unauthor ized dest ruct ion of data, or unauthor ized

mod i f i ca ti on o f da t a . The t axonomy def i ned i n

this paper organizes informat ion about f laws so

t ha t as new f l aws a re added user s wi l l ga i n a

fu l l e r under s t and i ng o f wh i ch par t s o f sys t ems

and which par t s of the system l i fe cycle are

generat ing more secur i ty f laws than others . The

me thodology i s s imi lar to the one developed by

Research i n Secu red Opera t ing Sys t ems (RISOS)

project and Protect ion Analysis project

conducted by Informat ion Sciences Inst i tu te of

the Universi ty of Southern Cal i fornia, both of

whom a t t empt ed t o charac t e r i ze opera t i ng

system securi ty flaws.

John F. Mo rar , Da vid M Chess, Can

Cryp t og raphy Preven t Comput er Vi ruses? Vi rus

Bul let in Conference, September 2000

A C M S I G P L A N N o t i c e s 3 3 V . 3 7 ( 2 ) F e b r u a r y 2 0 0 2


6/7

The relationship between cryptography and virus

prevention is complex. Solutions to the virus

prevention problem involving cryptography have

been proposed, though these solutions do not

contribute much to the prevention techniques

prevalent at present. This paper discusses the

role of encryption in the field of virus authoring

and in the field of Anti-Virus research.

Maria M. Pozzo and Terence E. Gray, An

Approach to Containing Computer Viruses,

Computers and Security, Volume 6 (1987), No.

4, pp. 321-331.

This paper presents a mechanism for containing

the spread of computer viruses by detecting at

run-time whether or not an executable has been

modified since its installation. The detection

strategy uses encryption and is held to be better

for virus containment than conventional

computer security mechanisms, which are based

on the incorrect assumption that preventing

modification of executables by unauthorized

users is sufficient. Although this detection

mechanism is most effective when all the

executable on a system are encrypted, a scheme

is presented that shows the usefulness of the

encryption approach when this is not the case.

J. Reynolds, The Helminthiasis of the Internet,

RFC1135, Information Systems Institute,

University of Southern California, Dec 1989

This RFC summarizes the infection and cure of

the Internet Worm. It discusses the impact of the

worm on the Internet community, ethics

statements, role of the news media, rime in the

computer world, and filture prevention of such

incidents. This RFC also reviews four

publications that describe in detail, the computer

program (a.k.a. Internet Worm or Internet Virus)

that infected the Internet in the evening of

November 2, 1988

Fred Schneider. Enforceable Security Policies.

Cornell University,

http://cstr , cs. co rn ell , edu: 80/Dienst/U1/1. O/Displ

_qy_/ncstrLc o r n e l l / T R 9 9 - 1 7 5 9

A precise characterization is given for the class

of security policies enforceable with mechanisms

that work by monitoring system execution.

Security automata are introduced for specifying

exactly the class of security policies discussed.

Techniques to enforce security policies specified

by such automata are also discussed.

Mathew G. Schultz, Eleazar Eskin, Erez Zadok

and Salvatore J. Stolfo, Data Mining Methods

for Detection of New Malicious Executables,

Computer Science Department, Columbia

University, New York, USA.

This paper presents a framework for detection of

malicious executables with viral characteristics.

The motivation for this work is that signatures

for new viruses are not known and hence the data

mining technique presented in this work will be

able to solve this problem in a better way than

the current signature-based methods of virus

detection. The paper compares results of

traditional signature based methods with the

other learning algorithms. The Multi-Naive

Bayes method had the highest accuracy and

detection rate over unknown programs and had

double the detection rates of signature-based

methods.

John F. Shoch and Jon A. Hupp, The Worm

Programs-Early Experience with a Distributed

Computation, CACM, 25(3): 172-180, 1982

This is an exploratory paper for its time. This

paper discusses issues found in the early

exploration of distributed computing. Authors

talk about the motivations and definitions for a

worm program from the distributed computation

perspective. Not much work had been done in

building distributed systems in 1982. The

authors wanted to obtain real experience (similar

to Arpanet routing and Grapevine). The worm is

a computation that lives on one or more

machines. The piece on an individual computer

is a segment. The segments maintain

communications, so that if one fails another can

be started in its place on another machine.

They also talk about the protocols and problems

in controlling the growth of worm programs.

Multi-casting is used to maintain

communication. If a host is not heard for a

period of time it is assumed dead and removed

from the worm. A specified segment is given the

responsibility for finding a new idle machine.

The biggest problem is controlling growth while

maintaining stable behavior. A few applications

of the worm programs are also discussed.

Eugene H. Spafford, The Internet Worm

Program: A n Analysis, ACM Computer

communication review, 19(1), pp. 17-57, Jan

1989

This paper is an analytical commentary on the

Internet Worm program, which infected the

Internet on the evening of November 2na1988.

The paper defines Worms and Viruses. It

discusses the flaws in computer systems that

were exploited by the Worm to spread across the



7/7

Internet. Patches to these flaws are also

discussed. A high level description of the

functioning of the Worm program is also

provided. The paper then carries a detailed

analysis of the Worm.

Eugene H. Spafford, Computer Viruses as

Artificial Life, Department of Computer

Sciences, Purdue University, West Lafayette, IN

47907-1398, COAST TR 94-02, 1994

This paper talks about how computer viruses

operate, their history, and the various ways

computer viruses are structured. It then examines

how viruses meet properties associated with life

as defined by some researchers in the area of

artificial life and self-organizing systems. The

paper concludes with some comments directed

towards the definition of artificially alive

systems and related experiments.

Gerald Tesauro, Jeffrey O. Kephart, Gregory B.

Sorkin, Neural Network for Computer Virus

Recognition, IEEE Expert, vol. 11, no. 4, pp. 5-

6, Aug 1996

This paper describes a neural network for generic

detection of boot sector viruses that infect the

boot sector of a floppy disk or a hard drive.

K Thompson, Reflections on Trusting Trust,

Comm. ACM 27(8), 761-763 (August 1984)

This ACM classic highlights the issues of

trusting a third party. Thompson explains how a

b a c k d o o r can be inserted in a C compiler, which

in turn will insert a

b a c k d o o r

in the Unix login

program. The

b a c k d o o r

may give unauthorized

access into a system.

David Wagner, Drew Dean, Intrusion Detection

via Static Analysis, IEEE Symposium on

Security and Privacy, May 2001

This paper describes static analysis methods for

host based intrusion detection using program

specification for its internal behavior. The

specification is automatically derived for the

program under analysis. It involves a

combination of dynamic monitoring and static

analysis to reduce false alarms during detection.

Ian Whalley, Bill Arnold, David Chess, John

Morar, Alia Segal, Nortan Swimmer, An

Environment for controlled Worm Replication

and Analysis or: Internet-inna-Box, Virus

Bulletin Conference, September 2000

The paper outlines a functional prototype of a

worm replication system. Techniques and

mechanisms for constructing and utilizing an

environment enabling the automatic examination

of worms and network bases viruses have been

described. The paper involves a very brief

description of some well-known worms from the

past and the present. It elaborates on techniques

used by worms to spread across networks.

Finally an anatomy of the worm replicator

system is presented.

Steve R. White, Open Problems in Computer

Virus Research, Virus Bulletin Conference,

Munich, Germany, October 1998

This paper identifies some challenging open

issues on computer virus detection and

protection. It lists out five problems in this field,

namely, Development of New Heuristics for

virus detection, the study of viral spread and

epidemiology, deploying distributed digital

immune system for detecting new viruses,

detection of worm programs and proactive

approaches towards detection of virus programs.

Tarkan Yetiser, Polymorphic Viruses,

Implementation, Detection and Protection,

VDS Advanced Research Group, P.O. Box 9393,

Baltimore, MD 21228, USA.

http://www.bocklabs.wisc.edu/-janda/polymorph

.html

Discusses Polymorphic viruses and engines. It

looks at general characteristics of polymorphism

as currently implemented.


analysis and detection of computer viruses and worms

Documents