Results 1 - 10 of 12
Malware Phylogeny Generation using Permutations of Code
- JOURNAL IN COMPUTER VIROLOGY
, 2005
Cited by 21 (3 self)
Malicious programs, such as viruses and worms, are frequently related to previous programs through evolutionary relationships. Discovering those relationships and constructing a phylogeny model is expected to be helpful for analyzing new malware and for establishing a principled naming scheme. Matching permutations of code may help build better models in cases where malware evolution does not keep things in the same order. We describe a method for constructing phylogeny models that uses features called n-perms to match possibly permuted code. An experiment was performed to compare the relative effectiveness of vector similarity measures using n-perms and n-grams when comparing permuted variants of programs. The similarity measures using n-perms maintained a greater separation between the similarity scores of permuted families of specimens versus unrelated specimens. A subsequent study using a tree generated through n-perms suggests that phylogeny models based on n-perms may help forensic analysts investigate new specimens, and assist in reconciling malware naming inconsistencies.
Exploiting similarity between variants to defeat malware: “Vilo” method for comparing and searching binary programs
- In: Proceedings of BlackHat DC 2007. (2007) https://blackhat.com/presentations/bh-dc-07/Walenstein/Paper/bh-dc-07-walenstein-WP.pdf
Cited by 5 (3 self)
Many malicious programs are just previously-seen programs that have had some minor changes made to them. A slightly different variant hardly qualifies as a stealth attack: being 99% the same as a known piece of malware should be a dead giveaway. This white paper describes a method for searching a database of programs for a match. The methods are adapted from ordinary text search and analysis; the key to making them work is in selecting the right aspects of the programs to compare. The aspects compared are features called "n-perms" which are constructed from abstracted, disassembled code. Two studies show that these methods can be
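The two abstracts above contrast n-grams with n-perms as features over abstracted, disassembled code. The block below is an added worked example, not code from either paper: it abstracts three constructed disassembly listings to their mnemonic sequences (an original routine, a variant in which three pairs of independent instructions are reordered, and an unrelated routine that shares only a standard prologue and epilogue), builds both feature types, and compares cosine similarities. The listings, the sort-the-window canonicalisation used for n-perms, the cosine measure and the window sizes are this example's assumptions; the papers' own abstraction steps and similarity measures are not reproduced here.

```python
"""n-grams versus n-perms over abstracted disassembly (added example).

Constructed illustration of the two feature types; not the authors' code.
The three disassembly listings are made up for this example.
"""
from collections import Counter
from math import sqrt


def abstract_opcodes(listing):
    """Abstract a disassembly listing to its mnemonic sequence.

    Operands (registers, immediates, addresses) are dropped so that
    register renaming or relocation does not change the features.
    """
    return [line.split()[0] for line in listing.strip().splitlines() if line.strip()]


def ngrams(tokens, n):
    """Ordered sliding windows of length n, counted as a multiset."""
    return Counter(tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1))


def nperms(tokens, n):
    """Like ngrams, but each window is canonicalised by sorting, so every
    ordering of the same n opcodes maps to the same feature."""
    return Counter(tuple(sorted(tokens[i:i + n])) for i in range(len(tokens) - n + 1))


def cosine(a, b):
    """Cosine similarity of two sparse feature vectors (Counters)."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = sqrt(sum(v * v for v in a.values())) * sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


# Constructed samples (assumption: not taken from any real binary).
# PERMUTED swaps three pairs of independent instructions in ORIGINAL,
# as an instruction-reordering obfuscator would; UNRELATED shares only
# the push/mov prologue and the call/pop/ret epilogue.
ORIGINAL = """
push ebp
mov ebp, esp
xor eax, eax
sub edx, edx
lea ecx, [ebp+8]
add eax, [ecx]
inc edx
cmp eax, edx
jne short loc_1
call sub_2
pop ebp
ret
"""

PERMUTED = """
push ebp
xor eax, eax
mov ebp, esp
lea ecx, [ebp+8]
sub edx, edx
inc edx
add eax, [ecx]
cmp eax, edx
jne short loc_1
call sub_2
pop ebp
ret
"""

UNRELATED = """
push ebp
mov ebp, esp
test ecx, ecx
jz short loc_2
shl ecx, 2
or eax, ecx
dec ecx
jmp short loc_3
call sub_4
pop ebp
ret
"""


def similarity_table(n):
    """Similarity of ORIGINAL to the permuted variant and to the unrelated
    sample under both feature types, for window size n."""
    orig, perm, other = (abstract_opcodes(s) for s in (ORIGINAL, PERMUTED, UNRELATED))
    return {
        "ngram": {
            "variant": cosine(ngrams(orig, n), ngrams(perm, n)),
            "unrelated": cosine(ngrams(orig, n), ngrams(other, n)),
        },
        "nperm": {
            "variant": cosine(nperms(orig, n), nperms(perm, n)),
            "unrelated": cosine(nperms(orig, n), nperms(other, n)),
        },
    }


def separation(n):
    """Gap between the variant score and the unrelated score: the margin a
    threshold-based matcher has to work with. Larger is better."""
    t = similarity_table(n)
    return {kind: t[kind]["variant"] - t[kind]["unrelated"] for kind in t}


if __name__ == "__main__":
    for n in (2, 3):
        t = similarity_table(n)
        for kind in ("ngram", "nperm"):
            print(f"n={n} {kind}: variant={t[kind]['variant']:.3f} "
                  f"unrelated={t[kind]['unrelated']:.3f}")
```

With n=3 the reordered variant scores 0.30 against the original under n-grams but 0.50 under n-perms, while the unrelated routine scores about 0.11 under both, so the n-perm margin between related and unrelated code is roughly twice the n-gram margin; the same pattern holds with n=2. Sorting the window is what buys the order insensitivity, at the cost that unrelated code whose windows happen to be anagrams of each other also collides, so the quantity to watch is the separation between related and unrelated scores rather than any single similarity value, which is what the abstract above reports.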
Identifying Dormant Functionality in Malware Programs
Cited by 5 (2 self)
To handle the growing flood of malware, security vendors and analysts rely on tools that automatically identify and analyze malicious code. Current systems for automated malware analysis typically follow a dynamic approach, executing an unknown program in a controlled environment (sandbox) and recording its runtime behavior. Since dynamic analysis platforms directly run malicious code, they are resilient to popular malware defense techniques such as packing and code obfuscation. Unfortunately, in many cases, only a small subset of all possible malicious behaviors is observed within the short time frame that a malware sample is executed. To mitigate this issue, previous work introduced techniques such as multipath or forced execution to increase the coverage of dynamic malware analysis. Unfortunately, using these techniques is potentially expensive, as the number of paths that require analysis can grow exponentially. In this paper, we propose REANIMATOR, a novel solution to determine the capabilities (malicious functionality) of malware programs. Our solution is based on the insight that we can leverage behavior observed while dynamically executing a specific malware sample to identify similar functionality in other programs. More precisely, when we observe malicious actions during dynamic analysis, we automatically extract and model the parts of the malware binary that are responsible for this behavior. We then leverage these models to check whether similar code is present in other samples. This allows us to statically identify dormant functionality (functionality that is not observed during dynamic analysis) in malicious programs. We evaluate our approach on thousands of real-world malware samples, and we show that our system is successful in identifying additional, malicious functionality. As a result, our approach can significantly improve the coverage of malware analysis results.
Adapting existing technologies for digitally archiving personal lives
- In iPres 2008
Cited by 2 (0 self)
The adoption of existing technologies for digital curation, most especially digital capture, is outlined in the context of personal digital archives and the Digital Manuscripts Project at the British Library. Technologies derived from computer forensics, data conversion and classic computing, and evolutionary computing are considered. The practical imperative of moving information to modern and fresh media as soon as possible is highlighted, as is the need to retain the potential for researchers of the future to experience the original look and feel of personal digital objects. The importance of not relying on any single technology is also emphasised.
Classification of computer viruses using the theory of affordances
- Journal in Computer Virology
Cited by 1 (1 self)
We present a new ontology for the classification of computer viruses and other forms of reproducing malware based on Gibson’s Theory of Affordances. We show how an existing method for reproducer classification can be specialised for malware classification, and give a worked example of how one might classify a Unix shell script virus in three different ways, depending on the particular reproductive model being used. Finally we suggest possible applications of our classification to the area of computer virus detection.
Component Similarity Based Methods for Automatic Analysis of Malicious Executables
Cited by 1 (0 self)
In recent years, with the popularity of source code sharing, the number of types of malware has increased sharply; furthermore, malware is also getting more and more sophisticated. These developments together pose a tremendous challenge to traditional ways of analyzing malware. One way to handle such a challenge is to develop tools to automate the analysis task, and in this paper we describe one such method for static analysis of malware. Inspired by the observation that a malicious executable usually consists of several components, each performing certain tasks, and that these components are often reused by others, our method employs techniques from reverse engineering and data clustering to decompose an executable into components. For each component obtained, we then match it against a library of known malware components to identify it. For malicious programs, we further utilize the match result to classify them. We have built a prototype system called CompSim, and have applied it to analyze bot-like malicious executables. Initial results show that our approach outperforms the classical signature-based detection method in terms of false negative rate. Furthermore, compared to dynamic analysis methods and model checking methods, our static method has the advantage of larger analytical coverage.
Formal affordance-based models of computer virus reproduction — Maude specification
, 2007
Cited by 1 (0 self)
We present a novel classification of computer viruses using a formalised notion of reproductive models based on Gibson’s theory of affordances. A computer virus reproduction model consists of: a labelled transition system to represent the states and actions involved in that virus’s reproduction; a notion of entities that are active in the reproductive process, and are present in certain states; a sequence of actions corresponding to the means of reproduction of the virus; and a formalisation of the actions afforded by entities to other entities. Informally, an affordance is an action that one entity allows another to perform. For example, an operating system might afford a computer virus the ability to read data from the disk. We show how computer virus reproduction models can be classified according to whether or not any of their reproductive actions are afforded by other entities. We give examples of reproduction models for three different computer viruses, and show how reproduction model classification can be automated. To demonstrate this we give three examples of how computer viruses can be classified automatically using static and dynamic analysis, and show how classifications can be tailored for different types of anti-virus behaviour monitoring software. Finally, we compare our approach with related work, and give directions for future research.
Evaluation of Malware Phylogeny Modelling Systems Using Automated Variant Generation
Cited by 1 (0 self)
A malware phylogeny model is an estimation of the derivation relationships between a set of species of malware. Systems that construct phylogeny models are expected to be useful for malware analysts. While several different phylogeny construction systems have been proposed, little is known about effective ways of evaluating and comparing them. Little is also known about the consistency of their results on different data sets, about their generalizability across different types of malware evolution, or of what measures are important to consider in evaluation. This paper explores these issues through two distinct artificial malware history generators. A study was conducted using two phylogeny model construction systems. The results underscore the important role that model-based simulation is expected to play in evaluating and selecting suitable malware phylogeny construction systems.
An Automated Virus Classification System (Gheorghescu)
In recent years, significant interest has developed around automated malware classification methods and an industry-wide naming convention. However, in the anti-virus industry, virus naming is not a uniformly standardized process and only worsens with each new malware sample. Virus naming cannot be reliable unless the virus analyst can tell if a new sample is part of an existing family in a reasonable amount of time. Previous research in automatic classification has produced several interesting classification methods; however, to our knowledge, none of the methods can deal with an entire virus collection or produce meaningful results in a reasonable amount of time. In this paper, we introduce an innovative classification system that uses an average desktop machine. The classification system compares new and unknown samples with all existing malware, and within a few minutes, returns matches for that sample based on evolutionary behaviour of existing malware. Compared to previous methods, our method is independent of the malware class and language. We describe three approximate matching algorithms and evaluate their run time and storage space requirements. We also discuss how these methods are applied in several malware-handling tasks including sample clustering, outbreak detection, automatic virus naming, and phylogeny tree.
Matching Global Data References in Related
Research and development efforts have recently compared malware variants. A number of these projects have focused on identifying functions through the use of signature-based classifiers. We introduce three new classifiers that characterize a function’s use of global data. Experiments on malware show that we can meaningfully correlate functions on the basis of their global data references even when their functions share little code. We also present an algorithm that combines existing classifiers and our new ones into an ensemble for correlating functions in two binary programs. The resulting combined ensemble classifier dominates the previously reported classifiers.