Are current antivirus programs able to detect complex metamorphic malware? An empirical evaluation. - CentraleSupélec
Conference paper, year: 2009

Are current antivirus programs able to detect complex metamorphic malware? An empirical evaluation.

Jean-Marie Borello
  • Role: Author
Ludovic Mé
  • Role: Author
  • PersonId : 4609
  • IdHAL : lme
  • IdRef : 075014459

Abstract

In this paper, we present the design of a metamorphic engine representing a type of hurdle that antivirus systems need to get over in their fight against malware. First we describe the two steps of the engine replication process: obfuscation and modeling. Then, we apply this engine to a real worm to evaluate current antivirus products' detection capacities. This assessment leads to a classification of detection tools, based on their observable behavior, into two main categories: the first one, relying on static detection techniques, presents low detection rates obtained by heuristic analysis. The second one, composed of dynamic detection programs, focuses only on elementary suspicious actions. Consequently, no products appear to reliably detect the candidate malware after application of the metamorphic engine. Through this evaluation of antivirus products, we hope to help defenders understand and defend against the threat represented by this class of malware.
No file deposited

Dates and versions

hal-00441581 , version 1 (16-12-2009)

Identifiers

  • HAL Id : hal-00441581 , version 1

Cite

Jean-Marie Borello, Eric Filiol, Ludovic Mé. Are current antivirus programs able to detect complex metamorphic malware? An empirical evaluation. 18th EICAR Annual Conference, May 2009, France. 19 p. ⟨hal-00441581⟩