Department of Computer Science, University of Virginia
A large class of viruses known as file infectors spread by copying themselves into users' files. To do this successfully, viruses must change file attributes contained in the header located at the beginning of the file. We created two rules to describe this behavior:
The Update-Header rule describes a virus reading and then writing to the header of a file. The Blind-Modify rule describes a virus changing (without reading) the contents of a pre-existing executable file header. The Update-Header rule is more precise, but the Blind-Modify rule may catch more viruses.
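As an added illustration (not code from the original page or the project), the following Python evaluator applies the two rules as described above to a constructed trace of disk-level file accesses. The Event schema, the 64-byte header size, the helper names and the trace itself are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

HEADER_BYTES = 64  # assumed header size for the demo; real sizes are format-specific

@dataclass(frozen=True)
class Event:
    """One disk-level file access (constructed schema, not the paper's)."""
    pid: int               # process performing the access
    op: str                # "read" or "write"
    path: str              # file accessed
    offset: int            # byte offset of the access within the file
    preexisting_exe: bool  # file already existed with an executable header

def _header_writes(events, want_prior_read: bool, exe_only: bool) -> List[Tuple[int, str]]:
    """Shared walk: report (pid, path) header writes, selected on whether the
    same process read that file's header earlier in the trace."""
    read_before = set()
    hits = []
    for e in events:
        if e.offset >= HEADER_BYTES:      # access does not touch the header
            continue
        key = (e.pid, e.path)
        if e.op == "read":
            read_before.add(key)
        elif e.op == "write":
            if exe_only and not e.preexisting_exe:
                continue
            if (key in read_before) == want_prior_read:
                hits.append(key)
    return hits

def update_header(events):
    """Update-Header: the process read the header, then wrote to it."""
    return _header_writes(events, want_prior_read=True, exe_only=False)

def blind_modify(events):
    """Blind-Modify: header of a pre-existing executable written without a prior read."""
    return _header_writes(events, want_prior_read=False, exe_only=True)

# Constructed trace: pid 7 behaves like a file infector; pid 3 is a linker
# emitting a brand-new binary; pid 9 only reads headers (e.g. a scanner).
TRACE = [
    Event(7, "read",  "C:/app/a.exe", 0, True),
    Event(7, "write", "C:/app/a.exe", 0, True),       # Update-Header
    Event(7, "write", "C:/app/b.exe", 0, True),       # Blind-Modify
    Event(3, "write", "C:/build/new.exe", 0, False),  # new file: neither rule
    Event(9, "read",  "C:/app/a.exe", 0, True),       # read only: neither rule
    Event(7, "write", "C:/app/a.exe", 4096, True),    # body write, not header
]

if __name__ == "__main__":
    print("Update-Header:", update_header(TRACE))  # [(7, 'C:/app/a.exe')]
    print("Blind-Modify:", blind_modify(TRACE))    # [(7, 'C:/app/b.exe')]
```

The linker and scanner events show why the two rules differ in precision: Blind-Modify needs the pre-existing-executable condition to avoid flagging freshly built binaries, while Update-Header is narrower but misses infectors that overwrite headers without reading them.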
We tested each rule against 21 randomly chosen viruses, each of which potentially infected anywhere from one to many files. We then tested for false positives against the normal behavior of 8 users.
Malicious software often performs behavior that cannot be generalized so widely. Behavioral signatures that are tailored to an individual virus or virus family can be used for this task. The following example shows the characteristic activity of W32/Sality.L (a keylogging, polymorphic, file-infecting worm with its own SMTP engine):
(orig) and (drop) are variables representing file names. This signature additionally captures the later variants Sality.M, Sality.O, and Sality.Q as well as polymorphic generations.
This work is supported by the National Science Foundation Cyber Trust Program ("Disk-Level Malware Detection and Response," NSF 0627527).