Problem
Malware, such as viruses, worms, or spyware, is defined as software that fulfills the deliberately harmful intent of an attacker when run. Current systems to detect malicious code (such as virus scanners) are mostly based on syntactic signatures. Unfortunately, this approach necessitates frequent updates to the signature database and lacks the ability to identify malware code that mutates while reproducing or spreading across the network. In the Pathfinder project, we research techniques to obtain a more general and robust description of malicious code that is not affected by syntactic changes.
Previous Work and Project Goals
In the run-up to the project, the group at the Vienna University of Technology published several papers on malicious code detection and analysis and developed the malicious code analyzer TTAnalyze. This prototype executes an unknown program inside a PC emulation environment and logs all relevant calls. The result of such an execution run is a report that conveys the purpose and functionality of the analyzed sample. Unfortunately, its analysis is based on a single execution trace. In the Pathfinder project, we will develop a solution that addresses this problem of test coverage. The basic idea is to explore multiple execution paths of the program under test, where the choice of which paths to explore is driven by monitoring how the code uses certain inputs.
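The following is an added illustration, not code from the Pathfinder project or from TTAnalyze: a toy emulator for a tiny register machine that logs "API calls" and, instead of following one concrete execution, forks the run at every branch whose condition depends on an untrusted input. The instruction set, the register names, the sample program and its trigger value 0x0707 are all constructed for this example. A single concrete run sees only the path selected by the input actually supplied; the multi-path run records the union of calls over all input-dependent paths, which is the behavioural profile the Problem section contrasts with syntactic signatures.

```python
"""Toy multi-path explorer (constructed example, not TTAnalyze).

Programs are lists of tuples:
  ("read", dst, name)      dst = untrusted input `name`  (marks dst tainted)
  ("eq",   dst, src, c)    dst = 1 if src == c else 0   (taint propagates)
  ("jz",   src, target)    jump to `target` if src == 0
  ("call", api_name)       log an API call
  ("end",)                 stop
"""
import copy
from dataclasses import dataclass, field


@dataclass
class State:
    pc: int
    regs: dict                                   # name -> (value, tainted)
    trace: list = field(default_factory=list)    # API calls observed on this path
    assumptions: list = field(default_factory=list)  # branch conditions assumed


def explore(program, concrete_inputs, multipath=True, max_steps=200, max_paths=64):
    """Run `program` from pc 0. With multipath=True, a branch on a tainted
    register is forked into both outcomes; otherwise the concrete input
    value decides. Returns the list of finished States (one per path)."""
    worklist = [State(pc=0, regs={})]
    finished = []
    while worklist:
        st = worklist.pop()
        for _ in range(max_steps):
            op = program[st.pc]
            kind = op[0]
            if kind == "read":                       # untrusted input -> tainted
                _, dst, name = op
                st.regs[dst] = (concrete_inputs[name], True)
                st.pc += 1
            elif kind == "eq":                       # taint flows into the result
                _, dst, src, const = op
                value, tainted = st.regs[src]
                st.regs[dst] = (1 if value == const else 0, tainted)
                st.pc += 1
            elif kind == "call":
                st.trace.append(op[1])
                st.pc += 1
            elif kind == "jz":
                _, src, target = op
                value, tainted = st.regs[src]
                if multipath and tainted and len(worklist) + len(finished) < max_paths:
                    # Fork: one state assumes the jump is taken (src == 0) ...
                    taken = copy.deepcopy(st)
                    taken.regs[src] = (0, True)
                    taken.pc = target
                    taken.assumptions.append(f"{src} == 0")
                    worklist.append(taken)
                    # ... and the current state continues on the fall-through.
                    st.regs[src] = (1, True)
                    st.pc += 1
                    st.assumptions.append(f"{src} != 0")
                else:                                # concrete, single-trace behaviour
                    st.pc = target if value == 0 else st.pc + 1
            elif kind == "end":
                finished.append(st)
                break
            else:
                raise ValueError(f"unknown instruction {op!r}")
        else:
            finished.append(st)                      # step budget exhausted; keep partial trace
    return finished


def run_single_trace(program, concrete_inputs):
    """Classic single-execution analysis: the API calls seen for one input."""
    return explore(program, concrete_inputs, multipath=False)[0].trace


def behavioural_profile(program, concrete_inputs):
    """Sorted union of API calls over all input-dependent paths."""
    states = explore(program, concrete_inputs, multipath=True)
    return sorted({call for st in states for call in st.trace})


# Constructed sample: the file-writing behaviour only runs when the
# untrusted "date" input equals the (made-up) trigger value 0x0707.
SAMPLE_PROGRAM = [
    ("read", "r0", "date"),        # 0: r0 = current date code (tainted)
    ("eq", "r1", "r0", 0x0707),    # 1: r1 = (date == trigger)
    ("jz", "r1", 6),               # 2: not trigger day -> skip to exit path
    ("call", "CreateFile"),        # 3
    ("call", "WriteFile"),         # 4
    ("call", "RegSetValue"),       # 5
    ("call", "ExitProcess"),       # 6
    ("end",),                      # 7
]

if __name__ == "__main__":
    today = {"date": 0x0101}       # a non-trigger date, as a single run would see
    print("single trace :", run_single_trace(SAMPLE_PROGRAM, today))
    print("all paths    :", behavioural_profile(SAMPLE_PROGRAM, today))
    for st in explore(SAMPLE_PROGRAM, today):
        print("  assuming", st.assumptions, "->", st.trace)
```

The single trace for a non-trigger date reports only `ExitProcess`, while the multi-path run additionally surfaces the file and registry activity behind the input-dependent branch, together with the assumption (`r1 != 0`) under which it is reachable. A real analyzer would replace the "assume 0 / assume 1" fork with a constraint solver over the actual input bytes and would bound the path explosion more carefully than the fixed `max_paths` budget used here.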
Economic Relevance
Malicious software not only poses a major threat to the security and privacy of computer users and their data; it is also responsible for a significant amount of financial loss (in 2005, the financial loss caused by malware was estimated to exceed 14 billion US dollars). Currently, anti-virus vendors have to perform malware analysis manually, a tedious and time-consuming task considering that hundreds of malware samples are received every day. The results of the Pathfinder project can lead to the development of a novel virus scanner product that operates with behavioral profiles instead of signatures, improving overall IT security.
Consortium
Secure Business Austria will provide the project with its malware detection knowledge and will be responsible for the project management. The Vienna University of Technology will bring in its aforementioned expertise in program analysis and malware detection. Members of the Secure Systems Lab have already published a number of scientific papers on novel techniques for malware detection and analysis. Ikarus Software will contribute its comprehensive knowledge and expertise to the Pathfinder project.
