Limitations of Current Anti-Virus Scanning Technologies

Abstract

Malware has become more lethal by using multiple attack vectors to exploit both known and unknown vulnerabilities and can attack prescanned targets with lightning speed. In the future, it is important that the scanners are capable of detecting polymoraphic (obfuscated or variant) and metamorphic (mutated or evolved) versions of malware, however current scanning techniques for malware detection have serious limitations. Simple software obfuscation a general technique that is used to protect the software from reverse engineering techniques can circumvent the current detection mechanisms (anti-virus tools). In this chapter, we describe common attacks on anti-virus tools and a few obfuscation techniques applied to recent viruses that were used to thwart commercial grade anti-virus tools. Similarities among different malware and their variants are also presented in this chapter. The signature used in this method is the percentage of application programming interface (APIs) appearing in the malware type. The hypothesis is that mutants and variants will not stray far from the original. Table 5 shows serious limitations of commercial grade anti-virus scanners in detecting simple obfuscation attacks. Table 6 shows the percentages of similarity of a particular malware when compared to others. One important thing to note is that even the polymorphic ZMist uses the same set of APIs on all three variants.