
dc.date.accessioned: 2013-03-12T08:11:43Z
dc.date.available: 2013-09-17T22:30:18Z
dc.date.issued: 2008 [en_US]
dc.date.submitted: 2008-06-27 [en_US]
dc.identifier.citation: Martinsen, Egil Aspevik. Detection of Junk Instructions in Computer Viruses. Masteroppgave, University of Oslo, 2008 [en_US]
dc.identifier.uri: http://hdl.handle.net/10852/9943
dc.description.abstract: The techniques employed by viruses to avoid detection by antivirus scanners are becoming increasingly advanced. One technique commonly used by viruses to evade detection is polymorphism. The level of polymorphism in a virus indicates its ability to create different forms of itself. The use of junk instructions is a common technique to increase the level of polymorphism in a virus. Junk instructions are machine code instructions with no other function than to alter the appearance of a virus. Junk instructions do not contribute to the function of the virus, only the form. This master's thesis focuses on the problem of separating junk instructions from non-junk instructions in computer viruses. To address the problem, a junk instruction detection (JID) framework has been developed, capable of detecting junk in viruses created for the Intel IA-32 Architecture® (x86). JID relies on the static instruction information produced by a disassembler. Static instruction information describes the static information found in an instruction: the number of input/output operands and their accesses. Because JID depends only on the static instruction information, JID can possibly be ported to other processor architectures. As long as there exists a disassembler for the architecture capable of producing static instruction information, JID is portable. The results of testing JID on polymorphic viruses are promising. Tests show that JID manages to detect junk instructions found in the polymorphic virus Zmist. It is believed that JID would work as a tool to detect and remove junk instructions from future polymorphic viruses, thus reducing the time spent analysing the virus. Additionally in this thesis, the virus Zmist is analysed as a case study, and a detection algorithm devised. The detection algorithm manages to detect 100% of the polymorphic version of Zmist, although shortcomings in the disassembler algorithm reduce this number to 94%. [eng]
dc.language.iso: nob [en_US]
dc.title: Detection of Junk Instructions in Computer Viruses [en_US]
dc.type: Master thesis [en_US]
dc.date.updated: 2009-04-06 [en_US]
dc.creator.author: Martinsen, Egil Aspevik [en_US]
dc.subject.nsi: VDP::420 [en_US]
dc.identifier.bibliographiccitation: info:ofi/fmt:kev:mtx:ctx&ctx_ver=Z39.88-2004&rft_val_fmt=info:ofi/fmt:kev:mtx:dissertation&rft.au=Martinsen, Egil Aspevik&rft.title=Detection of Junk Instructions in Computer Viruses&rft.inst=University of Oslo&rft.date=2008&rft.degree=Masteroppgave [en_US]
dc.identifier.urn: URN:NBN:no-19837 [en_US]
dc.type.document: Masteroppgave [en_US]
dc.identifier.duo: 80894 [en_US]
dc.contributor.supervisor: Leif Nilsen [en_US]
dc.identifier.bibsys: 080973698 [en_US]
dc.identifier.fulltext: Fulltext https://www.duo.uio.no/bitstream/handle/10852/9943/1/Martinsen.pdf

