You are given the task of detecting the occurrences of a polymorphic virus that conceals itself as follows. The body, C, of the virus code is obfuscated by XORing it with a byte sequence, T, derived from a six-byte secret key, K, that changes from instance to instance of the virus in a random way. The sequence T is derived by merely repeating over and over the given key K. The length of the body
of the virus code is a multiple of six—padding is added otherwise. Thus, the obfuscated body is T ? C, where T = K||K|| · · · and || denotes string concatenation. The virus inserts itself to the infected program at an unpredictable location. @par An infected file contains a loader that reads the key K, unhides the body C of the virus code by XORing the obfuscated version with the sequence T (derived from K), and finally launches C. The loader code, key K, and the obfuscated body are inserted at random positions of infected programs.
At some point of the execution of the infected program, the loader gets called, which unhides the virus and then executes it. Assume that you have obtained the body C of the virus code and a set of programs that are suspected to be infected. You want to detect the occurrences of this virus among the suspected programs without having to actually emulate the execution of the programs. Give an algorithm to do this in polynomial time in the length of the program. Assume that the loader of the virus is a short piece of code that can be commonly found in legitimate programs. Therefore, it cannot be used as a signature of our virus. Hence, looking for the loader is not an acceptable solution. Remember, the loader is in binary, and as such, extracting information from it is nontrivial, i.e., wrong.
Take the virus code C and xor repeated copies of it with the body of the
program, offset by various amounts. One of these will line up with the virus code in the
program, in which case xoring C with itself in this location will reveal the repeated pattern
of the key K. So all that is needed is to find the offset that reveals a six-byte key that is
repeated for the length of C.
You might also like to view...
The __________ function will change a character argument from lowercase to uppercase.
a. isupper b. toupper c. tolarge d. fromlower e. None of these
Information about the ____ of the target audience tells you what colors, symbols, fashions, styles, and so forth will be effective in communicating with the target audience.
A. Internet connection B. interests C. culture and customs D. spending habits
To navigate from one comment to another comment, click Next or __________.
Fill in the blank(s) with the appropriate word(s).
To call a function in response to a user action, a developer creates a(n) object listener. _________________________
Answer the following statement true (T) or false (F)