Principles and practise of x-raying

Frédéric Perriot, Symantec
Peter Ferrie, Symantec

X-raying designates a virus detection method relying on a known-plaintext attack on the virus body. Far from being a new technique, x-raying has been used since the DOS days of yore to detect encrypted or polymorphic viruses without having to emulate their decryption code. As Entry-Point Obscuring viruses surfaced, another advantage of x-raying became obvious, namely the ability to detect an infection without the (sometimes prohibitive) cost of locating the decryption code in the infected object.

In this paper we examine conventional approaches to x-raying and present our own improvements and additions to the traditional methods. We also describe precise applications of x-raying to the detection of several recent polymorphic Win32 viruses. Finally, we discuss the potential and limits of x-raying when faced with complex polymorphic viruses employing multiple encryption layers or metamorphism.
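As an added illustration of the basic idea (example code written for this page, not the authors' implementation), the scanner below treats a known fragment of the decrypted virus body as plaintext, and for a single-byte XOR or ADD cipher derives the key from the first byte of each candidate window and confirms it against the rest of the window. The signature bytes, the filler and the offset are constructed for the example; real x-raying must also cope with longer and sliding keys, and, as the paper discusses, with multiple layers.

```python
"""Minimal x-ray scan: single-byte XOR / ADD known-plaintext check (constructed example)."""
from typing import Optional, Tuple

# Constructed stand-in for a known fragment of a decrypted virus body; these are
# arbitrary bytes chosen for the example, not a real malware signature.
SIGNATURE = bytes.fromhex("5589e583ec20c745fc00000000eb1a8b")


def _derive_key(cipher_byte: int, plain_byte: int, op: str) -> int:
    # One plaintext/ciphertext pair fixes the key for these trivial ciphers.
    return cipher_byte ^ plain_byte if op == "xor" else (cipher_byte - plain_byte) & 0xFF


def _decrypt(window: bytes, key: int, op: str) -> bytes:
    if op == "xor":
        return bytes(c ^ key for c in window)
    return bytes((c - key) & 0xFF for c in window)


def xray_scan(buf: bytes, sig: bytes = SIGNATURE,
              ops: Tuple[str, ...] = ("xor", "add")) -> Optional[Tuple[int, str, int]]:
    """Slide the signature over buf. At each offset, derive the key the first
    ciphertext byte would need, then confirm the whole window decrypts to sig.
    Returns (offset, cipher_op, key) on a hit, None otherwise. The decryptor is
    never located or emulated, which is the point of x-raying. A longer, less
    repetitive signature keeps chance matches (false positives) low."""
    n = len(sig)
    for off in range(len(buf) - n + 1):
        window = buf[off:off + n]
        for op in ops:
            key = _derive_key(window[0], sig[0], op)
            if _decrypt(window, key, op) == sig:
                return off, op, key
    return None


def build_sample(key: int, op: str, offset: int = 37) -> bytes:
    """Constructed 'infected' buffer: filler, then SIGNATURE encrypted under key."""
    enc = bytes((b ^ key) if op == "xor" else ((b + key) & 0xFF) for b in SIGNATURE)
    return b"\x90" * offset + enc + b"\x00" * 20


if __name__ == "__main__":
    print(xray_scan(build_sample(0x5A, "xor")))   # (37, 'xor', 90)
    print(xray_scan(build_sample(0x33, "add")))   # (37, 'add', 51)
    print(xray_scan(b"\x90" * 64))                # None
```

Note that a key of 0 is reported as a hit too, since an unencrypted copy of the body is the degenerate case of the same check.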
