Principles and practise of x-raying

Frédéric Perriot Symantec
Peter Ferrie Symantec

X-raying designates a virus detection method relying on a known-plaintext attack on the virus body. Far from being a new technique, x-raying has been used since the DOS days of yore to detect encrypted or polymorphic viruses without having to emulate their decryption code. As Entry-Point Obscuring viruses surfaced, another advantage of x-raying became obvious, namely the ability to detect an infection without the - sometimes prohibitive - cost of locating the decryption code in the infected object.

In this paper we examine conventional approaches to x-raying and present our own improvements and additions to the traditional methods. We also describe precise applications of x-raying to the detection of several recent polymorphic Win32 viruses. Finally, we discuss the potential and limits of x-raying when faced with complex polymorphic viruses employing multiple encryption layers or metamorphism.

VB Conferences

VB2010 (Vancouver)

VB2009 (Geneva)

VB2008 (Ottawa)

VB2007 (Vienna)

VB2006 (Montréal)

VB2005 (Dublin)

VB2004 (Chicago)

VB2003 (Toronto)

VB2002 (New Orleans)

VB2001 (Prague)

VB2000 (Orlando)

VB99 (Vancouver)

VB98 (Munich)

VB97 (San Francisco)

VB96 (Brighton)

VB95 (Boston)

VB94 (Jersey)

VB93 (Amsterdam)

VB92 (Edinburgh)

VB91 (Jersey)

‘I want to express my appreciation for such a wonderful conference that the VB team puts together for the AV industry. I have attended many conferences in the past, but there is nothing that is comparable to both the content and the venue of VB2007.’