Feature Omission Vulnerabilities: Thwarting Signature Generation for
Polymorphic Worms

Matthew Van Gundy, Hao Chen, Zhendong Su, and Giovanni Vigna.

To combat the rapid infection rate of today's Internet worms,
signatures for novel worms must be generated soon after an outbreak.
This is especially critical in the case of polymorphic worms, whose
binary representation changes frequently during the infection process.

In this paper, we examine the assumptions underlying two leading
network-based signature generation systems for polymorphic worms:
Polygraph and Hamsa.  By identifying an assumption of both systems not
met by all vulnerabilities, we discover a class of vulnerabilities
(feature omission vulnerabilities) that neither system can accurately
characterize.  We demonstrate the limitations of Polygraph and Hamsa
by testing the signatures that they generate for exploits targeting a
feature omission vulnerability.  We discuss why feature omission
vulnerabilities are difficult to characterize and how increased
semantic awareness can help the signature generation process.