Journal in Computer Virology, Volume 5, Issue 3, pp 221–245

Detection of metamorphic and virtualization-based malware using algebraic specification

Eicar 2008 extended version

DOI: 10.1007/s11416-008-0094-0

Cite this article as:
Webster, M. & Malcolm, G. J Comput Virol (2009) 5: 221. doi:10.1007/s11416-008-0094-0


We present an overview of the latest developments in the detection of metamorphic and virtualization-based malware using an algebraic specification of the Intel 64 assembly programming language. After giving an overview of related work, we describe the development of a specification of a subset of the Intel 64 instruction set in Maude, an advanced formal algebraic specification tool. We develop the technique of metamorphic malware detection based on equivalence-in-context so that it is applicable to imperative programming languages in general, and we give two detailed examples of how this might be used in a practical setting to detect metamorphic malware. We discuss the application of these techniques within anti-virus software, and give a proof-of-concept system for defeating detection counter-measures used by virtualization-based malware, which is based on our Maude specification of Intel 64. Finally, we compare formal and informal approaches to malware detection, and give some directions for future research.

Copyright information

© Springer-Verlag France 2008

Authors and Affiliations

  1. Department of Computer Science, University of Liverpool, Liverpool, UK
