Journal in Computer Virology

Volume 2, Issue 3, pp. 211–229

Hunting for metamorphic engines

Original Paper

Abstract

In this paper, we analyze several metamorphic virus generators. We define a similarity index and use it to precisely quantify the degree of metamorphism that each generator produces. Then we present a detector based on hidden Markov models and we consider a simpler detection method based on our similarity index. Both of these techniques detect all of the metamorphic viruses in our test set with extremely high accuracy. In addition, we show that popular commercial virus scanners do not detect the highly metamorphic virus variants in our test set.



Copyright information

© Springer-Verlag France 2006

Authors and Affiliations

Department of Computer Science, San José State University, San José, USA
