Static analysis for the detection of metamorphic computer viruses using repeated-instructions counting heuristics

  • Gerardo Canfora
  • Antonio Niccolò Iannaccone
  • Corrado Aaron VisaggioEmail author
Original Paper


Metamorphic viruses are particularly insidious as they change their form at each infection, thus making detection hard. Many techniques have been proposed to produce metamorphic malware, and many approaches have been explored to detect it. This paper introduces a detection technique that relies on the assumption that a side effect of the most common metamorphic engines is the dissemination of a high number of repeated instructions in the body of the virus program. We have evaluated our technique on a population of 1,000 programs and the experimentation outcomes indicate that it is accurate in classifying metamorphic viruses and viruses of other nature, too. Virus writers use to introduce code from benign files in order to evade antivirus; our technique is able to recognize virus even if benign code is added to it.


Hide Markov Model Malicious Code Dead Code Unique Instruction Metamorphic Virus 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Anderson, B., et al.: Graph-based malware detection using dynamic analysis. J. Comput. Virol. 7(4), 247–258 (2011)CrossRefGoogle Scholar
  2. 2.
    Ayock, J.: Computer Virus and Malware. Springer, Berlin (2006)Google Scholar
  3. 3.
    Bayer, U., Moser, A., Kruegel, C., Kirda, E.: Dynamic analysis of malicious code. J. Comput. Virol. 2, 67–77 (2006)Google Scholar
  4. 4.
    Chouchane, M., Lakhotia, A.: Using engine signature to detect metamorphic malware. In: Proceedings of the 4th ACM Workshop on Recurring Malcode, pp 73–78 (2006)Google Scholar
  5. 5.
    Christodorescu M., Jha, S.: Static analysis of executables to detect malicious patterns. In: Proceedings of the 12th Conference on USENIX Security Symposium (2003)Google Scholar
  6. 6.
    Al Daoud, E., Jebril, I.H., Zaqaibeh, B.: Computer virus strategies and detection methods. Int. J. Open Probl. Comput. Math. 1(2), 12–20 (2008)Google Scholar
  7. 7.
    Al Daoud, E., Al-Shbail, A., Al-Smadi, A.M.: Detecting metamorphic viruses by using arbitrary length of control flow graphs and nodes alignment. UbiCC J 4(3), 628–633 (2009)Google Scholar
  8. 8.
    Al Daoud, E.: Metamorphic viruses detection using artificial immune system. In: Proceedings of ICCSN, pp 168–172 (2009)Google Scholar
  9. 9.
    Deshpande, S.: Eigenvalue analysis for metamorphic detection. Master’s Projects. Paper 279. (2012)
  10. 10.
    Eskandari, M., Hashemi, S.: Metamorphic malware detection using control flow graph mining. Int J Comput Sci Netw Secur 11(12), 1–6 (2011)Google Scholar
  11. 11.
    Ferrie, P., Szor, P.: Zmist opportunities. Virus Bulletin, pp. 6–7 (2001)Google Scholar
  12. 12.
    Ferrie, P., Szor, P.: Hunting for Metamorphic. Symantec Security Response (2001).
  13. 13.
    Finones, R.G., Fernandez, R.T.: Solving the metamorphic puzzle. Virus Bulletin, pp. 14–19 (2006).Google Scholar
  14. 14.
    Govindaraju, A.: Exhaustive statistical analysis for detection of metamorphic malwares. Master’s project report, Department of Computer Science, San Jose State University (2010)Google Scholar
  15. 15.
    Gupta, S.: Code Obfuscation. Last visit 08/01/2012
  16. 16.
    Konstantinou, E., Wolthusen, S.: Metamorphic Virus: Analysis and Detection. Royal Holloway University of London (2008)Google Scholar
  17. 17.
    Lee, J., Jeong, K., Lee, H.: Detecting metamorphic malwares using code graph. In: Proceedings of the 2010 ACM Symposium on Applied Computing, pp 1970–1977 (2010)Google Scholar
  18. 18.
    Lin, D., Stamp, M.: Hunting for undetectable metamorphic viruses. J. Comput. Virol. 7(3), 201–2014 (2011) Google Scholar
  19. 19.
    Lin, D.: Hunting for undetectable metamorphic viruses. Master’s projects. Paper 18. (2009)
  20. 20.
    OECD, Malicious software (malware): a security threat to the internet economy (2008)Google Scholar
  21. 21.
    Runwal, N., Low, R.M., Stamp, M.: Op-code graph similarity and metamorphic detection. J. Comput. Virol. 8: 37–52 (2012)Google Scholar
  22. 22.
    Saleh, M.E., Mohamed, A.B., Nabi, A.A.: Eigenviruses for metamorphic virus recognition. Inf. Secur. IET 5(4), 191–198 (2011)CrossRefGoogle Scholar
  23. 23.
    Schmall, M.: Heuristic Techniques in AV Solutions: An Overview. February 2002.
  24. 24.
    Sridhara, S.M., Stamp, M.: Metamorphic worm that carries its own morphing engine. J. Comput. Virol. Hacking Tech. 9(2), 49–58 (2013)Google Scholar
  25. 25.
    Toderici, A.H., Stamp, M.: Chi squared distance and metamorphic virus detection. J. Comput. Virol. Hacking Tech. 9(1), 1–14 (2013)Google Scholar
  26. 26.
    Symantec Security Response Team: Symantec internet security threat report. Technical Report X, Symantec Corporation (2006)Google Scholar
  27. 27.
    Szor, P.: The new 32-bit medusa. Virus Bulletin, pp. 8–10 (2000)Google Scholar
  28. 28.
    Szor, P.: The Art of Computer Virus Research and Defense, 1 edn. Addison Wesley Professional, Boston (2005)Google Scholar
  29. 29.
    Vimod, P., Laxmi, V., Kumar, P., Chundawat, Y.S.: Metamorphic virus detections through static code analysis. In: Proceedings of US Workshop and Conference on Cyber Security, Cyber Crime and Forensics (2009)Google Scholar
  30. 30.
    Wong, W., Stamp, M.: Hunting for metamorphic engines. J. Comput. Virol. 2(3), 211–229 (2006)CrossRefGoogle Scholar
  31. 31.
    Wong, W.: Analysis and detection of metamorphic computer viruses. Master Projects. Paper 153 (2006).
  32. 32., Last visit 08/01/2012

Copyright information

© Springer-Verlag France 2013

Authors and Affiliations

  • Gerardo Canfora
    • 1
  • Antonio Niccolò Iannaccone
    • 1
  • Corrado Aaron Visaggio
    • 1
    Email author
  1. 1.Department of EngineeringUniversità degli Studi del SannioBeneventoItaly

Personalised recommendations