Metamorphic worm that carries its own morphing engine

Original Paper
Journal of Computer Virology and Hacking Techniques

Abstract

Metamorphic malware changes its internal structure across generations, but its functionality remains unchanged. Well-designed metamorphic malware will evade signature detection. Recent research has revealed techniques based on hidden Markov models (HMMs) for detecting many types of metamorphic malware, as well as techniques for evading such detection. A worm is a type of malware that actively spreads across a network to other host systems. In this project we design and implement a prototype metamorphic worm that carries its own morphing engine. This is challenging, since the morphing engine itself must be morphed across replications, which imposes restrictions on the structure of the worm. Our design employs previously developed techniques to evade detection. We provide test results to confirm that this worm effectively evades signature and HMM-based detection, and we consider possible detection strategies. This worm provides a concrete example that should prove useful for additional metamorphic detection research.

Author information

Correspondence to Mark Stamp.

Cite this article

Madenur Sridhara, S., Stamp, M. Metamorphic worm that carries its own morphing engine. J Comput Virol Hack Tech 9, 49–58 (2013). https://doi.org/10.1007/s11416-012-0174-z

  • DOI: https://doi.org/10.1007/s11416-012-0174-z
