Metamorphic worm that carries its own morphing engine

Original Paper

Abstract

Metamorphic malware changes its internal structure across generations, but its functionality remains unchanged. Well-designed metamorphic malware will evade signature detection. Recent research has revealed techniques based on hidden Markov models (HMMs) for detecting many types of metamorphic malware, as well as techniques for evading such detection. A worm is a type of malware that actively spreads across a network to other host systems. In this project we design and implement a prototype metamorphic worm that carries its own morphing engine. This is challenging, since the morphing engine itself must be morphed across replications, which imposes restrictions on the structure of the worm. Our design employs previously developed techniques to evade detection. We provide test results to confirm that this worm effectively evades signature and HMM-based detection, and we consider possible detection strategies. This worm provides a concrete example that should prove useful for additional metamorphic detection research.

Copyright information

© Springer-Verlag France 2012

Authors and Affiliations

  1. Department of Computer Science, San Jose State University, San Jose, USA