Hunting for metamorphic engines

  • Original Paper
  • Journal in Computer Virology

Abstract

In this paper, we analyze several metamorphic virus generators. We define a similarity index and use it to precisely quantify the degree of metamorphism that each generator produces. Then we present a detector based on hidden Markov models and we consider a simpler detection method based on our similarity index. Both of these techniques detect all of the metamorphic viruses in our test set with extremely high accuracy. In addition, we show that popular commercial virus scanners do not detect the highly metamorphic virus variants in our test set.
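The abstract names the two ingredients of the HMM detector, a model trained on a metamorphic family and a score compared against a threshold, but not how such a scorer is built. The following is an added example, not code or data from the paper: it trains a two-state hidden Markov model on opcode sequences emitted by a constructed stand-in for a metamorphic engine and scores held-out sequences by log-likelihood per opcode. The mnemonics, the toy engine (junk insertion and swaps of adjacent non-control instructions), the benign instruction mix, the two-state model and the additive smoothing constant are all assumptions of this example, chosen so that it runs offline in plain Python.

```python
import math
import random

# Constructed assumptions for this example: mnemonics, toy engine, benign mix, smoothing.
OPCODES = ["mov", "push", "pop", "add", "sub", "xor", "jmp", "call", "ret",
           "nop", "cmp", "jz", "lea", "inc", "dec", "test"]
SYM = {op: k for k, op in enumerate(OPCODES)}
EPS = 1e-6  # additive smoothing: no symbol or transition ever gets probability 0
BASE = ["push", "mov", "call", "add", "cmp", "jz", "mov", "sub", "xor", "pop", "ret"] * 4
CONTROL = {"call", "jmp", "jz", "ret"}


def make_variant(rng, base, junk_rate=0.15, swap_rate=0.2):
    """Toy metamorphic engine: junk insertion plus swaps of adjacent non-control ops."""
    out = []
    for op in base:
        out.append(op)
        if rng.random() < junk_rate:
            out.append(rng.choice(["nop", "xor"]))
    i = 0
    while i + 1 < len(out):
        if rng.random() < swap_rate and not CONTROL & {out[i], out[i + 1]}:
            out[i], out[i + 1] = out[i + 1], out[i]
            i += 1
        i += 1
    return out


def make_benign(rng, length=60):
    """Constructed benign code; several mnemonics never occur in the family."""
    pool = ["mov", "lea", "inc", "dec", "test", "cmp", "jmp", "add"]
    return [rng.choice(pool) for _ in range(length)]


def forward(pi, A, B, obs):
    """Scaled forward pass: returns alpha-hat and scale factors c_t, log P(O|lambda) = -sum(log c_t)."""
    N, T = len(pi), len(obs)
    alpha, c = [[0.0] * N for _ in range(T)], [0.0] * T
    for t in range(T):
        for i in range(N):
            prev = pi[i] if t == 0 else sum(alpha[t - 1][j] * A[j][i] for j in range(N))
            alpha[t][i] = prev * B[i][obs[t]]
        c[t] = 1.0 / sum(alpha[t])
        alpha[t] = [a * c[t] for a in alpha[t]]
    return alpha, c


def backward(A, B, obs, c):
    """Scaled backward pass matching forward()."""
    N, T = len(A), len(obs)
    beta = [[0.0] * N for _ in range(T - 1)] + [[c[T - 1]] * N]
    for t in range(T - 2, -1, -1):
        for i in range(N):
            beta[t][i] = c[t] * sum(A[i][j] * B[j][obs[t + 1]] * beta[t + 1][j] for j in range(N))
    return beta


def train_hmm(obs, n_states, n_symbols, iters=30, seed=7):
    """Baum-Welch re-estimation of (pi, A, B) on one observation sequence."""
    rng = random.Random(seed)
    N, M, T = n_states, n_symbols, len(obs)

    def row(n):  # near-uniform random row so the states can break symmetry
        r = [1.0 + 0.1 * rng.random() for _ in range(n)]
        return [x / sum(r) for x in r]

    pi, A, B = row(N), [row(N) for _ in range(N)], [row(M) for _ in range(N)]
    for _ in range(iters):
        alpha, c = forward(pi, A, B, obs)
        beta = backward(A, B, obs, c)
        gamma = [[0.0] * N for _ in range(T)]
        xi = [[[0.0] * N for _ in range(N)] for _ in range(T - 1)]
        for t in range(T - 1):
            for i in range(N):
                for j in range(N):
                    xi[t][i][j] = alpha[t][i] * A[i][j] * B[j][obs[t + 1]] * beta[t + 1][j]
            norm = sum(map(sum, xi[t]))
            for i in range(N):
                xi[t][i] = [x / norm for x in xi[t][i]]
                gamma[t][i] = sum(xi[t][i])
        gamma[T - 1] = list(alpha[T - 1])  # scaled alphas at T-1 already sum to 1
        pi = [(g + EPS) / (1.0 + N * EPS) for g in gamma[0]]
        for i in range(N):
            g_trans = sum(gamma[t][i] for t in range(T - 1))
            A[i] = [(sum(xi[t][i][j] for t in range(T - 1)) + EPS) / (g_trans + N * EPS)
                    for j in range(N)]
            counts = [0.0] * M
            for t in range(T):
                counts[obs[t]] += gamma[t][i]
            B[i] = [(cnt + EPS) / (sum(counts) + M * EPS) for cnt in counts]
    return pi, A, B


def llpo(model, seq):
    """Log-likelihood per opcode: the score compared against a detection threshold."""
    obs = [SYM[op] for op in seq]
    return -sum(math.log(ct) for ct in forward(*model, obs)[1]) / len(obs)


def run_demo(n_train=8, n_test=4, seed=1):
    """Train on constructed family variants; return (family_scores, benign_scores)."""
    rng = random.Random(seed)
    train = [op for _ in range(n_train) for op in make_variant(rng, BASE)]
    model = train_hmm([SYM[op] for op in train], n_states=2, n_symbols=len(OPCODES))
    family = [llpo(model, make_variant(rng, BASE)) for _ in range(n_test)]
    benign = [llpo(model, make_benign(rng)) for _ in range(n_test)]
    return family, benign
```

Calling run_demo() gives two lists of per-opcode scores; a threshold placed between the lowest family score and the highest benign score separates them. The smoothing constant matters in practice: without it, a single opcode never seen in training drives the likelihood to zero and the log score to minus infinity, which makes the detector brittle rather than strict. The point of the example is the scoring mechanism, not the toy engine, which is far simpler than the generators the paper analyzes.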



Author information

Authors: W. Wong, M. Stamp. Corresponding author: Mark Stamp.

Additional information

A talk based on the results in this paper was presented by the authors at Defcon 14, August 5, 2006, Las Vegas, Nevada.


About this article

Cite this article

Wong, W., Stamp, M. Hunting for metamorphic engines. J Comput Virol 2, 211–229 (2006). https://doi.org/10.1007/s11416-006-0028-7
