Skip to main content
SpringerLink
Log in

Hunting for undetectable metamorphic viruses

  • Original Paper
  • Published:
Journal in Computer Virology Aims and scope Submit manuscript

Abstract

Commercial anti-virus scanners are generally signature based, that is, they scan for known patterns to determine whether a file is infected. To evade signature-based detection, virus writers have employed code obfuscation techniques to create metamorphic viruses. Metamorphic viruses change their internal structure from generation to generation, which can provide an effective defense against signature-based detection. To combat metamorphic viruses, detection tools based on statistical analysis have been studied. A tool that employs hidden Markov models (HMMs) was previously developed and the results are encouraging—it has been shown that metamorphic viruses created by a reasonably strong metamorphic engine can be detected using an HMM. In this paper, we explore whether there are any exploitable weaknesses in an HMM-based detection approach. We create a highly metamorphic virus-generating tool designed specifically to evade HMM-based detection. We then test our engine, showing that we can generate metamorphic copies that cannot be detected using existing HMM-based detection techniques.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Attaluri S., McGhee S., Stamp M.: Profile hidden Markov models and metamorphic virus detection. J. Comput. Virol. 5(2), 151–169 (2009)

    Article  Google Scholar 

  2. Aycock J.: Computer Viruses and Malware. Springer, Berlin (2006)

    Google Scholar 

  3. Bailey, M. et al.: Automated Classification and Analysis of Internet Malware, RAID 2007, LNCS 4637, pp. 178–197. Springer, Berlin (2007)

  4. Caillat, B.A., Desnos, Erra, R.: BinThavro: Towards a Useful and Fast Tool for Goodware and Malware Analysis, ECIW (2010)

  5. Cohen F.: Computer viruses: theory and experiments. Comput. Secur. 6(1), 22–35 (1987)

    Article  Google Scholar 

  6. Daoud, E., Jebril, I.: Computer virus strategies and detection methods. Int. J. Open Problems Comput. Math. 1(2). (2008). http://www.emis.de/journals/IJOPCM/files/IJOPCM(vol.1.2.3.S.08).pdf

  7. Desai, P.: Towards an undetectable computer virus. Master’s report, Departent of Computer Science, San Jose State University. (2008). http://www.cs.sjsu.edu/faculty/stamp/students/Desai_Priti.pdf

  8. Durbin R. et al.: Biological Sequence Analysis: Probabilistic Models of Proteins and Nucleic Acids. Cambridge University Press, Cambridge (1999)

    Google Scholar 

  9. FASM. http://flatassembler.net/

  10. Filiol E., Josse S.: A statistical model for undecidable viral detection. J. Comput. Virol. 3(2), 65–74 (2007)

    Article  Google Scholar 

  11. Gheorghescu, M.: An automated virus classification system. In: Virus Bulletin Conference (2005)

  12. Gueguen, G., Filiol, E.: New threat grammars, IAWACS (2010)

  13. IDA Pro. http://www.hex-rays.com/idapro/

  14. Lin, D.: Hunting for undetectable metamorphic viruses. Master’s report, Department of Computer Science, San Jose State University (2010)

  15. Mishra, P., Stamp, M.: Software uniqueness: how and why. In: Dey, P.P., Amin, M.N., Gatton, T.M. (eds.): Proceedings of Conference on Computer Science and its Applications. San Diego, July 2003. http://www.cs.sjsu.edu/~stamp/cv/papers/iccsaPuneet.doc

  16. Rabiner, L.R.: A tutorial on hidden Markov models and selected applications in speech recognition. Proc. IEEE 77(2) (1989)

  17. Stamp, M.: A revealing introduction to hidden Markov models, January 2004. http://www.cs.sjsu.edu/faculty/stamp/RUA/HMM.pdf

  18. Stamp M.: Information Security: Principles and Practice. Wiley, New York (2005)

    Book  Google Scholar 

  19. Szor, P., Ferrie, P.: Hunting for Metamorphic. Symantec Press, Cupertino. (2005). http://www.symantec.com/avcenter/reference/hunting.for.metamorphic.pdf

  20. Venkatachalam, S.: Detecting undetectable computer viruses. Master’s report, Department of Computer Science, San Jose State University (2010). http://www.cs.sjsu.edu/faculty/stamp/students/venkatachalam_sujandharan.pdf

  21. Walenstein, A., et al: The design space of metamorphic malware. In: Proceedings of the 2nd International Conference on Information Warfare, March 2007

  22. Wong W., Stamp M.: Hunting for metamorphic engines. J. Comput. Virol. 2(3), 211–229 (2006)

    Article  Google Scholar 

  23. Zbitskiy P.: Code mutation techniques by means of formal grammars and automatons. J. Comput. Virol. 5(3), 199–207 (2009)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Cisco Systems, Inc., San Jose, CA, USA

    Da Lin

  2. Department of Computer Science, San Jose State University, San Jose, USA

    Mark Stamp

Authors
  1. Da Lin
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Mark Stamp
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Mark Stamp.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Lin, D., Stamp, M. Hunting for undetectable metamorphic viruses. J Comput Virol 7, 201–214 (2011). https://doi.org/10.1007/s11416-010-0148-y

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11416-010-0148-y

Keywords

Search

Navigation