Approximate detection of machine-morphed variants of malicious programs

A morphing malware is malicious software that uses a code morphing program, or morphing engine, to transform its own code into a morphed variant. The goal of this transformation is to evade recognition by malware detectors. This dissertation proposes and evaluates a new method for detecting morphed malware variants. The method uses information about the morphing engine to recognize variants created by that engine. In particular, it is shown that a morphing engine's implementation of the requirements of good design practices for morphing malware can be capitalized upon to efficiently discriminate programs generated by an engine implementing those requirements from programs that were not generated by the engine. Exact recognition techniques implementing this method are proposed and shown to be computationally costly. Approximate, efficient variations on these techniques are then proposed and successfully evaluated on programs generated by a real-world morphing engine, W32.Evol. Finally, the variation of a malware's instruction distribution induced by a probabilistic morphing engine is modeled as a Markov chain. Techniques from Markov chain theory are suggested to enable the use, for detection purposes, of the distribution of the instruction-frequency vectors of the successive generations of variants that a probabilistic morphing engine generates.
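The last two sentences describe modeling the engine's effect on a program's instruction distribution as a Markov chain and using the predicted instruction-frequency vectors of successive generations for detection. The following Python example is added here to make that idea concrete; it is not code from the dissertation and does not model W32.Evol. It assumes a simplified engine that rewrites each instruction independently into exactly one instruction of another class according to a constructed transition matrix `P`, so that the expected frequency vector after n generations is `v0 * P^n` and the generations converge to the chain's stationary distribution. The instruction classes, `P`, the seed program, the benign comparison vector and the L1 threshold are all assumptions chosen for illustration.

```python
"""Added example: a Markov-chain model of how a probabilistic morphing engine
shifts a program's instruction-frequency vector from one generation to the next,
and a detector that compares an unknown program against the predicted vectors.

Everything here is constructed for illustration: the instruction classes, the
transition matrix P, the seed program, the benign vector and the threshold are
assumptions, not values from the dissertation or from any real engine.
"""
from collections import Counter

import numpy as np

# Abstract instruction classes (constructed). A real detector would map
# disassembled instructions onto classes such as these.
CLASSES = ["ZERO", "MOVE", "STACK", "ARITH"]
INDEX = {c: i for i, c in enumerate(CLASSES)}

# Engine transition matrix P (constructed): P[i][j] is the probability that the
# engine rewrites an instruction of class i into one of class j in a single
# generation. Rows sum to 1, so the class of one instruction across generations
# is a Markov chain with transition matrix P.
P = np.array([
    [0.5, 0.3, 0.0, 0.2],   # ZERO  (e.g. xor r,r / mov r,0 / sub r,r)
    [0.2, 0.6, 0.2, 0.0],   # MOVE  (mov, or an equivalent push/pop pair)
    [0.0, 0.4, 0.6, 0.0],   # STACK
    [0.3, 0.0, 0.0, 0.7],   # ARITH
])


def frequency_vector(instructions):
    """Normalized instruction-class frequency vector of a program (list of class labels)."""
    counts = Counter(instructions)
    vec = np.array([counts[c] for c in CLASSES], dtype=float)
    return vec / vec.sum()


def expected_frequency(v0, n, P=P):
    """Expected frequency vector after n generations, starting from vector v0.
    Every instruction evolves independently along the same chain, so the
    expectation of the empirical frequency vector is v0 * P^n."""
    return np.asarray(v0, dtype=float) @ np.linalg.matrix_power(P, n)


def stationary_distribution(P=P):
    """Solve pi P = pi with sum(pi) = 1: the vector the generations converge to."""
    k = P.shape[0]
    A = np.vstack([P.T - np.eye(k), np.ones(k)])
    b = np.zeros(k + 1)
    b[-1] = 1.0
    pi, *_ = np.linalg.lstsq(A, b, rcond=None)
    return pi


def morph_program(instructions, rng, P=P):
    """Simulate one generation of the constructed 1-to-1 engine (for sample data)."""
    return [str(rng.choice(CLASSES, p=P[INDEX[c]])) for c in instructions]


def distance_to_engine(observed, v0, max_gen=10, P=P):
    """Smallest L1 distance between an observed frequency vector and the expected
    vectors of generations 0..max_gen; returns (best_generation, distance)."""
    candidates = (
        (n, float(np.abs(observed - expected_frequency(v0, n, P)).sum()))
        for n in range(max_gen + 1)
    )
    return min(candidates, key=lambda t: t[1])


def is_engine_variant(observed, v0, threshold=0.25, max_gen=10, P=P):
    """Flag a program whose frequency vector lies close to some predicted generation."""
    _, dist = distance_to_engine(observed, v0, max_gen, P)
    return dist <= threshold


# Constructed seed: class composition of the original (generation 0) sample.
SEED_PROGRAM = ["ZERO"] * 40 + ["MOVE"] * 160 + ["STACK"] * 80 + ["ARITH"] * 120
V0 = frequency_vector(SEED_PROGRAM)


def demo(seed=7, generations=3):
    """Morph the seed for a few generations, then score the result and a benign vector."""
    rng = np.random.default_rng(seed)
    prog = SEED_PROGRAM
    for _ in range(generations):
        prog = morph_program(prog, rng)
    variant = frequency_vector(prog)
    benign = np.array([0.02, 0.55, 0.40, 0.03])   # constructed, unrelated program
    return {
        "stationary": stationary_distribution(),
        "variant_distance": distance_to_engine(variant, V0),
        "variant_flagged": is_engine_variant(variant, V0),
        "benign_flagged": is_engine_variant(benign, V0),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The detector needs two things the defender must already know: the frequency vector `V0` of the original sample and the engine's transition matrix `P` (in practice estimated from pairs of variants). Because generation 0 is among the candidates, anything whose instruction mix resembles the original sample is flagged too, which is the intended behaviour. The 1-to-1 rewriting assumption keeps the expectation exactly `v0 * P^n`; an engine that inserts or deletes instructions changes program length and needs a richer model than the one assumed here.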