Metamorphic Virus Variants Classification Using Opcode Frequency Histogram

To evade the signature-based scanning that antivirus software normally relies on, metamorphic viruses apply a variety of obfuscation techniques. Each new instance transforms its code so that it looks entirely or partly different and contains dissimilar string sequences, while its behavior and function remain unchanged. This obfuscation lets the virus escape string-based signature detection. In this research, we use a statistical technique to measure the similarity between two files infected by two morphed versions of a given metamorphic virus. Our proposed solution is based on static analysis and uses the histogram of machine instruction frequencies in various offspring of obfuscated viruses. We use the Euclidean histogram distance metric to compare a pair of portable executable (PE) files. The aim of this study is to show that, for some particular obfuscation methods, the presented solution can be used to detect morphed variants of a file. Hence, it can be utilized by non-string-based signature scanning to identify whether or not a file is a version of a metamorphic virus.
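The comparison described in the abstract, sketched as an added example that is not the authors' code. It assumes the opcode mnemonics have already been extracted by a disassembler; the relative-frequency normalisation, the `0.2` threshold, the function names and the mnemonic sequences are all constructed for illustration.

```python
import math
from collections import Counter

def opcode_histogram(mnemonics):
    """Map each opcode mnemonic to its relative frequency in the sample."""
    counts = Counter(m.lower() for m in mnemonics)
    total = sum(counts.values())
    # Normalising by length (an assumption) keeps files of different size comparable.
    return {op: n / total for op, n in counts.items()} if total else {}

def euclidean_distance(h1, h2):
    """Euclidean distance between two histograms over the union of their opcodes."""
    return math.sqrt(sum((h1.get(op, 0.0) - h2.get(op, 0.0)) ** 2
                         for op in set(h1) | set(h2)))

def is_variant(sample, reference, threshold=0.2):
    """True if the sample's histogram is within `threshold` (illustrative value)."""
    return euclidean_distance(opcode_histogram(sample),
                              opcode_histogram(reference)) <= threshold

# Constructed mnemonic sequences standing in for disassembler output.
BASE = "push mov sub mov mov call test jz mov add cmp jl pop ret".split()
# Same instructions in a different order: the histogram is unchanged.
REORDERED = "push sub mov mov test call jz mov cmp add mov jl pop ret".split()
# Two junk instructions inserted: the histogram shifts slightly.
JUNK_PADDED = BASE[:7] + ["nop"] + BASE[7:] + ["nop"]
# A different routine with a different instruction mix.
UNRELATED = "xor lea imul shl xor shr and lea or imul xor ret".split()

if __name__ == "__main__":
    ref = opcode_histogram(BASE)
    for name, seq in [("reordered", REORDERED), ("junk-padded", JUNK_PADDED),
                      ("unrelated", UNRELATED)]:
        d = euclidean_distance(ref, opcode_histogram(seq))
        print(f"{name:12s} distance={d:.3f} variant={is_variant(seq, BASE)}")
```

Reordering leaves the distance at zero and light junk insertion keeps it small, while heavier rewriting of the instruction mix moves the histogram further, which is why the abstract limits its claim to some particular obfuscation methods.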
