Are current antivirus programs able to detect complex metamorphic malware? An empirical evaluation.

In this paper, we present the design of a metamorphic engine representing a type of hurdle that antivirus systems need to get over in their fight against malware. First we describe the two steps of the engine replication process: obfuscation and modeling. Then, we apply this engine to a real worm to evaluate current antivirus products' detection capacities. This assessment leads to a classification of detection tools, based on their observable behavior, into two main categories: the first one, relying on static detection techniques, presents low detection rates obtained by heuristic analysis. The second one, composed of dynamic detection programs, focuses only on elementary suspicious actions. Consequently, no product appears to reliably detect the candidate malware after application of the metamorphic engine. Through this evaluation of antivirus products, we hope to help defenders understand and defend against the threat represented by this class of malware.
