Metamorphic worm that carries its own morphing engine

Metamorphic malware changes its internal structure across generations, but its functionality remains unchanged. Well-designed metamorphic malware will evade signature detection. Recent research has revealed techniques based on hidden Markov models (HMMs) for detecting many types of metamorphic malware, as well as techniques for evading such detection. A worm is a type of malware that actively spreads across a network to other host systems. In this project we design and implement a prototype metamorphic worm that carries its own morphing engine. This is challenging, since the morphing engine itself must be morphed across replications, which imposes restrictions on the structure of the worm. Our design employs previously developed techniques to evade detection. We provide test results to confirm that this worm effectively evades signature and HMM-based detection, and we consider possible detection strategies. This worm provides a concrete example that should prove useful for additional metamorphic detection research.
