Using engine signature to detect metamorphic malware

This paper introduces the "engine signature" approach to assist in detecting metamorphic malware by tracing it back to the engine that generated it. More specifically, it presents and evaluates a code scoring technique for collecting forensic evidence from x86 code segments in order to obtain a measure of how likely they are to have been generated by some known instruction-substituting metamorphic engine. A prototype simulator that mimics real instruction-substituting metamorphic engines was implemented and used to conduct several experiments evaluating how well the scoring technique performs for given engine parameters. The technique was also used to successfully help trace variants of W32.Evol back to their engine.
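The abstract describes scoring x86 code segments for evidence of a known instruction-substituting engine. The block below is an added illustration of that idea, not the paper's scoring function and not the real W32.Evol substitution rules: it assumes a constructed signature of three hypothetical substitution outputs (`ENGINE_SIGNATURE`) and scores a textual disassembly by the fraction of instructions those patterns cover.

```python
import re

# Constructed engine signature (hypothetical, not from the paper): the sequences a
# fictitious substitution engine emits in place of a simpler original.  $1/$2 are
# operand wildcards that must bind consistently across the whole pattern.
ENGINE_SIGNATURE = [
    ["xor $1, $1"],                    # mov r, 0  ->  xor r, r
    ["sub esp, 4", "mov [esp], $1"],   # push r    ->  sub esp, 4 ; mov [esp], r
    ["push $1", "pop $2"],             # mov a, b  ->  push b ; pop a
]

def _compile(pattern):
    """Compile a multi-line template into one regex over newline-joined code."""
    parts, seen = [], set()
    for tok in re.split(r"(\$\d)", "\n".join(pattern)):
        if tok.startswith("$"):
            name = "w" + tok[1:]
            parts.append(f"(?P={name})" if name in seen else f"(?P<{name}>[^,\\s]+)")
            seen.add(name)
        else:
            parts.append(re.escape(tok))
    return re.compile("".join(parts))

def normalize(listing):
    """Lower-case each instruction, drop comments, blank lines and extra spaces."""
    lines = (l.split(";", 1)[0].strip().lower() for l in listing.splitlines())
    return [re.sub(r"\s+", " ", l) for l in lines if l]

def score(listing, signature=ENGINE_SIGNATURE):
    """Fraction of instructions covered by engine output patterns (greedy, longest first)."""
    # Single-instruction patterns such as 'xor r, r' also occur in ordinary compiler
    # output, so the score is evidence to weigh against a benign baseline, not a verdict.
    insns = normalize(listing)
    compiled = sorted(((len(p), _compile(p)) for p in signature), key=lambda t: -t[0])
    i = covered = hits = 0
    while i < len(insns):
        for n, rx in compiled:
            if rx.fullmatch("\n".join(insns[i:i + n])):
                covered, hits, i = covered + n, hits + 1, i + n
                break
        else:
            i += 1
    return {"instructions": len(insns), "matches": hits,
            "score": covered / len(insns) if insns else 0.0}

# Constructed samples: an original fragment and the same fragment after the
# fictitious engine has applied its substitutions.
CLEAN_SAMPLE = "mov eax, 0\npush ebx\nmov ecx, edx\nadd eax, 1\nret"
MUTATED_SAMPLE = "xor eax, eax\nsub esp, 4\nmov [esp], ebx\npush edx\npop ecx\nadd eax, 1\nret"
```

Running `score(CLEAN_SAMPLE)` gives a score of 0.0 and `score(MUTATED_SAMPLE)` about 0.71 (5 of 7 instructions covered by 3 matches), which is the kind of contrast a benign baseline would be compared against.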
