Hunting for undetectable metamorphic viruses

Commercial anti-virus scanners are generally signature based: they scan a file for known byte patterns to decide whether it is infected. To evade signature-based detection, virus writers have employed code obfuscation techniques to create metamorphic viruses. Metamorphic viruses change their internal structure from generation to generation, which can provide an effective defense against signature-based detection. To combat metamorphic viruses, detection tools based on statistical analysis have been studied. A tool that employs hidden Markov models (HMMs) was previously developed, and the results are encouraging: it has been shown that metamorphic viruses created by a reasonably strong metamorphic engine can be detected using an HMM. In this paper, we explore whether there are any exploitable weaknesses in an HMM-based detection approach. We create a highly metamorphic virus-generating tool designed specifically to evade HMM-based detection. We then test our engine, showing that we can generate metamorphic copies that cannot be detected using existing HMM-based detection techniques.
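The HMM-based detector the abstract refers to scores a program's opcode sequence by its likelihood under a model trained on samples of the virus family, normalises that likelihood by the sequence length, and compares the result with a threshold. The following is an added example, not code from the paper or its authors: it implements the scaled forward algorithm that computes that score, cross-checks it against a brute-force sum over state paths, derives a threshold from constructed family and benign scores, and then shows how diluting a family sequence with opcodes the model rates as unlikely drags its per-opcode score below the threshold. The two-state model, the nine-opcode vocabulary, the sample sequences, the midpoint threshold rule and the dilution step are all assumptions made for this illustration; in particular the dilution is not a description of the engine the paper builds.

```python
"""Forward-algorithm scoring of opcode sequences against an HMM.

Illustrative example added to this page: the HMM parameters, the opcode
sequences and the threshold rule are constructed by hand and are not the
paper's model, its virus-generating engine, or any real virus family.
"""
import math
from itertools import product

OPCODES = ["mov", "push", "pop", "call", "ret", "jmp", "add", "xor", "nop"]
IDX = {op: i for i, op in enumerate(OPCODES)}


def assumed_model():
    """Two-state HMM (pi, A, B) standing in for one trained with Baum-Welch
    on a virus family.  Constructed values: state 0 favours data movement,
    state 1 control flow; add/xor/nop are rare in both, i.e. 'benign-looking'."""
    pi = [0.6, 0.4]
    A = [[0.7, 0.3],
         [0.4, 0.6]]
    B = [  # mov   push  pop   call  ret   jmp   add   xor   nop
        [0.35, 0.25, 0.20, 0.08, 0.05, 0.04, 0.01, 0.01, 0.01],
        [0.10, 0.05, 0.05, 0.30, 0.25, 0.22, 0.01, 0.01, 0.01],
    ]
    return pi, A, B


def log_likelihood(seq, model):
    """log P(seq | model) by the scaled forward algorithm: alpha_t is
    renormalised every step and the scale factors are summed in log space,
    so long sequences do not underflow."""
    pi, A, B = model
    obs = [IDX[op] for op in seq]
    n = len(pi)
    alpha = [pi[i] * B[i][obs[0]] for i in range(n)]
    c = sum(alpha)
    logp = math.log(c)
    alpha = [a / c for a in alpha]
    for o in obs[1:]:
        nxt = [sum(alpha[i] * A[i][j] for i in range(n)) * B[j][o]
               for j in range(n)]
        c = sum(nxt)
        logp += math.log(c)
        alpha = [a / c for a in nxt]
    return logp


def brute_force_log_likelihood(seq, model):
    """Same quantity as an explicit sum over every state path (exponential in
    the sequence length); used only to cross-check the recursion above."""
    pi, A, B = model
    obs = [IDX[op] for op in seq]
    total = 0.0
    for path in product(range(len(pi)), repeat=len(obs)):
        p = pi[path[0]] * B[path[0]][obs[0]]
        for t in range(1, len(obs)):
            p *= A[path[t - 1]][path[t]] * B[path[t]][obs[t]]
        total += p
    return math.log(total)


def llpo(seq, model):
    """Log-likelihood per opcode: the length-normalised detection score."""
    return log_likelihood(seq, model) / len(seq)


def pick_threshold(family_scores, benign_scores):
    """Midpoint between the worst family score and the best benign score
    (one simple, assumed rule for setting the cut-off)."""
    return (min(family_scores) + max(benign_scores)) / 2.0


def is_flagged(seq, model, threshold):
    return llpo(seq, model) >= threshold


def dilute(seq, filler, k):
    """Insert k filler opcodes after every original opcode, cycling through
    `filler`.  Illustrative dead-code insertion only: it shows why a
    per-opcode likelihood can be dragged down, not what the paper's engine does."""
    out, pos = [], 0
    for op in seq:
        out.append(op)
        for _ in range(k):
            out.append(filler[pos % len(filler)])
            pos += 1
    return out


# Constructed sample sequences, not disassembly of any real program.
FAMILY = [
    "mov push mov pop call ret mov push pop jmp mov call ret push mov pop".split(),
    "push mov call ret pop mov jmp mov push pop call ret mov mov pop push".split(),
]
BENIGN = [
    "add xor nop mov add nop xor add nop xor add mov nop xor add nop".split(),
    "nop add xor add push nop xor nop add xor nop add xor nop add xor".split(),
]
FILLER = ["add", "xor", "nop"]


def demo():
    """Returns (threshold, family scores, benign scores, diluted scores for
    k = 0..3 fillers per opcode applied to FAMILY[0])."""
    m = assumed_model()
    fam = [llpo(s, m) for s in FAMILY]
    ben = [llpo(s, m) for s in BENIGN]
    thr = pick_threshold(fam, ben)
    diluted = [llpo(dilute(FAMILY[0], FILLER, k), m) for k in range(4)]
    return thr, fam, ben, diluted


if __name__ == "__main__":
    thr, fam, ben, diluted = demo()
    print(f"threshold {thr:.2f}  family {fam}  benign {ben}")
    for k, s in enumerate(diluted):
        print(f"{k} filler(s) per opcode -> LLPO {s:.2f} "
              f"({'flagged' if s >= thr else 'missed'})")
```

Running the file prints the scores and the verdict for each dilution level. Because the score is a per-opcode average, every inserted opcode that the family model rates as unlikely pulls it toward the benign region, and with two fillers per original opcode the constructed sample falls below the constructed threshold while its original opcodes are all still present, in order. Which transformations the authors' engine actually applies is not stated on this page.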
