MEDUSA: MEtamorphic malware dynamic analysis using signature from API

Malware detection and prevention methods are increasingly necessary for computer systems connected to the Internet. Traditional signature-based detection fails against metamorphic malware, which rewrites its code structurally at each propagation while preserving its functionality, so that a fixed byte-pattern signature does not survive from one generation to the next. In this paper we dynamically analyze the executables produced by various metamorphic generators by running them in an emulator and tracing their API calls. A signature is generated for an entire malware class (each class being the family of viruses produced by one metamorphic generator) rather than for each individual sample. We show that most metamorphic viruses of the same family are detected by the same base signature: once a base signature has been generated for a particular metamorphic generator, all metamorphic viruses created with that tool are easily detected by the proposed method. A Proximity Index between metamorphic generators is also proposed to quantify how similar two or more generators are.
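The abstract describes three steps: collect API-call traces of many samples from one generator, reduce them to one base signature for the whole family, and compare families with a Proximity Index. The Python below is an added illustration of that pipeline, not the paper's own code or its actual definitions. The traces are constructed, and the concrete choices are assumptions: the base signature is taken as the API calls that every sample of a family makes (in first-seen order), a new sample matches when that signature occurs as an in-order subsequence of its trace (so junk calls inserted by the engine are tolerated), and the Proximity Index is computed as the Jaccard similarity of two families' signature sets.

```python
"""Family-level API-call signatures from emulator traces.

Added illustration, not the paper's code. The traces are constructed,
and the signature, matching and proximity definitions are assumptions
about one way such a scheme can be built, not the paper's method.
"""

# Constructed traces: for each metamorphic generator (family), a list of
# samples; each sample is the ordered list of API names an emulator logged.
FAMILY_TRACES = {
    "GenA": [
        ["FindFirstFileA", "CreateFileA", "ReadFile", "WriteFile",
         "CloseHandle", "FindNextFileA"],
        ["FindFirstFileA", "GetTickCount", "CreateFileA", "ReadFile",
         "WriteFile", "CloseHandle", "FindNextFileA"],
        ["FindFirstFileA", "CreateFileA", "Sleep", "ReadFile", "WriteFile",
         "Sleep", "CloseHandle", "FindNextFileA"],
    ],
    "GenB": [
        ["GetModuleHandleA", "GetProcAddress", "VirtualAlloc",
         "WriteProcessMemory", "CreateRemoteThread", "CloseHandle"],
        ["GetModuleHandleA", "GetProcAddress", "GetTickCount", "VirtualAlloc",
         "WriteProcessMemory", "CreateRemoteThread", "CloseHandle"],
    ],
}

# Constructed trace of a benign file-copy tool; it must not match.
BENIGN_TRACE = ["CreateFileA", "ReadFile", "WriteFile", "CloseHandle"]
# Constructed unseen GenA variant with extra junk calls inserted by the engine.
NEW_GENA_VARIANT = ["FindFirstFileA", "GetTickCount", "Sleep", "CreateFileA",
                    "ReadFile", "GetTickCount", "WriteFile", "CloseHandle",
                    "FindNextFileA"]


def base_signature(traces):
    """Assumed signature: the API calls present in every sample of the
    family, kept in the order they first occur in the first sample.
    Junk calls vary from sample to sample, so they drop out of the
    intersection; the family's functional core stays."""
    common = set(traces[0])
    for trace in traces[1:]:
        common &= set(trace)
    return tuple(api for api in dict.fromkeys(traces[0]) if api in common)


def build_signatures(family_traces):
    """One base signature per generator (family)."""
    return {name: base_signature(t) for name, t in family_traces.items()}


def is_subsequence(signature, trace):
    """True if the signature's calls appear in the trace in that order,
    with any number of other calls in between (tolerates inserted junk)."""
    it = iter(trace)
    return all(any(api == seen for seen in it) for api in signature)


def classify(signatures, trace):
    """Name of the first family whose base signature matches, else None."""
    for name, sig in signatures.items():
        if sig and is_subsequence(sig, trace):
            return name
    return None


def proximity_index(sig_a, sig_b):
    """Assumed Proximity Index: Jaccard similarity of two signature sets
    (1.0 = identical API sets, 0.0 = nothing shared)."""
    a, b = set(sig_a), set(sig_b)
    return len(a & b) / len(a | b) if a | b else 0.0


if __name__ == "__main__":
    sigs = build_signatures(FAMILY_TRACES)
    for name, sig in sigs.items():
        print(name, "signature:", " -> ".join(sig))
    print("new variant classified as:", classify(sigs, NEW_GENA_VARIANT))
    print("benign tool classified as:", classify(sigs, BENIGN_TRACE))
    print("proximity GenA/GenB: %.3f" % proximity_index(sigs["GenA"], sigs["GenB"]))
```

Two caveats a practitioner would check before using something like this. Set intersection is only as good as the trace normalisation: an engine that swaps `CreateFileA` for `CreateFileW`, or a sandbox that logs the `Nt*` layer for one run and the `Kernel32` layer for another, will shrink the common core until the signature matches almost anything, so API names should be canonicalised first. And because the signature is the behaviour every sample shares, two generators that both start from a common prologue (loader setup, self-location) will score a non-zero Proximity Index without being related, which is why the index is useful for ranking similarity but not on its own for attribution.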
