To produce many new malware samples quickly and cheaply, an attacker can simply modify the binary files of existing malware to create new ones, known as malware variants. Malware variants are all the new malware samples produced, manually or automatically, from any existing malware. Even this simple approach changes the signature of the original malware, so the new variants can confuse and bypass most popular signature-based anti-malware tools. In this paper we propose a novel byte frequency based detecting model (BFBDM) to address the problem of identifying malware variants. The byte frequency of a piece of software is the frequency of each distinct unsigned byte value in its binary file. To implement BFBDM, two metrics are defined and calculated between the suspicious software and a base sample (a known malware): the distance and the similarity. According to the experimental results, when the distance is low and the similarity is high, the suspicious software is a variant of the selected malware with very high probability. The preliminary experimental results show that our model is efficient and effective for identifying malware variants, especially manually produced ones.
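The following is an added example, not code from the paper, that implements the comparison the abstract describes: a 256-bin byte histogram of a binary, a distance and a similarity between the suspicious file's histogram and a known base sample's, and the decision rule "low distance and high similarity means variant". The abstract names the two metrics but not their formulas, so the Euclidean distance between the normalised histograms and the cosine similarity used here are assumptions, as are the thresholds. The three sample "binaries" are constructed byte strings, not real files.

```python
"""Byte-frequency comparison of binaries, in the spirit of the BFBDM described above.

Added example, not the paper's code. The abstract names two metrics (distance
and similarity) but not their formulas; here the distance is assumed to be the
Euclidean distance between the two normalised 256-bin byte histograms and the
similarity the cosine similarity of those histograms. The sample binaries are
constructed below, not real malware.
"""
from __future__ import annotations

import math
from collections import Counter


def byte_frequency(data: bytes) -> list[float]:
    """Relative frequency of each of the 256 unsigned byte values in data."""
    if not data:
        raise ValueError("empty input has no byte frequency")
    counts = Counter(data)
    n = len(data)
    return [counts.get(b, 0) / n for b in range(256)]


def distance(p: list[float], q: list[float]) -> float:
    """Euclidean distance between two frequency vectors (assumed definition)."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))


def similarity(p: list[float], q: list[float]) -> float:
    """Cosine similarity between two frequency vectors (assumed definition), 0..1."""
    dot = sum(a * b for a, b in zip(p, q))
    norm = math.sqrt(sum(a * a for a in p)) * math.sqrt(sum(b * b for b in q))
    return dot / norm if norm else 0.0


def compare(base: bytes, suspect: bytes) -> tuple[float, float]:
    """Return (distance, similarity) of suspect against the known base sample."""
    fp, fq = byte_frequency(base), byte_frequency(suspect)
    return distance(fp, fq), similarity(fp, fq)


def is_variant(base: bytes, suspect: bytes,
               max_distance: float = 0.05, min_similarity: float = 0.95) -> bool:
    """BFBDM decision rule from the abstract: low distance AND high similarity.

    The two thresholds are illustrative constants chosen for the constructed
    samples below; a real deployment would calibrate them on labelled data.
    """
    d, s = compare(base, suspect)
    return d <= max_distance and s >= min_similarity


# --- constructed sample "binaries" (not real files) ------------------------
# Base sample: a zero-filled header region, a block touching every byte value
# (stands in for code/data), and a run of 0xFF padding.
BASE = b"\x00" * 2000 + bytes(range(256)) * 8 + b"\xff" * 500

# Variant: same layout, but 100 header bytes patched to 0x90 (x86 NOP) and
# 100 bytes of 'A' appended, the kind of small binary edit the abstract describes.
VARIANT = (b"\x00" * 1900 + b"\x90" * 100 + bytes(range(256)) * 8
           + b"\xff" * 500 + b"A" * 100)

# Unrelated sample: plain ASCII text with a very different byte histogram.
UNRELATED = b"GET / HTTP/1.1\r\nHost: example.test\r\n" * 100


if __name__ == "__main__":
    for name, sample in (("variant", VARIANT), ("unrelated", UNRELATED)):
        d, s = compare(BASE, sample)
        print(f"{name:9s} distance={d:.4f} similarity={s:.4f} "
              f"variant={is_variant(BASE, sample)}")
```

Both metrics are computed on normalised histograms, so appending or patching a few hundred bytes moves the variant only slightly away from the base while a file with a genuinely different byte distribution lands far away on both measures; that is the separation the abstract reports, and it also shows the model's limit, since a variant that is repacked or encrypted changes its whole histogram and would not be caught by this rule alone.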