Morphing engines classification by code histogram

Morphing (mutation) engines are used by metamorphic viruses to change the appearance of their code in every new generation. Their purpose is to evade signature-based scanners, which detect a virus by a unique byte-string signature. Although obfuscation techniques rewrite the byte sequence of the code, with some of them the statistical profile of the code bytes remains relatively unchanged from one generation to the next. This profile can therefore be used to classify the engine and to detect the morphed virus code. In this article we introduce a new idea for classifying obfuscation engines by the statistical profile of their output, using histogram comparison.

Keywords: Computer Virus, Malware Morphing Engines, Obfuscation Engines, Mutation Engine, Metamorphic Virus, Code Histogram, Histogram Comparison

I. INTRODUCTION

The purpose of code obfuscation is to make a program harder to understand through static analysis [1, 2]. To achieve this, an obfuscation engine transforms the program into a different-looking version while keeping the behaviour of all versions equivalent [3]. The same capability can protect legitimate software against tampering and reverse engineering, but it is widely used by virus writers to armour their code against antivirus analysts [4]. Metamorphic viruses use obfuscation techniques to rewrite themselves into new versions with dissimilar byte sequences, so traditional string-signature scanners cannot efficiently detect and classify the new instances. In this study we propose a relatively novel way of dealing with metamorphic engines that focuses on one statistical feature of the code: the histogram of its bytes. We show that this approach can be used to classify obfuscation engines.

This solution can be developed further to become more reliable and effective, and eventually be used in antivirus scanners. In the next section we review recent work on this problem and the most closely related methods and experiments. We then present the proposed solution and explain what is new about it. After that we describe the methodology and implementation, and in the final section we summarise the work and give recommendations for future development.
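To make the idea concrete, the following Python example is added here; it is not the authors' implementation and its inputs are constructed. It assumes two hypothetical engines that mutate a short x86-looking byte string (block permutation, which leaves the byte histogram unchanged, and NOP padding, which shifts it in a consistent way), builds one reference histogram per engine from a few generations, and assigns an unseen variant to the engine whose reference is nearest under cosine similarity (histogram intersection is included as an alternative metric). A third transform, XOR re-encoding with a fresh key per generation, shows the caveat the abstract hints at: not every obfuscation preserves the byte statistics.

```python
"""Byte-histogram comparison for grouping code variants by morphing engine.

Added illustration, not the paper's code. Engines, sample bytes and seeds
are constructed for the example.
"""
from __future__ import annotations

import math
import random

# Constructed sample "code": a short x86-looking byte pattern, repeated so
# the histogram has enough mass. Not taken from any real binary.
BASE_CODE = bytes.fromhex("5589e583ec108b45088b550c01d08945fc8b45fcc9c3") * 8


def byte_histogram(code: bytes) -> list[float]:
    """256-bin histogram of byte values, normalized to relative frequencies
    so that variants of different length can be compared."""
    counts = [0] * 256
    for b in code:
        counts[b] += 1
    total = len(code) or 1
    return [c / total for c in counts]


def cosine_similarity(h1: list[float], h2: list[float]) -> float:
    """1.0 for identical distributions, 0.0 for disjoint ones."""
    dot = sum(a * b for a, b in zip(h1, h2))
    n1 = math.sqrt(sum(a * a for a in h1))
    n2 = math.sqrt(sum(b * b for b in h2))
    return dot / (n1 * n2) if n1 and n2 else 0.0


def histogram_intersection(h1: list[float], h2: list[float]) -> float:
    """Sum of per-bin minima; also 1.0 for identical normalized histograms."""
    return sum(min(a, b) for a, b in zip(h1, h2))


def mean_histogram(hists: list[list[float]]) -> list[float]:
    return [sum(col) / len(hists) for col in zip(*hists)]


# --- hypothetical engines (constructed for the example) ---------------------
def engine_permute(code: bytes, rng: random.Random) -> bytes:
    """Reorders 4-byte blocks (stand-in for block reordering). Bytes are
    only moved, never changed, so the histogram is preserved exactly."""
    blocks = [code[i:i + 4] for i in range(0, len(code), 4)]
    rng.shuffle(blocks)
    return b"".join(blocks)


def engine_nop_pad(code: bytes, rng: random.Random) -> bytes:
    """Inserts a 0x90 (NOP) after roughly half the bytes (stand-in for
    dead-code insertion). Bin 0x90 gains a roughly constant share, so
    generations still resemble one another."""
    out = bytearray()
    for b in code:
        out.append(b)
        if rng.random() < 0.5:
            out.append(0x90)
    return bytes(out)


def engine_xor_reencode(code: bytes, key: int) -> bytes:
    """XORs every byte with a per-generation key: bins are permuted
    differently for each key, so the raw byte histogram is not stable."""
    return bytes(b ^ key for b in code)


ENGINES = {"permute": engine_permute, "nop_pad": engine_nop_pad}


def build_references(generations: int = 5, seed: int = 1) -> dict[str, list[float]]:
    """Average histogram over several generations of each engine."""
    rng = random.Random(seed)
    return {
        name: mean_histogram([byte_histogram(fn(BASE_CODE, rng)) for _ in range(generations)])
        for name, fn in ENGINES.items()
    }


def classify(sample: bytes, references: dict[str, list[float]], metric=cosine_similarity) -> str:
    """Nearest-neighbour assignment: the engine whose reference histogram
    is most similar to the sample's histogram."""
    h = byte_histogram(sample)
    return max(references, key=lambda name: metric(h, references[name]))


def demo_classification(seed: int = 99) -> dict[str, str]:
    """Classify one unseen generation of each engine; returns engine -> label."""
    refs = build_references()
    rng = random.Random(seed)
    return {name: classify(fn(BASE_CODE, rng), refs) for name, fn in ENGINES.items()}


def xor_generation_similarity(key1: int, key2: int) -> float:
    """Cosine similarity between two XOR-re-encoded generations."""
    return cosine_similarity(byte_histogram(engine_xor_reencode(BASE_CODE, key1)),
                             byte_histogram(engine_xor_reencode(BASE_CODE, key2)))


if __name__ == "__main__":
    for engine, label in demo_classification().items():
        print(f"{engine:8s} -> {label}")
    print("xor generations similarity:", round(xor_generation_similarity(0x5A, 0xA5), 3))
```

The permuted and padded variants are assigned to the right engine because their histograms stay close to the per-engine reference, while the two XOR-re-encoded generations have no byte value in common and score zero: a raw byte histogram only classifies engines whose transformations leave the byte distribution roughly intact, and an engine that re-encrypts its body with a new key each time has to be measured on the decryptor stub, the decrypted body, or a higher-level feature such as an opcode histogram instead.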

REFERENCES

[1] L. Mé et al., "Code obfuscation techniques for metamorphic viruses," Journal in Computer Virology, 2008.

[2] K. Yim et al., "Malware Obfuscation Techniques: A Brief Survey," 2010 International Conference on Broadband, Wireless Computing, Communication and Applications, 2010.

[3] M. Stamp et al., "Practical Detection of Metamorphic Computer Viruses," 2008.

[4] M. Monga et al., "Code Normalization for Self-Mutating Malware," IEEE Security & Privacy, 2007.

[5] P. Szor, The Art of Computer Virus Research and Defense, 2005.

[6] S. Ibrahim et al., "Evolution of Computer Virus Concealment and Anti-Virus Techniques: A Short Survey," arXiv, 2011.

[7] R. K. Guha et al., "Detecting Obfuscated Viruses Using Cosine Similarity Analysis," First Asia International Conference on Modelling & Simulation (AMS'07), 2007.

[8] T. Darrell et al., Nearest-Neighbor Methods in Learning and Vision: Theory and Practice (Neural Information Processing), 2006.

[9] Y. B. Zikria et al., "Evading Virus Detection Using Code Obfuscation," FGIT, 2010.

[10] M. Stamp et al., "Hunting for metamorphic engines," Journal in Computer Virology, 2006.

[11] M. Stamp et al., "Hunting for undetectable metamorphic viruses," Journal in Computer Virology, 2011.

[12] B. Bashari Rad et al., "Metamorphic Virus Variants Classification Using Opcode Frequency Histogram," arXiv, 2011.