
Static analysis for the detection of metamorphic computer viruses using repeated-instructions counting heuristics

  • Original Paper
  • Journal of Computer Virology and Hacking Techniques

Abstract

Metamorphic viruses are particularly insidious because they change their form at each infection, which makes detection hard. Many techniques have been proposed to produce metamorphic malware, and many approaches have been explored to detect it. This paper introduces a detection technique that relies on the assumption that a side effect of the most common metamorphic engines is the dissemination of a high number of repeated instructions in the body of the virus program. We have evaluated our technique on a population of 1,000 programs, and the experimental outcomes indicate that it is accurate in classifying metamorphic viruses as well as viruses of other kinds. Virus writers tend to introduce code from benign files in order to evade antivirus software; our technique is able to recognize a virus even if benign code is added to it.



Author information

Correspondence to Corrado Aaron Visaggio.

Cite this article

Canfora, G., Iannaccone, A.N. & Visaggio, C.A. Static analysis for the detection of metamorphic computer viruses using repeated-instructions counting heuristics. J Comput Virol Hack Tech 10, 11–27 (2014). https://doi.org/10.1007/s11416-013-0189-0

  • DOI: https://doi.org/10.1007/s11416-013-0189-0
