Abstract
Metamorphic viruses are particularly insidious because they change their form at each infection, which makes detection hard. Many techniques have been proposed to produce metamorphic malware, and many approaches have been explored to detect it. This paper introduces a detection technique that relies on the assumption that a side effect of the most common metamorphic engines is the dissemination of a high number of repeated instructions in the body of the virus program. We have evaluated our technique on a population of 1,000 programs, and the experimental outcomes indicate that it is accurate in classifying metamorphic viruses and viruses of other kinds, too. Virus writers often introduce code from benign files in order to evade antivirus software; our technique is able to recognize a virus even if benign code is added to it.
Cite this article
Canfora, G., Iannaccone, A.N. & Visaggio, C.A. Static analysis for the detection of metamorphic computer viruses using repeated-instructions counting heuristics. J Comput Virol Hack Tech 10, 11–27 (2014). https://doi.org/10.1007/s11416-013-0189-0
DOI: https://doi.org/10.1007/s11416-013-0189-0