Babak Bashari Rad,Maslin Masrom

DOI: https://doi.org/10.48550/arXiv.1104.3228

2011-04-16

Abstract:In order to prevent detection and evade signature-based scanning methods, which are normally exploited by antivirus software, metamorphic viruses use several various obfuscation approaches. They transform their code in new instances as look entirely or partly different and contain dissimilar sequences of string, but their behavior and function remain unchanged. This obfuscation process allows them to stay away from the string based signature detection. In this research, we use a statistical technique to compare the similarity between two files infected by two morphed versions of a given metamorphic virus. Our proposed solution based on static analysis and it uses the histogram of machine instructions frequency in various offspring of obfuscated viruses. We use Euclidean histogram distance metric to compare a pair of portable executable (PE) files. The aim of this study is to show that for some particular obfuscation methods, the presented solution can be exploited to detect morphed varieties of a file. Hence, it can be utilized by non-string based signature scanning to identify whether a file is a version of a metamorphic virus or not.

Cryptography and Security

Reza Mirzazadeh,Mohammad Hossein Moattar,Majid Vafaei Jahan

DOI: https://doi.org/10.48550/arXiv.1811.04304

2018-11-11

Abstract:The most common malware detection approaches which are based on signature matching and are not sufficient for metamorphic malware detection, since virus kits and metamorphic engines can produce variants with no resemblance to one another. Metamorphism provides an efficient way for eluding malware detection software kits. Code obfuscation methods like dead-code insertion are also widely used in metamorphic malware. In order to address the problem of detecting mutated generations, we propose a method based on Opcode Graph Similarity (OGS). OGS tries to detect metamorphic malware using the similarity of opcode graphs. In this method, all nodes and edges have a respective effect on classification, but in the proposed method, edges of graphs are pruned using Linear Discriminant Analysis (LDA). LDA is based on the concept of searching for a linear combination of predictors that best separates two or more classes. Most distinctive edges are identified with LDA and the rest of edges are removed. The metamorphic malware families considered here are NGVCK and metamorphic worms that we denote these worms as MWOR. The results show that our approach is capable of classifying metamorphosed instances with no or minimum false alarms. Also, our proposed method can detect NGVCK and MWOR with high accuracy rate.

Cryptography and Security

Moustafa Saleh

DOI: https://doi.org/10.48550/arXiv.1206.5871

2013-12-15

Abstract:Metamorphic viruses are considered the most dangerous of all computer viruses. Unlike other computer viruses that can be detected statically using static signature technique or dynamically using emulators, metamorphic viruses change their code to avoid such detection techniques. This makes metamorphic viruses a real challenge for computer security researchers. In this thesis, we investigate the techniques used by metamorphic viruses to alter their code, such as trivial code insertion, instructions substitution, subroutines permutation and register renaming. An in-depth survey of the current techniques used for detection of this kind of viruses is presented. We discuss techniques that are used by commercial antivirus products, and those introduced in scientific researches. Moreover, a novel approach is then introduced for metamorphic virus recognition based on unsupervised machine learning generally and Eigenfaces technique specifically which is widely used for face recognition. We analyze the performance of the proposed technique and show the experimental results compared to results of well-known antivirus engines. Finally, we discuss the future and potential enhancements of the proposed approach to detect more and other target viruses.

Cryptography and Security

Zhi Xin,Huiyu Chen,Hao Han,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/978-3-642-18178-8_16

2011-01-01

Abstract:Program obfuscation techniques have been widely used by malware to dodge the scanning from anti-virus detectors. However, signature based on the data structures appearing in the runtime memory makes traditional code obfuscation useless. Laika [2] implements this signature using Bayesian unsupervised learning, which clusters similar vectors of bytes in memory into the same class. We present a novel malware obfuscation technique that automatically obfuscate the data structure layout so that memory similarities between malware programs are blurred and hardly recognized. We design and implement the automatic data structure obfuscation technique as a GNU GCC compiler extension that can automatically distinguish the obfuscability of the data structures and convert part of the unobfuscable data structures into obfuscable. After evaluated by fourteen real-world malware programs, we present that our tool maintains a high proportion of obfuscated data structures as 60.19% for type and 60.49% for variable.

Wei Deng,Qiao Liu,Hongrong Cheng,Zhiguang Qin

2011-01-01

Journal of Computational Information Systems

Abstract:Malware has been posing a major threat for computer systems. The huge amount and diversity of its variants, such as computer viruses, Internet worms and Trojan horses, render classic security defenses ineffective. For the existence of active adversaries which constantly attempt to evade anti-malware, traditional signature-based approaches fail to detect malware which is new or obfuscated. This paper presents a general malware detection framework based on Kolmogorov complexity. As an example, we use a statistical data compression model which is Dynamic Markov Compression (DMC) to classify a code instance either as a "malware" or "benign" code instance. Our preliminary results are very promising. Our experimental results also demonstrate the framework can effectively detect unknown and obfuscated malware with high quality. © 2005 by Binary Information Press.

Pooria Madani

2024-10-31

Abstract:Code metamorphism refers to a computer programming exercise wherein the program modifies its own code (partial or entire) consistently and automatically while retaining its core functionality. This technique is often used for online performance optimization and automated crash recovery in certain mission-critical applications. However, the technique has been misappropriated by malware creators to bypass signature-based detection measures instituted by anti-malware engines. However, current code mutation engines used by threat actors offer only a limited degree of mutation, which is frequently detectable via static code analysis. The advent of large language models (LLMs), such as ChatGPT 4.0 and Google Bard may lead to a significant evolution in this landscape. These models have demonstrated a level of algorithm comprehension and code synthesis capability that closely resembles human abilities. This advancement has sparked concerns among experts that such models could be exploited by threat actors to generate sophisticated metamorphic malware. This paper explores the potential of several prominent LLMs for software code mutation that may be used to reconstruct (with mutation) existing malware code bases or create new forms of embedded mutation engines for next-gen metamorphic malwares. In this work, we introduce a framework for creating self-testing program mutation engines based on LLM/Transformer-based models. The proposed framework serves as an essential tool in testing next-gen metamorphic malware detection engines.

Cryptography and Security,Machine Learning

Alberto Redondo,David Rios Insua

DOI: https://doi.org/10.48550/arXiv.1911.03653

2019-11-09

Abstract:Malware constitutes a major global risk affecting millions of users each year. Standard algorithms in detection systems perform insufficiently when dealing with malware passed through obfuscation tools. We illustrate this studying in detail an open source metamorphic software, making use of a hybrid framework to obtain the relevant features from binaries. We then provide an improved alternative solution based on adversarial risk analysis which we illustrate describe with an example.

Cryptography and Security,Machine Learning

Wei Yang,Deguang Kong,Tao Xie,Carl A. Gunter

DOI: https://doi.org/10.1145/3134600.3134642

2017-01-01

Abstract:Existing techniques on adversarial malware generation employ feature mutations based on feature vectors extracted from malware. However, most (if not all) of these techniques suffer from a common limitation: feasibility of these attacks is unknown. The synthesized mutations may break the inherent constraints posed by code structures of the malware, causing either crashes or malfunctioning of malicious payloads. To address the limitation, we present Malware Recomposition Variation (MRV), an approach that conducts semantic analysis of existing malware to systematically construct new malware variants for malware detectors to test and strengthen their detection signatures/models. In particular, we use two variation strategies (i.e., malware evolution attack and malware confusion attack) following structures of existing malware to enhance feasibility of the attacks. Upon the given malware, we conduct semantic-feature mutation analysis and phylogenetic analysis to synthesize mutation strategies. Based on these strategies, we perform program transplantation to automatically mutate malware bytecode to generate new malware variants. We evaluate our MRV approach on actual malware variants, and our empirical evaluation on 1,935 Android benign apps and 1,917 malware shows that MRV produces malware variants that can have high likelihood to evade detection while still retaining their malicious behaviors. We also propose and evaluate three defense mechanisms to counter MRV.

Ming Xu,Lingfei Wu,Shuhui Qi,Jian Xu,Haiping Zhang,Yizhi Ren,Ning Zheng

DOI: https://doi.org/10.1007/s11416-012-0175-y

2013-01-01

Journal of Computer Virology and Hacking Techniques

Abstract:Code obfuscating technique plays a significant role to produce new obfuscated malicious programs, generally called malware variants, from previously encountered malwares. However, the traditional signature-based malware detecting method is hard to recognize the up-to-the-minute obfuscated malwares. This paper proposes a method to identify the malware variants based on the function-call graph. Firstly, the function-call graphs were created from the disassembled codes of program; then the caller–callee relationships of functions and the operational code (opcode) information about functions, combining the graph coloring techniques were used to measure the similarity metric between two function-call graphs; at last, the similarity metric was utilized to identify the malware variants from known malwares. The experimental results show that the proposed method is able to identify the obfuscated malicious softwares effectively.

Jeet Patil

DOI: https://doi.org/10.22214/ijraset.2023.57836

2024-01-31

International Journal for Research in Applied Science and Engineering Technology

Abstract:Abstract: Among the more well-known types of automatic detection technology, malware detection includes detection and protection methods against viruses caused by viruses, worms, Trojan horses, spyware, and various types of malicious code. Failure to find a malware program at its inception leaves a space where it will send a significant threat and value to online security not only for individuals, organizations but also the community and the nation. And it seems that antivirus software may fail to detect viruses if it is not updated on a website with an anti-virus engine. The great struggle is to find a new virus because when it encounters new malware behavior, it takes a series of steps based on established law. If the rule of law determines thatthe new behavior is safe the virus remains undetected.

English Else

Shirish Singh,Gail Kaiser

DOI: https://doi.org/10.48550/arXiv.2104.13295

2021-04-28

Abstract:Machine learning-based malware detection systems are often vulnerable to evasion attacks, in which a malware developer manipulates their malicious software such that it is misclassified as benign. Such software hides some properties of the real class or adopts some properties of a different class by applying small perturbations. A special case of evasive malware hides by repackaging a bonafide benign mobile app to contain malware in addition to the original functionality of the app, thus retaining most of the benign properties of the original app. We present a novel malware detection system based on metamorphic testing principles that can detect such benign-seeming malware apps. We apply metamorphic testing to the feature representation of the mobile app rather than to the app itself. That is, the source input is the original feature vector for the app and the derived input is that vector with selected features removed. If the app was originally classified benign and is indeed benign, the output for the source and derived inputs should be the same class, i.e., benign, but if they differ, then the app is exposed as likely malware. Malware apps originally classified as malware should retain that classification since only features prevalent in benign apps are removed. This approach enables the machine learning model to classify repackaged malware with reasonably few false negatives and false positives. Our training pipeline is simpler than many existing ML-based malware detection methods, as the network is trained end-to-end to learn appropriate features and perform classification. We pre-trained our classifier model on 3 million apps collected from the widely-used AndroZoo dataset. We perform an extensive study on other publicly available datasets to show our approach's effectiveness in detecting repackaged malware with more than94% accuracy, 0.98 precision, 0.95 recall, and 0.96 F1 score.

Cryptography and Security,Software Engineering

Alain Menelet,Charles-Edmond Bichot

DOI: https://doi.org/10.48550/arXiv.2104.03586

2021-04-08

Abstract:The Android operating system is the most spread mobile platform in the world. Therefor attackers are producing an incredible number of malware applications for Android. Our aim is to detect Android's malware in order to protect the user. To do so really good results are obtained by dynamic analysis of software, but it requires complex environments. In order to achieve the same level of precision we analyze the machine code and investigate the frequencies of ngrams of opcodes in order to detect singular code blocks. This allow us to construct a database of infected code blocks. Then, because attacker may modify and organized differently the infected injected code in their new malware, we perform not only a semantic comparison of the tested software with the database of infected code blocks but also a structured comparison. To do such comparison we compute subgraph isomorphism. It allows us to characterize precisely if the tested software is a malware and if so in witch family it belongs. Our method is tested both on a laboratory database and a set of real data. It achieves an almost perfect detection rate.

Cryptography and Security

陈惠羽,茅兵,谢立

DOI: https://doi.org/10.3969/j.issn.1006-6675-B.2012.02.046

2012-01-01

Abstract:Metamorphism and polymorphism are often applied on some malwares to protect their programs against reverse engineering or detected by some anti virus products. However, data structure information based malware signatures invalidate traditional metamorphic technologies. In this paper, we propose a metamorphism tool, which obfuscates data structure in binary code level. This obfuscation technology is more flexible compared to the previous randomizations. Preliminary experimental results show that our tool could obfuscate data structure remarkably with little performance overhead.

S M Rakib Hasan,Aakar Dhakal

2024-04-03

Abstract:In the era of the internet and smart devices, the detection of malware has become crucial for system security. Malware authors increasingly employ obfuscation techniques to evade advanced security solutions, making it challenging to detect and eliminate threats. Obfuscated malware, adept at hiding itself, poses a significant risk to various platforms, including computers, mobile devices, and IoT devices. Conventional methods like heuristic-based or signature-based systems struggle against this type of malware, as it leaves no discernible traces on the system. In this research, we propose a simple and cost-effective obfuscated malware detection system through memory dump analysis, utilizing diverse machine-learning algorithms. The study focuses on the CIC-MalMem-2022 dataset, designed to simulate real-world scenarios and assess memory-based obfuscated malware detection. We evaluate the effectiveness of machine learning algorithms, such as decision trees, ensemble methods, and neural networks, in detecting obfuscated malware within memory dumps. Our analysis spans multiple malware categories, providing insights into algorithmic strengths and limitations. By offering a comprehensive assessment of machine learning algorithms for obfuscated malware detection through memory analysis, this paper contributes to ongoing efforts to enhance cybersecurity and fortify digital ecosystems against evolving and sophisticated malware threats. The source code is made open-access for reproducibility and future research endeavours. It can be accessed at

Cryptography and Security,Computation and Language,Machine Learning

Hashem Hashemi,Amin Azmoodeh,Ali Hamzeh,Sattar Hashemi

DOI: https://doi.org/10.1007/s11416-016-0278-y

2016-05-19

Journal of Computer Virology and Hacking Techniques

Abstract:Malware is any type of computer program which is developed to harm computers, networks, and information. Noticeable growth of malware development has made computer and network security a significant and challenging area in recent years. There is an intensive competition between malwares and antiviruses. Malware authors make every effort to develop new harmful codes using various programming tricks and exploits which are unseen for detection techniques. On the other hand, antivirus developers upgrade their methods and algorithms to recognize unknown malware. Therefore, an accurate and rapid detection method is an irrefutable demand in computer security area. This paper proposes a new malware detection method based on the OpCodes within an executable file. Proposed method generates a graph of operational codes (OpCode) within an executable file and then embeds this graph into eigenspace using “Power Iteration” method. This will help us represent an executable file as a linear combination of eigenvectors proportionate to their eigenvalues, which is beneficial to train machine learning classifiers such as k-nearest neighbor (KNN) and support vector machine (SVM). The main advantages of our proposed method are high detection rate despite utilizing simple classifiers like KNN, acceptable computational complexity even in large scale datasets against rival methods, and low false positive rate.

Cengiz Acarturk,Melih Sirlanci,Pinar Gurkan Balikcioglu,Deniz Demirci,Nazenin Sahin,Ozge Acar Kucuk

DOI: https://doi.org/10.48550/arXiv.2101.05646

2021-01-14

Cryptography and Security

Abstract:Malicious software threats and their detection have been gaining importance as a subdomain of information security due to the expansion of ICT applications in daily settings. A major challenge in designing and developing anti-malware systems is the coverage of the detection, particularly the development of dynamic analysis methods that can detect polymorphic and metamorphic malware efficiently. In the present study, we propose a methodological framework for detecting malicious code by analyzing run trace outputs by Long Short-Term Memory (LSTM). We developed models of run traces of malicious and benign Portable Executable (PE) files. We created our dataset from run trace outputs obtained from dynamic analysis of PE files. The obtained dataset was in the instruction format as a sequence and was called Instruction as a Sequence Model (ISM). By splitting the first dataset into basic blocks, we obtained the second one called Basic Block as a Sequence Model (BSM). The experiments showed that the ISM achieved an accuracy of 87.51% and a false positive rate of 18.34%, while BSM achieved an accuracy of 99.26% and a false positive rate of 2.62%.

Sanjay K. Sahay,Ashu Sharma

DOI: https://doi.org/10.48550/arXiv.1606.06908

2016-06-22

Abstract:The metamorphic malware variants with the same malicious behavior (family), can obfuscate themselves to look different from each other. This variation in structure leads to a huge signature database for traditional signature matching techniques to detect them. In order to effective and efficient detection of malware in large amounts of executables, we need to partition these files into groups which can identify their respective families. In addition, the grouping criteria should be chosen such a way that, it can also be applied to unknown files encounter on computers for classification. This paper discusses the study of malware and benign executables in groups to detect unknown malware with high accuracy. We studied sizes of malware generated by three popular second generation malware (metamorphic malware) creator kits viz. G2, PS-MPC and NGVCK, and observed that the size variation in any two generated malware from same kit is not much. Hence, we grouped the executables on the basis of malware sizes by using Optimal k-Means Clustering algorithm and used these obtained groups to select promising features for training (Random forest, J48, LMT, FT and NBT) classifiers to detect variants of malware or unknown malware. We find that detection of malware on the basis of their respected file sizes gives accuracy up to 99.11% from the classifiers.

Cryptography and Security,Artificial Intelligence

Shanhu Shang,Ning Zheng,Jian Xu,Ming Xu,Haiping Zhang

DOI: https://doi.org/10.1109/malware.2010.5665787

2010-01-01

Abstract:Currently, signature-based malware scanning is still the dominant approach to identify malware samples in the wild due to its low false positive rate. However, this approach concentrates on programs' specific instructions, and lacks insight into high level semantics; it is enduring challenges from advanced code obfuscation techniques such as polymorphism and metamorphism. To overcome this shortcoming, this paper extracts a program's function-call graph as its signature. The paper presents a method to compute similarity between two binaries on basis of their function-call graph similarity. The proposed method relies on static analysis of a program, it first disassembles the program into assemble code, and then it uses a novel algorithm to construct the function-call graph from the assembly instructions. After that, it proposes a simple but effective graph matching method to compute similarity between two binaries. A prototype is implemented and evaluated on several well-known malware families and benign programs.

Rami Sihwail,Khairuddin Omar,Khairul Akram Zainol Ariffin,Sanad Al Afghani,Khairul Zainol Ariffin

DOI: https://doi.org/10.3390/app9183680

2019-09-05

Applied Sciences

Abstract:The need to detect malware before it harms computers, mobile phones and other electronic devices has caught the attention of researchers and the anti-malware industry for many years. To protect users from malware attacks, anti-virus software products are downloaded on the computer. The anti-virus mainly uses signature-based techniques to detect malware. However, this technique fails to detect malware that uses packing, encryption or obfuscation techniques. It also fails to detect unseen (new) ones. This paper proposes an integrated malware detection approach that applies memory forensics to extract malicious artifacts from memory and combines them to features extracted during the execution of malware in a dynamic analysis. Pre-modeling techniques were also applied for feature engineering before training and testing the data set on the machine learning models. The experimental results show a significant improvement in both detection accuracy rate and false positive rate, 98.5% and 1.7% respectively, by applying the support vector machine. The results verify that our integrated analysis approach outperforms other analysis methods. In addition, the proposed approach overcomes the limitation of single path file execution in dynamic analysis by adding more relevant memory artifacts that can reveal the real intention of malicious files.

K. Mclaughlin,Philip O'Kane,S. Sezer

DOI: https://doi.org/10.1109/MSP.2011.98

2011-09-01

Abstract:A cyberwar exists between malware writers and antimalware researchers. At this war's heart rages a weapons race that originated in the 80s with the first computer virus. Obfuscation is one of the latest strategies to camouflage the telltale signs of malware, undermine antimalware software, and thwart malware analysis. Malware writers use packers, polymorphic techniques, and metamorphic techniques to evade intrusion detection systems. The need exists for new antimalware approaches that focus on what malware is doing rather than how it's doing it.

Computer Science