DOI: 10.1145/3338503.3357720 (research article)

MetaHunt: Towards Taming Malware Mutation via Studying the Evolution of Metamorphic Virus

Published: 15 November 2019

Abstract

As the underground malware industry prospers, malware developers consistently attempt to camouflage malicious code and undermine malware detection with various obfuscation schemes. Among them, metamorphism is known to have the potential to defeat popular signature-based malware detection. A metamorphic malware sample mutates its code during propagation so that each instance of the same family bears little resemblance to any other variant. Especially as compiler and binary rewriting techniques mature, metamorphic malware will become much easier to develop and will eventually break out widely. To fully understand the metamorphic engine, the core part of metamorphic malware, we attempt to systematically study the evolution of metamorphic malware over time. Unlike previous work, we do not require any prior knowledge about the metamorphic engine in use. Instead, we perform trace-based semantic binary diffing to compare mutated code iteratively and memoize semantically equivalent basic blocks. We have developed a prototype, called MetaHunt, and evaluated it with 1,400 metamorphic malware variants. Our experimental results show that MetaHunt can accurately capture the semantics of unknown metamorphic engines, and all of the comparisons converge in a reasonable time. In addition, MetaHunt identifies several metamorphic engine bugs that lead to semantics-breaking transformations. We summarize the lessons learned from our empirical study, hoping to stimulate the design of mutation-aware solutions that defend against this threat proactively.
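To make the memoized semantic comparison described above concrete, here is an added illustration (not MetaHunt's code) that decides whether two basic blocks are semantically equivalent by running both on random concrete register states, a simplification of trace-based semantic diffing, and caches each pair's verdict so that a block pair is compared only once; the toy x86-like instruction subset, the register set and the sample blocks are constructed for the example, and the "broken" mutant models the kind of engine bug the abstract mentions (a transformation that clobbers a register the original leaves untouched).

```python
import random

MASK = 0xFFFFFFFF
REGS = ("eax", "ebx", "ecx", "edx")  # constructed register state for the toy machine

def run_block(block, state):
    """Interpret a basic block (list of 'op dst, src' strings, a toy x86-like subset)
    on a register state and return the resulting state."""
    r = dict(state)
    for ins in block:
        op, operands = ins.split(None, 1)
        dst, src = (x.strip() for x in operands.split(","))
        val = r[src] if src in r else int(src, 0)   # register or immediate operand
        if op == "mov":   r[dst] = val
        elif op == "add": r[dst] = (r[dst] + val) & MASK
        elif op == "sub": r[dst] = (r[dst] - val) & MASK
        elif op == "xor": r[dst] = r[dst] ^ val
        elif op == "and": r[dst] = r[dst] & val
        elif op == "or":  r[dst] = r[dst] | val
        else: raise ValueError("unsupported instruction: " + ins)
    return r

memo = {}  # memoization table: unordered pair of blocks -> equivalence verdict

def semantically_equivalent(a, b, trials=200, seed=0):
    """Compare two blocks on random concrete input states (a stand-in for symbolic
    trace comparison) and memoize the verdict for this unordered pair of blocks."""
    key = frozenset((tuple(a), tuple(b)))
    if key in memo:
        return memo[key]
    rng = random.Random(seed)
    verdict = True
    for _ in range(trials):
        state = {reg: rng.getrandbits(32) for reg in REGS}
        if run_block(a, state) != run_block(b, state):
            verdict = False       # one differing output state refutes equivalence
            break
    memo[key] = verdict
    return verdict

# Constructed sample: the original block computes eax = ebx. Two mutations preserve that
# semantics; the third (modelling a metamorphic engine bug) additionally zeroes ecx.
ORIGINAL      = ["mov eax, 0", "add eax, ebx"]
MUTANT_OK     = ["xor eax, eax", "or eax, ebx"]
MUTANT_OK2    = ["sub eax, eax", "add eax, ebx", "xor ecx, 0"]
MUTANT_BROKEN = ["sub eax, eax", "add eax, ebx", "xor ecx, ecx"]

if __name__ == "__main__":
    for name, m in (("ok", MUTANT_OK), ("ok2", MUTANT_OK2), ("broken", MUTANT_BROKEN)):
        print(name, semantically_equivalent(ORIGINAL, m))
```

Random concrete testing can only refute equivalence, never prove it; the paper's trace-based diffing reasons about the blocks' symbolic semantics, which this example only approximates.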


Cited By

  • (2024) Analyzing Implementation-Based SSL/TLS Vulnerabilities with Binary Semantics Analysis. Security and Privacy in Communication Networks, pp. 371-394. DOI 10.1007/978-3-031-64954-7_19. Online publication date: 15 Oct 2024.
  • (2023) YAMME: a YAra-byte-signatures Metamorphic Mutation Engine. IEEE Transactions on Information Forensics and Security, vol. 18, pp. 4530-4545. DOI 10.1109/TIFS.2023.3294059. Online publication date: 2023.
  • (2021) Message-of-the-Day (MOTD) Banner Language Variations as an Adaptive Honeypot Deterrent of Unauthorized Access. Proceedings of the 16th International Conference on Availability, Reliability and Security, pp. 1-7. DOI 10.1145/3465481.3470032. Online publication date: 17 Aug 2021.
  • (2021) Unleashing the hidden power of compiler optimization on binary code difference: an empirical study. Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation, pp. 142-157. DOI 10.1145/3453483.3454035. Online publication date: 19 Jun 2021.
  • (2020) Searching for Malware Dataset: a Systematic Literature Review. 2020 International Conference on Information Technology Systems and Innovation (ICITSI), pp. 375-380. DOI 10.1109/ICITSI50517.2020.9264929. Online publication date: 19 Oct 2020.


    Published In

    SPRO'19: Proceedings of the 3rd ACM Workshop on Software Protection
    November 2019, 87 pages
    ISBN: 9781450368353
    DOI: 10.1145/3338503

    Publisher

    Association for Computing Machinery, New York, NY, United States

    Author Tags

    1. binary code semantics analysis
    2. binary diffing
    3. malware detection
    4. metamorphic virus


    Conference

    CCS '19
    Overall acceptance rate: 8 of 14 submissions, 57%


    Article Metrics

    Downloads: 22 in the last 12 months, 0 in the last 6 weeks (reflects downloads up to 14 Feb 2025)

