
Compression-based analysis of metamorphic malware

Published: 01 July 2015

Abstract

Recent work has shown that a technique based on structural entropy measurement provides an effective means of detecting metamorphic malware. This previous work relies on file segmentation using transform techniques. In other previous work, a method based on estimating Kolmogorov complexity using compression ratios has shown promise for malware detection. In this paper, we attempt to improve on these previous techniques by combining the main features of each. Specifically, we use compression ratios and transform techniques for file segmentation. The resulting file segment information is then used to compute scores between pairs of executable files. We test our proposed technique on challenging families of metamorphic malware and we compare our results to relevant previous work.
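The pipeline the abstract sketches (local compression ratios as a complexity estimate, a transform to cut the resulting profile into segments, and a score computed between the segment sequences of two executables) is shown below as an added illustration; it is not the paper's implementation. The choices are assumptions made for the example: zlib stands in for the compressor, the finest-scale Haar detail coefficient for the segmentation transform, a Wagner-Fischer edit distance for the pairwise score, and the 256-byte window and 0.1 threshold are arbitrary. The three input files are constructed byte strings (zero-padded header, a small "opcode" alphabet, uniformly random bytes), not real malware.

```python
"""Sliding-window compression ratios -> segmentation -> pairwise score.

Added illustration of the pipeline described in the abstract; not the
paper's code. zlib stands in for the compressor, the finest-scale Haar
detail for the segmentation transform and a Wagner-Fischer edit distance
for the pairwise score. Window size and threshold are assumed constants.
"""
import random
import zlib
from typing import List, Sequence, Tuple

WINDOW = 256            # bytes per window (assumption)
DETAIL_THRESHOLD = 0.1  # Haar detail magnitude that opens a new segment (assumption)

Segment = Tuple[int, float]  # (windows in segment, mean compression ratio)


def compression_ratio(block: bytes) -> float:
    """Compressed size over raw size: a cheap upper-bound proxy for Kolmogorov
    complexity. Roughly: zero padding ~0.05, code ~0.6, packed data ~1.04."""
    return len(zlib.compress(block, 9)) / len(block) if block else 0.0


def ratio_profile(data: bytes, window: int = WINDOW) -> List[float]:
    """One ratio per full non-overlapping window. A partial tail is dropped
    because zlib's fixed overhead makes short blocks look incompressible."""
    if len(data) < window:
        return [compression_ratio(data)]
    return [compression_ratio(data[i:i + window])
            for i in range(0, len(data) - window + 1, window)]


def _summarise(chunk: Sequence[float]) -> Segment:
    return len(chunk), sum(chunk) / len(chunk)


def segment(profile: Sequence[float], threshold: float = DETAIL_THRESHOLD) -> List[Segment]:
    """Split the profile where the finest-scale Haar detail (x[i-1] - x[i]) / 2
    is large, i.e. where local complexity jumps (padding -> code -> packed data)."""
    segments: List[Segment] = []
    start = 0
    for i in range(1, len(profile)):
        if abs(profile[i - 1] - profile[i]) / 2 > threshold:
            segments.append(_summarise(profile[start:i]))
            start = i
    if start < len(profile):
        segments.append(_summarise(profile[start:]))
    return segments


def edit_distance(a: Sequence[Segment], b: Sequence[Segment]) -> float:
    """Wagner-Fischer over segment sequences. Insert/delete cost 1 (a segment the
    morphing engine added or removed); substitution cost is the gap in mean
    ratio capped at 1, so segments of similar complexity align almost for free."""
    prev = [float(j) for j in range(len(b) + 1)]
    for i in range(1, len(a) + 1):
        cur = [float(i)]
        for j in range(1, len(b) + 1):
            sub = min(1.0, abs(a[i - 1][1] - b[j - 1][1]))
            cur.append(min(prev[j] + 1.0, cur[j - 1] + 1.0, prev[j - 1] + sub))
        prev = cur
    return prev[-1]


def similarity(data_a: bytes, data_b: bytes) -> float:
    """Score in [0, 1]; 1.0 means identical segment structure."""
    seg_a, seg_b = segment(ratio_profile(data_a)), segment(ratio_profile(data_b))
    longest = max(len(seg_a), len(seg_b))
    return 1.0 if longest == 0 else 1.0 - edit_distance(seg_a, seg_b) / longest


# --- constructed inputs (synthetic bytes, not real malware) ------------------
_OPCODES = [0x50, 0x51, 0x55, 0x83, 0x89, 0x8B, 0x90, 0xC3, 0xE8, 0xEB, 0x74, 0x75]


def _header(n: int) -> bytes:                      # zero padding: very compressible
    return b"MZ" + bytes(n - 2)


def _code(rng: random.Random, n: int) -> bytes:    # small alphabet: medium ratio
    return bytes(rng.choice(_OPCODES) for _ in range(n))


def _packed(rng: random.Random, n: int) -> bytes:  # uniform bytes: incompressible
    return bytes(rng.randrange(256) for _ in range(n))


def build_samples() -> Tuple[bytes, bytes, bytes]:
    """Two 'variants' with the same layout but different instruction draws (what
    a metamorphic engine preserves), plus one file with the regions reordered."""
    r1, r2, r3 = random.Random(1), random.Random(2), random.Random(3)
    variant_a = _header(1024) + _code(r1, 2048) + _packed(r1, 2048)
    variant_b = _header(1024) + _code(r2, 2048) + _packed(r2, 2048)
    unrelated = _packed(r3, 2048) + _header(1024) + _code(r3, 2048)
    return variant_a, variant_b, unrelated


if __name__ == "__main__":
    a, b, c = build_samples()
    print("segments A:", [(n, round(r, 2)) for n, r in segment(ratio_profile(a))])
    print("score(A, B) =", round(similarity(a, b), 3))
    print("score(A, C) =", round(similarity(a, c), 3))
```

Two design points worth noting. The substitution cost in the edit distance is continuous (difference of mean ratios) rather than an exact match on quantised symbols, so two variants whose code regions compress slightly differently still align; and segment lengths are carried but not scored, which is deliberate, since junk insertion by a morphing engine changes how long a region is more readily than how compressible it is. On real binaries, a practitioner would also want to strip or separately score resource and relocation sections, which dominate the profile of many PE files.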


Cited By

  • (2023) An Evolutionary based Generative Adversarial Network Inspired Approach to Defeating Metamorphic Malware. Proceedings of the Companion Conference on Genetic and Evolutionary Computation, pp. 1753-1759. https://doi.org/10.1145/3583133.3596362. Online publication date: 15-Jul-2023.
  • (2023) Evolutionary Based Transfer Learning Approach to Improving Classification of Metamorphic Malware. Applications of Evolutionary Computation, pp. 161-176. https://doi.org/10.1007/978-3-031-30229-9_11. Online publication date: 12-Apr-2023.
  • (2021) Obfuscation Revealed: Leveraging Electromagnetic Signals for Obfuscated Malware Classification. Proceedings of the 37th Annual Computer Security Applications Conference, pp. 706-719. https://doi.org/10.1145/3485832.3485894. Online publication date: 6-Dec-2021.
    Published In

    International Journal of Security and Networks, Volume 10, Issue 2
    July 2015
    72 pages
    ISSN: 1747-8405
    EISSN: 1747-8413

    Publisher

    Inderscience Publishers

    Geneva 15, Switzerland
