Evgenios Konstantinou (2008) Metamorphic Virus: Analysis and Detection.
Full text access: Open
Metamorphic viruses transform their code as they propagate, thus evading detection by static signature-based virus scanners while keeping their functionality. They use code obfuscation techniques to challenge deeper static analysis and can also beat dynamic analyzers, such as emulators, by altering their behavior. To achieve this, metamorphic viruses use several metamorphic transformations, including register renaming, code permutation, code expansion, code shrinking, and garbage code insertion. In this thesis, an in-depth analysis of metamorphic viruses is presented, along with the techniques they use to transform their code into new generations. In order to give a better understanding of metamorphic viruses, a general discussion of malicious code and detection techniques is given first. Then, several techniques for detecting metamorphic viruses are described. A fair number of papers on metamorphic viruses exist in the literature, but none is a complete discussion of all metamorphic techniques and detection methods. This thesis aims at a complete discussion of all metamorphic techniques used by virus writers so far, and of all detection techniques implemented in antivirus products or still experimental. It accomplishes this through in-depth research on malware and metamorphic viruses in the existing literature. Due to space and time limitations, an exhaustive discussion was not possible in this thesis.
This is a Published version.
This version's date is: 15/01/2008.
This item is peer reviewed.
https://repository.royalholloway.ac.uk/items/bde3a9fe-51c0-a19a-e04d-b324c0926a4a/1/
Deposited on 24-Jun-2010 in Royal Holloway Research Online. Last modified on 15-Dec-2010.