Code obfuscation techniques for metamorphic viruses

Borello, Jean-Marie; Mé, Ludovic

doi:10.1007/s11416-008-0084-2

Cited by 149 publications

(116 citation statements)

References 16 publications

Supporting

Mentioning

110

Contrasting

Unclassified

Order By: Relevance

“…Our approach could easily be combined with current signature-evading techniques such as metamorphic viruses [34]. By doing so, AutoShadow could be able to evade both signaturebased and behavior-based malware detector.…”

Section: Discussionmentioning

confidence: 99%

Shadow attacks: automatically evading system-call-behavior based malware detection

Duan

Liu

et al. 2011

J Comput Virol

View full text Add to dashboard Cite

Abstract. Contemporary malware makes extensive use of different techniques such as packing, code obfuscation, polymorphism, and metamorphism, to evade signature-based detection. Traditional signature-based detection technique is hard to catch up with latest malware or unknown malware. Behavior-based detection models are being investigated as a new methodology to defeat malware. This kind of approaches typically relies on system call sequences/graphs to model a malicious specification/pattern. In this paper, we present a new class of attacks, namely "shadow attacks", to evade current behaviorbased malware detectors by partitioning one piece of malware into multiple "shadow processes". None of the shadow processes contains a recognizable malicious behavior specification known to single-process-based malware detectors, yet those shadow processes as an ensemble can still fulfill the original malicious functionality. To demonstrate the feasibility of this attack, we have developed a compiler-level prototype tool, AutoShadow, to automatically generate shadow-process version of malware given the source code of original malware. Our preliminary result has demonstrated the effectiveness of shadow attacks in evading several behavior-based malware analysis/detection solutions in real world. With the increasing adoption of multi-core computers and multi-process programs, malware writers may exploit more such shadow attacks in the future. We hope our preliminary study can foster more discussion and research to improve current generation of behavior-based malware detectors to address this great potential threat before it becomes a security problem of the epidemic proportions.

show abstract

Section: Discussionmentioning

confidence: 99%

Shadow attacks: automatically evading system-call-behavior based malware detection

Duan

Liu

et al. 2011

J Comput Virol

View full text Add to dashboard Cite

show abstract

“…By obfuscating repeatedly, two copies from the same malware will be quite different and most of current detection methods fail to completely identify such every-increasingly stealth metamorphic malware. The obfuscation techniques can be divided in two types, data flow obfuscation (junk or dead code insertion, variable or register substitution, instruction replacement or permutation) and control flow obfuscation [8].…”

Section: Metamorphismmentioning

confidence: 99%

Short Review on Metamorphic Malware Detection in Hidden Markov Models

Ling¹,

Sani

2017

IJARCSSE

View full text Add to dashboard Cite

Abstract-Metamorphic malware is well known for evading signature-based detection. To cope up with numerous malware which can emerge easily by using open source malware generator, efficient detection in terms of accuracy and runtime performance shall be considered during analysis. Detection strategies such as data mining combine with machine learning have been used by researchers for heuristically detecting malware. In this paper, we present Hidden Markov Model as an efficient metamorphic malware detection tool by exploring the common obfuscation techniques used in malware while reviewing and comparing the different studies that adopt HMM as a detection tool.

show abstract

“…The reason for this change is quite simple: Traditional detection signatures, built upon fragments of executable code extracted from malicious samples, characterise a specific malware type on a syntactic level. However, syntactic features are relatively easy to obscure or modify, as also pointed out by Moser et al [1], mainly by techniques of encryption, packing [2], [3], [4], polymorphism, metamorphism, and code obfuscation, implemented on control-flow or data-flow of a program [5].…”

Section: Introductionmentioning

confidence: 99%

High-Level Malware Behavioural Patterns: Extractability Evaluation

Stastna

Tomášek

2017

Proceedings of the 2017 Federated Conference on Computer Science and Information Systems

View full text Add to dashboard Cite

Abstract-Many promising malware research projects focus on malware behaviour analysis, however, in the end they tend to build new detection systems and stick to measuring detection ratios. Our approach focuses on malware behavioural analysis for defining (characterising) malicious software on rather high level of abstraction, in order to break the endless cycle of evolving malware and malware analysts trying to catch up on new threats. As our research outlines, even such high-level behavioural information as numbers of occurrences of some behavioural events, can be successfully extracted from program samples and interpreted for extraction of repeating behavioural patterns. While this may seem simple at the first glance, there are plenty variables entering the process of behavioural data acquisition and pattern extraction.

show abstract

Code obfuscation techniques for metamorphic viruses

Cited by 149 publications

References 16 publications

Shadow attacks: automatically evading system-call-behavior based malware detection

Shadow attacks: automatically evading system-call-behavior based malware detection

Short Review on Metamorphic Malware Detection in Hidden Markov Models

High-Level Malware Behavioural Patterns: Extractability Evaluation

Contact Info

Product

Resources

About