Abstract
In this paper, we propose an original black-box approach to the evaluation of antivirus products. Contrary to classical tests, which focus on detection rates for a specific malware sample, we use a generic metamorphic engine to observe the behavior of the detection products. We believe that this point of view is of double interest. First, it offers an original way of evaluating current antivirus products that focuses on the detection technique actually observed: the use of metamorphic malware makes static, signature-based detection difficult by construction, so that the evaluation bears only on heuristic and behavioral detection approaches. Second, by pointing out current detection capabilities, we evaluate in practice the danger that complex metamorphic malware could represent. To achieve this goal, we start with the description of a generic metamorphic engine acting in two steps: obfuscation and modeling. Then, we apply this engine to a real mass-mailing worm and submit the resulting metamorphic malware samples to current antivirus products. The observed results lead to a classification of detection techniques into two main categories: the first, relying on static detection techniques, presents low detection rates obtained by heuristic analysis; the second, composed of behavioral detection programs, mainly focuses on elementary suspicious actions. In all cases, no product was able to detect a global malware behavior. Consequently, we consider that metamorphic malware detection still represents a real challenge for antivirus products. Through this study, we hope to help defenders understand and defend against the threat represented by this class of malware.
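The classification sketched in the abstract (static signatures defeated by metamorphism, detection recovered only by normalization or by watching elementary suspicious actions) can be illustrated on a toy. The following Python is an added example, not the paper's engine or any product's code: it defines a hypothetical three-operand IR, a constructed "mass-mailer" program, a deliberately simple rewriter (register renaming, `mov r,0` to `xor r,r`, `add r,1` to `inc r`, junk `nop` insertion), and three detectors that stand in for the categories the paper observes. All instruction names, API names and programs are constructed for the illustration.

```python
"""Toy comparison of static, normalizing and behavioral detection against
semantics-preserving code rewriting (constructed example, hypothetical IR)."""
import hashlib
import random
from typing import Dict, List, Tuple

Instr = Tuple[str, ...]  # e.g. ("mov", "r1", "0") or ("call", "SendMail")

# Constructed original program: the elementary actions of a mass-mailer in
# the toy IR (address harvesting followed by mail sending).
ORIGINAL: List[Instr] = [
    ("mov", "r1", "0"),
    ("call", "FindAddressBook"),
    ("add", "r1", "1"),
    ("call", "SendMail"),
    ("ret",),
]


def metamorphose(prog: List[Instr], seed: int) -> List[Instr]:
    """Produce a variant with identical semantics but different bytes:
    register renaming, instruction substitution and junk insertion."""
    rng = random.Random(seed)
    rename = {"r1": rng.choice(["r1", "r2", "r3"])}
    out: List[Instr] = []
    for ins in prog:
        ins = tuple(rename.get(x, x) for x in ins)
        if ins[0] == "mov" and ins[2] == "0":
            ins = ("xor", ins[1], ins[1])      # mov r,0  ->  xor r,r
        elif ins[0] == "add" and ins[2] == "1":
            ins = ("inc", ins[1])              # add r,1  ->  inc r
        if rng.random() < 0.7:
            out.append(("nop",))               # junk instruction
        out.append(ins)
    return out


def normalize(prog: List[Instr]) -> List[Instr]:
    """Undo the rewrites above: drop junk, fold substitutions back to a
    canonical form, and number registers by first use (toy normalizer)."""
    regs: Dict[str, str] = {}
    canon: List[Instr] = []
    for ins in prog:
        if ins[0] == "nop":
            continue
        if ins[0] == "xor" and ins[1] == ins[2]:
            ins = ("mov", ins[1], "0")
        elif ins[0] == "inc":
            ins = ("add", ins[1], "1")
        fixed = []
        for x in ins:
            if x.startswith("r") and x[1:].isdigit():
                x = regs.setdefault(x, f"v{len(regs)}")
            fixed.append(x)
        canon.append(tuple(fixed))
    return canon


def signature(prog: List[Instr]) -> str:
    """Hash of the exact instruction stream, i.e. a static byte signature."""
    return hashlib.sha256(repr(prog).encode()).hexdigest()


STATIC_SIGNATURE = signature(ORIGINAL)
NORMALIZED_SIGNATURE = signature(normalize(ORIGINAL))
SUSPICIOUS_CALLS = {"FindAddressBook", "SendMail"}  # constructed action set


def static_detect(prog: List[Instr]) -> bool:
    """Category 1: exact static signature; breaks on any rewrite."""
    return signature(prog) == STATIC_SIGNATURE


def normalized_detect(prog: List[Instr]) -> bool:
    """Signature taken after normalization; survives the toy rewrites."""
    return signature(normalize(prog)) == NORMALIZED_SIGNATURE


def behavioral_detect(prog: List[Instr]) -> bool:
    """Category 2: flags elementary suspicious actions regardless of shape."""
    seen = {ins[1] for ins in prog if ins[0] == "call"}
    return SUSPICIOUS_CALLS <= seen


def evaluate(prog: List[Instr]) -> Dict[str, bool]:
    """Run all three detectors on one sample and report the verdicts."""
    return {
        "static": static_detect(prog),
        "normalized": normalized_detect(prog),
        "behavioral": behavioral_detect(prog),
    }


if __name__ == "__main__":
    for seed in range(3):
        print(seed, evaluate(metamorphose(ORIGINAL, seed)))
```

Each rewritten variant defeats the exact signature while the normalizing and behavioral checks still fire; the point the abstract makes is that real products stop at the behavioral level of single suspicious actions rather than recognizing the whole harvesting-then-sending behavior as one malware profile.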
Borello, JM., Filiol, É. & Mé, L. From the design of a generic metamorphic engine to a black-box classification of antivirus detection techniques. J Comput Virol 6, 277–287 (2010). https://doi.org/10.1007/s11416-009-0136-2