
From the design of a generic metamorphic engine to a black-box classification of antivirus detection techniques

Original Paper, Journal in Computer Virology

Abstract

In this paper, we propose an original black-box approach to the evaluation of antivirus products. Unlike classical tests, which measure detection rates on a specific malware sample, we use a generic metamorphic engine to observe how detection products behave. We believe this point of view is doubly interesting. First, it offers an original way of evaluating current antivirus products that focuses on the detection technique actually observed: because the samples are metamorphic, static signature-based detection is made impractical, so the evaluation exercises only heuristic and behavioral detection approaches. Second, by exposing current detection capabilities, we obtain a practical assessment of the danger that complex metamorphic malware could represent. To achieve this goal, we first describe a generic metamorphic engine that works in two steps, obfuscation and modeling. We then apply this engine to a real mass-mailing worm and submit the resulting metamorphic malware samples to current antivirus products. The observed results lead to a classification of detection techniques into two main categories. The first, relying on static detection techniques, achieves low detection rates through heuristic analysis. The second, composed of behavioral detection programs, mainly focuses on elementary suspicious actions. In all cases, no product was able to detect a global malware behavior. Consequently, we consider that metamorphic malware detection still represents a real challenge for antivirus products. Through this study, we hope to help defenders understand and defend against the threat represented by this class of malware.



Author information

Corresponding author: Jean-Marie Borello.


About this article

Cite this article

Borello, JM., Filiol, É. & Mé, L. From the design of a generic metamorphic engine to a black-box classification of antivirus detection techniques. J Comput Virol 6, 277–287 (2010). https://doi.org/10.1007/s11416-009-0136-2
