Abstract
Metamorphic computer viruses “mutate” by changing their internal structure and, consequently, different instances of the same virus may not exhibit a common signature. With the advent of construction kits, it is easy to generate metamorphic strains of a given virus. In contrast to standard hidden Markov models (HMMs), profile hidden Markov models (PHMMs) explicitly account for positional information. In principle, this positional information could yield stronger models for virus detection. However, there are many practical difficulties that arise when using PHMMs, as compared to standard HMMs. PHMMs are widely used in bioinformatics. For example, PHMMs are the most effective tool yet developed for finding family-related DNA sequences. In this paper, we consider the utility of PHMMs for detecting metamorphic virus variants generated from virus construction kits. PHMMs are generated for each construction kit under consideration and the resulting models are used to score virus and non-virus files. Our results are encouraging, but several problems must be resolved for the technique to be truly practical.
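The abstract's approach in miniature, as an added example that is not code or data from the paper: a profile HMM is built from a constructed opcode alignment standing in for one construction kit, and opcode sequences are then Viterbi-scored against it as log-odds versus a uniform null model. Match emissions and transitions are position-specific (the positional information the abstract contrasts with standard HMMs); the alignment, `PSEUDO`, the uniform insert emissions and all function names are assumptions made here.

```python
import math
from collections import Counter

# Constructed toy "multiple alignment" of opcode sequences from one kit (not the paper's data).
ALIGNMENT = [r.split() for r in ("push mov - xor call ret", "push mov nop - call ret",
                                  "push nop - xor call ret", "push mov - xor call -")]
PSEUDO = 0.5  # pseudocount: unseen opcodes and transitions stay possible, just unlikely

def build_profile(aln):
    alphabet = sorted({s for row in aln for s in row if s != "-"})
    is_match = [2 * sum(r[c] != "-" for r in aln) >= len(aln) for c in range(len(aln[0]))]  # >= half filled
    emit = []  # emit[j][op] = log P(op | match state j+1); key None covers opcodes unseen in that column
    for c in [c for c in range(len(is_match)) if is_match[c]]:
        cnt = Counter(r[c] for r in aln if r[c] != "-")
        tot = sum(cnt.values()) + PSEUDO * len(alphabet)
        emit.append({**{a: math.log((cnt[a] + PSEUDO) / tot) for a in alphabet}, None: math.log(PSEUDO / tot)})
    trans = Counter()  # (position, from_state, to_state) -> count; position 0 is the begin state
    for row in aln:
        prev, j = "M", 0
        for c, op in enumerate(row):
            if not is_match[c] and op == "-":
                continue  # a gap in an insert column emits nothing
            j += is_match[c]
            cur = "I" if not is_match[c] else ("M" if op != "-" else "D")
            trans[(j if cur == "I" else j - 1, prev, cur)] += 1
            prev = cur
        trans[(j, prev, "M")] += 1  # final transition into the end state
    def log_a(j, s, t):  # position-specific transition log-probability with pseudocounts
        return math.log((trans[(j, s, t)] + PSEUDO) / (sum(trans[(j, s, u)] for u in "MID") + 3 * PSEUDO))
    return alphabet, len(emit), emit, log_a

def score(profile, seq):
    """Viterbi log-odds of seq against the profile, relative to a uniform null model."""
    alphabet, L, emit, log_a = profile
    bg, NEG, n = -math.log(len(alphabet)), float("-inf"), len(seq)
    step = lambda prev, j, dst: max(v + log_a(j, s, dst) for v, s in zip(prev, "MID"))
    V = [[(NEG, NEG, NEG)] * (n + 1) for _ in range(L + 1)]  # V[j][i] = (M_j, I_j, D_j) best log-odds
    for j in range(L + 1):
        for i in range(n + 1):
            m = ins = d = NEG
            if j and i:  # match j consumes seq[i-1]; its emission is scored as log-odds vs background
                m = emit[j - 1].get(seq[i - 1], emit[j - 1][None]) - bg + step(V[j - 1][i - 1], j - 1, "M")
            if i:  # insert j consumes seq[i-1] at background odds (log-odds 0)
                ins = step(V[j][i - 1], j, "I")
            if j:  # delete j consumes nothing
                d = step(V[j - 1][i], j - 1, "D")
            V[j][i] = (m, ins, d) if (j or i) else (0.0, NEG, NEG)  # begin state lives at (0, 0)
    return step(V[L][n], L, "M")  # transition from the last position into the end state
```

A kit-like sequence such as `push mov xor call ret` scores positive against this profile while a sequence of opcodes the kit never emits scores negative; a detection threshold would be set between the two populations.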
Attaluri, S., McGhee, S. & Stamp, M. Profile hidden Markov models and metamorphic virus detection. J Comput Virol 5, 151–169 (2009). https://doi.org/10.1007/s11416-008-0105-1