Detecting machine-morphed malware variants via engine attribution
Journal in Computer Virology
Introducing program variations via metamorphic transformations is one of the methods used by malware authors in order to help their programs slip past defenses. A method is presented for rapidly deciding whether or not an input program is likely to be a variant of a given metamorphic program. The method is defined for the prominent class of metamorphic engines that work by probabilistically selecting instruction-substituting program transformations. A model of the probabilistic engine is used to predict the expected distribution of instruction forms for different generations of variants. These predicted distributions form a type of "statistical signature" for the output of the metamorphic engines. A classifier is defined based on the distance between the observed and the predicted instruction form distributions. A case study using the W32.Evol virus shows that the classifier can distinguish between malicious samples from multiple generations. The classification method may be useful for practical malware detection by serving as an inexpensive filter that avoids more in-depth analyses where they are unnecessary.
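As an added illustration of the statistical-signature idea (this is not code from the paper; the instruction forms, substitution rules and counts below are constructed toy values, and summarising the engine as an expected-count matrix over instruction forms is an assumption, not W32.Evol's actual rule set):

```python
"""Toy statistical-signature classifier for a probabilistic, instruction-substituting
metamorphic engine. The engine is summarised by a matrix E where E[i][j] is the
expected number of form-j instructions that one form-i instruction becomes after one
generation; the predicted signature of generation k is counts0 * E^k, normalised."""
from typing import Dict, List, Tuple

# Instruction forms the toy engine distinguishes (constructed names).
FORMS = ["push_reg", "mov_mem_reg", "sub_esp", "nop", "xor_reg"]

# Substitution rules per source form: (probability, replacement forms). Leftover
# probability leaves the instruction unchanged. The first rule expands one instruction
# into two, so instruction counts are not conserved across generations (constructed).
RULES: Dict[str, List[Tuple[float, List[str]]]] = {
    "push_reg": [(0.5, ["mov_mem_reg", "sub_esp"])],
    "nop": [(0.3, ["xor_reg"])],
    "xor_reg": [(0.2, ["nop", "nop"])],
}

def expansion_matrix() -> List[List[float]]:
    """Build E from RULES: one generation's expected output forms per input form."""
    n, idx = len(FORMS), {f: i for i, f in enumerate(FORMS)}
    E = [[0.0] * n for _ in range(n)]
    for i, f in enumerate(FORMS):
        rules = RULES.get(f, [])
        E[i][i] += 1.0 - sum(p for p, _ in rules)  # unchanged with leftover probability
        for p, out in rules:
            for g in out:
                E[i][idx[g]] += p
    return E

def predicted_distribution(counts0: Dict[str, int], generation: int) -> List[float]:
    """Expected instruction-form distribution of the ancestor after `generation` steps."""
    E, n = expansion_matrix(), len(FORMS)
    c = [float(counts0.get(f, 0)) for f in FORMS]
    for _ in range(generation):
        c = [sum(c[i] * E[i][j] for i in range(n)) for j in range(n)]
    total = sum(c)
    return [x / total for x in c]

def l1_distance(a: List[float], b: List[float]) -> float:
    return sum(abs(x - y) for x, y in zip(a, b))

def classify(observed: Dict[str, int], counts0: Dict[str, int],
             max_gen: int = 10, threshold: float = 0.15) -> Tuple[bool, int, float]:
    """Compare an input program's form histogram with each generation's predicted
    signature; return (likely_variant, closest_generation, distance)."""
    total = sum(observed.get(f, 0) for f in FORMS)
    if total == 0:
        raise ValueError("no recognised instruction forms in input")
    obs = [observed.get(f, 0) / total for f in FORMS]
    dist, gen = min((l1_distance(obs, predicted_distribution(counts0, k)), k)
                    for k in range(max_gen + 1))
    return dist <= threshold, gen, dist
```

The threshold is a constructed tuning knob: in practice it would be calibrated on known generations of the engine so that the filter rejects unrelated programs while passing true variants on to deeper analysis.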