Using engine signature to detect metamorphic malware
Proceedings of the 4th ACM workshop on Recurring malcode
Code Normalization for Self-Mutating Malware
IEEE Security and Privacy
Statistical signatures for fast filtering of instruction-substituting metamorphic malware
Proceedings of the 2007 ACM workshop on Recurring malcode
A semantics-based approach to malware detection
ACM Transactions on Programming Languages and Systems (TOPLAS)
Exploiting an antivirus interface
Computer Standards & Interfaces
Context-sensitive analysis of obfuscated x86 executables
Proceedings of the 2010 ACM SIGPLAN workshop on Partial evaluation and program manipulation
Detecting metamorphic malwares using code graphs
Proceedings of the 2010 ACM Symposium on Applied Computing
Malware detection using assembly code and control flow graph optimization
Proceedings of the 1st Amrita ACM-W Celebration on Women in Computing in India
Context-sensitive analysis without calling-context
Higher-Order and Symbolic Computation
Mining control flow graph as API call-grams to detect portable executable malware
Proceedings of the Fifth International Conference on Security of Information and Networks
Detecting machine-morphed malware variants via engine attribution
Journal in Computer Virology
LSB replacement steganography software detection based on model checking
IWDW'12 Proceedings of the 11th international conference on Digital Forensics and Watermaking
| Hi-index | 0.00 |
Metamorphic malware - including certain viruses and worms - rewrite their code during propagation. This paper presents a method for normalizing multiple variants of metamorphic programs that perform their transformations using finite sets of instruction-sequence substitutions. The paper shows that the problem of constructing a normalizer can, in specific contexts, be formalized as a term rewriting problem. A general method is proposed for constructing normalizers. It involves modeling the metamorphic program's transformations as rewrite rules, and then modifying these rules to create a normalizing rule set. Casting the problem in terms of term rewriting exposes key challenges for constructing effective normalizers. In cases where the challenges cannot be met, approximations are proposed. The normalizer construction method is applied in a case study involving the virus called"W32.Evolt". The results demonstrate that both the overall approach and the approximation schemes may have practical use on realistic malware, and may thus have the potential to improve signature-based malware scanners.