Metamorphic Malware

Related publications

  1. Using Markov Chains to Filter Machine-morphed Variants of Malicious Programs,
    Proceedings of the 3rd International Conference on Malicious and Unwanted Software (Malware'08), (to appear), 2008.
  2. Metamorphic Authorship Recognition Using Markov Models,
    Virus Bulletin, 2008.
  3. The Design Space of Metamorphic Malware,
    Proceedings of the 2nd International Conference on Information Warfare, 2007.
  4. Using Engine Signature to Detect Metamorphic Malware,
    Proceedings of the Fourth ACM Workshop on Rapid Malcode (WORM), pp.73-78, 2006.
  5. Are Metamorphic Viruses Really Invincible? Part 1,
    Virus Bulletin, pp.5-7, 2004.
  6. Are Metamorphic Viruses Really Invincible? Part 2,
    Virus Bulletin, pp.9-12, 2005.

Metamorphic malware changes its own code as it reproduces or propagates, making it difficult to find consistent patterns across the variants. This, in turn, makes it challenging to recognize and stop such programs. We are seeking to develop a theoretical understanding of the various classes of metamorphic malware, and to develop sound techniques for managing metamorphism.

Research in this area includes:

  • A better theoretical understanding of metamorphic programs and their powers. We are presently developing a classification system for malware that seeks to organize them according to the theoretical powers each class has for obfuscation; this is also expected to lead to better threat models.
  • Theory-guided methods for handling malware given the understood threat models.

Normalizing Malware: The "Unmorph" Project

Related publications

  1. Constructing malware normalizers using term rewriting,
    Journal in Computer Virology, (to appear), 2008.
  2. Normalizing Metamorphic Malware Using Term Rewriting,
    Proceedings of the Sixth IEEE International Workshop on Source Code Analysis and Manipulation (SCAM 2006), 2006.
  3. Imposing Order on Program Statements To Assist Anti-Virus Scanners,
    Proceedings of the 11th IEEE Working Conference on Reverse Engineering, pp.161-170, 2004.

One class of metamorphic programs is those that perform only semantics-preserving transformations of their own code, such that the transformations can be characterized by a conditional term rewriting system. We have shown that once the metamorphic "engine" (i.e., the transformation engine) is modeled, it is frequently possible to build a normalizer for that engine either automatically or semi-automatically. These normalizers are proven never to produce false positive or false negative matches. We have also shown that certain approximations may be possible, making the normalization process much more efficient at the cost of some false negatives. A prototype term-rewriting normalizer was constructed using TXL, and a case study illustrated the feasibility of the approach using the W32/Evol worm as a subject.
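The following is an added illustration of the normalization idea described above; it is not the Unmorph project's code (the prototype was written in TXL) and does not model W32/Evol's engine. It assumes a hypothetical engine whose transformations are push/pop substitution, immediate splitting, junk nops, dead stores and self-moves. Each rewrite rule is the inverse of one such transformation, and the conditions on the two-instruction rules show why the rewriting system has to be conditional. Rules are applied left to right until a fixpoint; because every rule shortens the sequence, the rewriting terminates. The sample variants are constructed for this example. Note that this toy ignores condition flags, which a real x86 normalizer must track before it may delete an `add r, 0`.

```python
"""Toy term-rewriting normalizer for metamorphic code variants (added example).

Instructions are tuples such as ("mov", "eax", "ebx").  A rule looks at a window of
one or two instructions and, if it matches, returns a shorter replacement.  Two
variants emitted by the (hypothetical) engine modeled here reduce to one normal
form, which can then be compared with an ordinary signature.
"""
from typing import List, Optional, Tuple

Instr = Tuple[str, ...]


def parse(text: str) -> List[Instr]:
    """Parse lines like 'add eax, 5' into tuples; ';' starts a comment."""
    out: List[Instr] = []
    for line in text.strip().splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        op, _, rest = line.partition(" ")
        args = [a.strip() for a in rest.split(",")] if rest else []
        out.append((op.lower(), *args))
    return out


def is_imm(tok: str) -> bool:
    """True for a decimal immediate such as '5' or '-3'."""
    return tok.lstrip("-").isdigit()


def apply_once(code: List[Instr]) -> Tuple[List[Instr], bool]:
    """Apply the first matching rule found in a left-to-right scan.

    Returns (new_code, True) if a rule fired, else (code, False).
    """
    for i, ins in enumerate(code):
        nxt: Optional[Instr] = code[i + 1] if i + 1 < len(code) else None

        # Unconditional single-instruction rules (inverse of junk insertion).
        if ins == ("nop",):
            return code[:i] + code[i + 1:], True
        if ins[0] == "mov" and ins[1] == ins[2]:          # mov r, r
            return code[:i] + code[i + 1:], True
        if ins[0] in ("add", "sub") and ins[2] == "0":    # add/sub r, 0 (flags ignored here)
            return code[:i] + code[i + 1:], True

        if nxt is None:
            continue

        # push x ; pop y  ->  mov y, x   (inverse of push/pop substitution)
        if ins[0] == "push" and nxt[0] == "pop":
            src, dst = ins[1], nxt[1]
            repl: List[Instr] = [] if src == dst else [("mov", dst, src)]
            return code[:i] + repl + code[i + 2:], True

        # mov r, a ; mov r, b  ->  mov r, b   CONDITION: b must not read r
        # (the condition is what makes this a *conditional* rewriting system)
        if (ins[0] == "mov" and nxt[0] == "mov" and ins[1] == nxt[1]
                and ins[1] not in nxt[2]):
            return code[:i] + [nxt] + code[i + 2:], True

        # add r, a ; add r, b  ->  add r, a+b   CONDITION: both operands immediate
        if (ins[0] == "add" and nxt[0] == "add" and ins[1] == nxt[1]
                and is_imm(ins[2]) and is_imm(nxt[2])):
            folded = ("add", ins[1], str(int(ins[2]) + int(nxt[2])))
            return code[:i] + [folded] + code[i + 2:], True

    return code, False


def normalize(code: List[Instr]) -> List[Instr]:
    """Rewrite to a fixpoint.  Terminates because every rule shortens the code."""
    code = list(code)
    changed = True
    while changed:
        code, changed = apply_once(code)
    return code


def same_normal_form(a: str, b: str) -> bool:
    """Do two assembly fragments reduce to the same normal form?"""
    return normalize(parse(a)) == normalize(parse(b))


# Constructed sample: a reference fragment and two morphed variants of it.
REFERENCE = "mov eax, ebx\nadd eax, 5\ncall foo"
VARIANT_B = "push ebx\npop eax\nnop\nadd eax, 2\nadd eax, 3\ncall foo"
VARIANT_C = "mov eax, 7\nmov eax, ebx\nmov ecx, ecx\nadd eax, 5\nsub eax, 0\ncall foo"
UNRELATED = "mov eax, ecx\nadd eax, 5\ncall foo"

if __name__ == "__main__":
    for name, src in (("B", VARIANT_B), ("C", VARIANT_C), ("unrelated", UNRELATED)):
        print(name, same_normal_form(REFERENCE, src), normalize(parse(src)))
```

The exact rules above never change the matching outcome relative to the reference, which is the zero-false-positive, zero-false-negative property the text refers to. The approximation the text mentions corresponds to loosening or dropping conditions (for instance, folding immediates without checking operand types) to make normalization cheaper, at the price of some variants no longer reaching the canonical form.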