% Conference paper from SCAM 2006. The citation key is kept exactly as published
% so that existing citations of it still resolve.
% NOTE(review): location, confdate, abstract and notes are not fields of the
% classic BibTeX entry types; standard styles ignore unknown fields, so the
% "Best paper award" remark presumably does not print (the printed field is
% "note") -- confirm this is intended.
@inproceedings{SCAM-2006:Walenstein-Mathur-,
  author    = {Andrew Walenstein and Rachit Mathur and Mohamed R. Chouchane and Arun Lakhotia},
  title     = {Normalizing Metamorphic Malware Using Term Rewriting},
  booktitle = {Proceedings of the Sixth IEEE International Workshop on Source Code Analysis and Manipulation (SCAM 2006)},
  location  = {Philadelphia, PA, U.S.A.},
  confdate  = {Sep 27--29},
  year      = {2006},
  abstract  = {Metamorphic malware---including certain viruses and worms---rewrite their code during propagation. This paper presents a method for normalizing multiple variants of metamorphic programs that perform their transformations using finite sets of instruction-sequence substitutions. The paper shows that the problem of constructing a normalizer can, in specific contexts, be formalized as a term rewriting problem. A general method is proposed for constructing normalizers. It involves modeling the metamorphic program's transformations as rewrite rules, and then modifying these rules to create a normalizing rule set. Casting the problem in terms of term rewriting exposes key challenges for constructing effective normalizers. In cases where the challenges cannot be met, approximations are proposed. The normalizer construction method is applied in a case study involving the virus called ``W32.Evol''. The results demonstrate that both the overall approach and the approximation schemes may have practical use on realistic malware, and may thus have the potential to improve signature-based malware scanners.},
  notes     = {Best paper award},
}