Detection of metamorphic malware variants through code normalization and subflow identification

  • Marcelo F. Cozzolino Federal Police / UnB
  • Gilbert B. Martins UFAM / Fucapi
  • Eduardo Souto UFAM
  • Flávio E. G. Deus UnB

Abstract

This paper presents a methodology to identify metamorphic malware. The file code is normalized and subdivided into code segments (tokens) delimited by changes in program flow. The combination of each token identifier with the two following ones generates a set of flow identifiers, which is used to measure the similarity to a previously mapped malware code. The results show that the proposed methodology is able to accurately identify the presence of metamorphic code.
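The pipeline the abstract describes (normalize, cut into flow-delimited tokens, combine each token identifier with the two following ones, compare against a reference), written out as an added illustration that is not the paper's own code. The normalization rules, the token hashing and the Jaccard measure are assumptions, since the page does not describe the paper's actual choices, and both listings are constructed toy examples.

```python
import hashlib
import re

# Token delimiters (flow changes) and the registers collapsed by normalization.
FLOW_CHANGERS = re.compile(r"^(j[a-z]+|call|ret)\b")
GP_REGISTER = re.compile(r"\be[abcd]x\b")

def raw(listing):
    """No normalization: only trims and lower-cases each instruction."""
    return [ins.strip().lower() for ins in listing if ins.strip()]

def normalize(listing):
    """Assumed normalization: drop nop padding, collapse eax..edx to REG."""
    return [GP_REGISTER.sub("REG", ins) for ins in raw(listing) if ins != "nop"]

def tokenize(instructions):
    """Cut the stream into tokens, each ending at a change of program flow."""
    tokens, cur = [], []
    for ins in instructions:
        cur.append(ins)
        if FLOW_CHANGERS.match(ins):
            tokens.append(tuple(cur))
            cur = []
    if cur:
        tokens.append(tuple(cur))
    return tokens

def token_id(token):
    return hashlib.sha1("\n".join(token).encode()).hexdigest()[:8]

def flow_identifiers(listing, normalizer=normalize):
    """Each token id combined with the two that follow it (assumed as a 3-tuple)."""
    ids = [token_id(t) for t in tokenize(normalizer(listing))]
    return {tuple(ids[i:i + 3]) for i in range(len(ids) - 2)}

def similarity(sample, reference, normalizer=normalize):
    a, b = flow_identifiers(sample, normalizer), flow_identifiers(reference, normalizer)
    return len(a & b) / len(a | b) if a | b else 0.0  # Jaccard overlap (assumed)

# Constructed toy listings (not real malware): the variant is the reference
# with nop padding inserted and general-purpose registers renamed.
REFERENCE = ["push ebp", "mov ebp, esp", "xor eax, eax", "cmp eax, 0", "jz L1",
             "mov ecx, 5", "call f", "add eax, ecx", "jmp L2", "inc eax", "ret",
             "pop ebp", "ret", "mov edx, 1", "ret"]
VARIANT = ["nop", "push ebp", "mov ebp, esp", "nop", "xor ebx, ebx", "cmp ebx, 0",
           "jz L1", "mov edx, 5", "call f", "nop", "add ebx, edx", "jmp L2",
           "inc ebx", "ret", "pop ebp", "nop", "ret", "mov ecx, 1", "ret"]
if __name__ == "__main__":
    print("raw       :", similarity(VARIANT, REFERENCE, raw))  # 0.0
    print("normalized:", similarity(VARIANT, REFERENCE))       # 1.0
```

Without normalization every token of the variant differs from its counterpart, so no flow identifier matches; after normalization the two flow-identifier sets coincide, which is the effect the abstract relies on.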

Published
2012-11-19
How to Cite
COZZOLINO, Marcelo F. et al. Detecção de variações de malware metamórfico por meio de normalização de código e identificação de subfluxos. Proceedings of the Brazilian Symposium on Information and Computational Systems Security (SBSeg), [S.l.], p. 30-43, nov. 2012. ISSN 0000-0000. Available at: <https://sol.sbc.org.br/index.php/sbseg/article/view/20534>. Date accessed: 18 may 2024. doi: https://doi.org/10.5753/sbseg.2012.20534.
