Qinghua Zhang
North Carolina State University
USA
Douglas Reeves
North Carolina State University
USA
Detection of malicious software (malware) by the use of static signatures is often criticized for being overly simplistic. Available methods of obfuscating code (so-called metamorphic malware) will invalidate the use of a fixed signature, without changing the harmful effects of the software. This paper presents a new approach for recognizing metamorphic malware. The method uses fully automated static analysis of executables to summarize and compare program semantics, based primarily on the pattern of library or system functions which are called.
The proposed method has been prototyped and evaluated using randomized benchmark programs, instances of known malware program variants, and utility software available in multiple releases. The results demonstrate three important capabilities of the proposed method: (a) it does well at identifying metamorphic variants of common malware; (b) it distinguishes easily between programs that are not related; and, (c) it can identify and detect program variations, or code reuse. Such variations can be due to insertion of malware (such as viruses) into the executable of a host program. We argue that this method of metamorphic code detection will be difficult for malware writers to bypass.
Keywords: metamorphic, semantics, malware, mutant, detection