Abstract

Metamorphic malware are self-modifying programs that apply semantics-preserving transformations to their own code in order to foil detection systems based on signature matching. Metamorphism affects both software security and code protection technologies: it is used by malware writers to evade detection systems based on pattern matching, and by software developers to prevent malicious host attacks through software diversification. In this paper, we consider the problem of automatically extracting metamorphic signatures from the analysis of metamorphic malware variants. We define a metamorphic signature as an abstract program representation that ideally captures all the code variants that might be generated during the execution of a metamorphic program. For this purpose, we developed MetaSign, a tool that takes as input a collection of metamorphic code variants and produces as output a set of transformation rules that could have been used to generate them. MetaSign starts from a control flow graph representation of the input variants and agglomerates them into an automaton that over-approximates the considered code variants. The upper approximation is based on the concept of widening automata, while the semantics-preserving transformations used by the metamorphic program can be viewed as rewriting rules and modeled as grammar productions. In this setting, the grammar recognizes the language of code variants, while the production rules model the metamorphic transformations. In particular, we formalize the language of code variants in terms of pure context-free grammars, which are context-free grammars with a single alphabet, that is, with no separate terminal symbols. After the widening process, we build a positive set of samples from which we extract the productions of the grammar by applying a grammar learning technique. This allows us to learn the transformation rules used by the metamorphic engine to generate the considered code variants. We validate the results of MetaSign on some case studies.
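The abstract describes the pipeline only at a high level: variants in, rewriting rules out, with the learned rules then acting as the signature. The following added example (it is not MetaSign's own code, and the variants, instruction strings and rule format are assumptions made for the demo) shows the idea on a toy basic block. Pairwise sequence alignment stands in for the paper's control-flow-graph widening, which is a simplification: alignment only sees transformations that actually occur in the samples and the spans it pairs are equivalent only in the context they were aligned in, whereas widening yields an over-approximation. The learned rules are then applied by a bounded search to decide whether a held-out variant is derivable from a representative, which is what a metamorphic signature is for.

```python
"""Added example, not MetaSign's own code: learn candidate semantics-preserving
rewriting rules from a handful of metamorphic variants and use them as a
metamorphic signature for a held-out variant."""
from collections import deque
from difflib import SequenceMatcher

# Constructed variants of one basic block, as normalized instruction strings.
# Variant 0 is the original; the others were written by hand to mimic
# instruction substitution and dead-code insertion. These are assumptions for
# the demo, not samples taken from the paper.
VARIANTS = [
    ["mov ebx, eax", "add ecx, 4", "jmp L1"],
    ["push eax", "pop ebx", "add ecx, 4", "jmp L1"],
    ["mov ebx, eax", "nop", "add ecx, 4", "jmp L1"],
    ["push eax", "pop ebx", "sub ecx, -4", "jmp L1"],
]


def learn_rules(variants):
    """Align every pair of variants and record each differing span as a
    production lhs -> rhs. Because all inputs are assumed semantically
    equivalent and the shared context is stripped, each pair of spans is
    equivalent in that context. Both directions are kept, since a
    semantics-preserving rewrite can be applied either way. This pairwise
    alignment stands in for the paper's automaton widening; it only sees
    transformations that are present in the samples."""
    rules = set()
    for i, a in enumerate(variants):
        for b in variants[i + 1:]:
            sm = SequenceMatcher(a=a, b=b, autojunk=False)
            for tag, i1, i2, j1, j2 in sm.get_opcodes():
                if tag == "equal":
                    continue
                lhs, rhs = tuple(a[i1:i2]), tuple(b[j1:j2])
                rules.add((lhs, rhs))
                rules.add((rhs, lhs))
    return rules


def derives(base, target, rules, max_steps=6, slack=2):
    """Bounded breadth-first search over rule applications: can `target` be
    produced from `base` by at most `max_steps` rewrites? Dead-code insertion
    rules have an empty lhs and match at every position, so the search is
    bounded by step count and by a length limit to stay finite."""
    limit = max(len(base), len(target)) + slack
    start, goal = tuple(base), tuple(target)
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        seq, steps = queue.popleft()
        if seq == goal:
            return True
        if steps == max_steps:
            continue
        for lhs, rhs in rules:
            n = len(lhs)
            for pos in range(len(seq) - n + 1):
                if seq[pos:pos + n] != lhs:
                    continue
                new = seq[:pos] + rhs + seq[pos + n:]
                if len(new) <= limit and new not in seen:
                    seen.add(new)
                    queue.append((new, steps + 1))
    return False


def matches_signature(sample, rules, base=VARIANTS[0]):
    """The learned rules plus one representative variant act as the
    metamorphic signature: a sample matches if it is derivable from the base."""
    return derives(base, sample, rules)


if __name__ == "__main__":
    rules = learn_rules(VARIANTS)
    for lhs, rhs in sorted(rules):
        print(" ; ".join(lhs) or "<empty>", "->", " ; ".join(rhs) or "<empty>")
    # Held-out variant combining three transformations never seen together.
    held_out = ["push eax", "pop ebx", "nop", "sub ecx, -4", "jmp L1"]
    print("held-out matches:", matches_signature(held_out, rules))
    # Unrelated block of the same shape: no learned rule produces 'add ecx, 8'.
    print("unrelated matches:", matches_signature(
        ["mov ebx, eax", "add ecx, 8", "jmp L1"], rules))
```

Two points a practitioner should take from this. First, the held-out variant matches even though no sample combined all three transformations, which is exactly what a rule-based signature buys over per-sample hashes. Second, the search must be bounded: insertion rules with an empty left-hand side apply at every position, and without the step and length limits the derivation check would not terminate on a non-matching sample.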

Highlights

  • The rest of this paper is organized as follows: Sect. 2 discusses related work, Sect. 3 presents the background concepts used in the rest of the paper, Sect. 4 explains our approach to capturing metamorphic signatures, Sect. 5 describes the implementation details of MetaSign, Sect. 6 presents results and considerations for three case studies, and Sect. 7 discusses the benefits, drawbacks and future directions of our approach.

  • The third reason lies in the way we can populate a set of test inputs: the metamorphic engine implemented in MetaSign allows us to create numerous variants according to the engine's transformations.

  • We tried to capture the behavior of the metamorphic engine itself, that is, to find a set of rules that allows us to predict the possible mutations of code variants starting from a set of examples.


Summary

Introduction

Encryption [4] is one of the simplest methods employed by malware writers to avoid detection. An encrypted malware consists of two main sections: the main body, known as the payload, and a decryption loop that is responsible for encrypting and decrypting the payload. Oligomorphism [5] is an advanced form of encryption: the malware carries a collection of different decryption routines, one of which is chosen at random for every new infection. This ensures that the decryption code varies among the different malware instances. The difference lies in the unlimited number of encryption methods, which allows an endless sequence of decryption patterns to be generated.

