Metamorphic Malware Analysis and Detection Methods


P. Vinod (Malaviya National Institute of Technology, India), V. Laxmi (Malaviya National Institute of Technology, India) and M.S. Gaur (Malaviya National Institute of Technology, India)
DOI: 10.4018/978-1-60960-123-2.ch013


The term 'malware' is used collectively for any program that enters a system by surreptitious (often unauthorized) means, with malicious intent, resulting in data loss and/or corruption. Examples are viruses, worms, trojans, botnets etc. Malware is becoming a world-wide epidemic, because one infected computer may compromise every system networked with it. Millions of Internet-connected computers exchange useful data and information and are all exposed to malware threats. Malware programs may use different techniques for unauthorized access, but all of them compromise the system in one way or another. To protect against the threats posed by malware, we need to understand the techniques it uses to exploit system vulnerabilities and build an effective detection system. This chapter surveys malware types, infection mechanisms, detection techniques and metamorphic viruses. It also presents a Longest Common Subsequence (LCS) based methodology for metamorphic malware detection.

1. Early Malware

Computer viruses were the earliest malware. A virus spreads by attaching itself to a host program. A typical virus consists of three parts: an infection mechanism, a trigger and a payload. Pseudo code of a virus illustrating these three components is shown in Figure 1(a). The virus first searches the victim machine for an infectable file or device and infects it. If the trigger condition evaluates to 'true', the payload is delivered. The payload performs intentional or unintentional damage to the host application or machine.

Figure 1.

(a) Pseudo code of computer virus and (b) infection mechanism of the virus

1.1 Boot-Sector Infector

When the machine is powered on, the ROM-based BIOS performs a "power on self test" and searches for a boot device. Once the boot device is identified, the BIOS reads its boot block(s) into memory and transfers control to the code in the boot block. This step is called the primary boot. The primary boot loads secondary boot code, which understands the file system structure; this secondary boot code is responsible for loading the operating system kernel.

A boot sector infector (BSI) virus infects the boot block. The BSI relocates the original boot block to a specific location on the disk and replaces the boot block with its own code. After the virus code has run, control is transferred to the relocated original boot block, so the machine boots normally and nothing arouses suspicion of infection. Choosing a fixed location for the relocated boot block can cause problems: another virus may select the same location, overwriting the first virus's saved copy of the original boot block, and the original may then be unrecoverable.
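The relocation step and the integrity check a practitioner would run against it, as an added example that is not part of the chapter. It simulates a disk as a list of 512-byte sectors with an MBR-style layout (446 bytes of code, a 64-byte partition table, the 0x55AA signature); the boot code, the virus bodies and the stash sector 0x20 are constructed stand-ins. The audit hashes only the code region against a baseline, and the last function shows the collision problem from the text: a second virus that picks the same stash sector destroys the saved original.

```python
import hashlib

SECTOR = 512
CODE_LEN = 446                 # boot code area of an MBR-style sector
PT_OFF, PT_LEN = 446, 64       # partition table
BOOT_SIG = b"\x55\xAA"         # 0x55AA boot signature as stored on disk


def make_boot_sector(code: bytes, partition_table: bytes = b"\x00" * PT_LEN) -> bytes:
    """Build one 512-byte boot sector: code (zero padded), partition table, signature."""
    assert len(code) <= CODE_LEN and len(partition_table) == PT_LEN
    return code.ljust(CODE_LEN, b"\x00") + partition_table + BOOT_SIG


def has_boot_signature(sector: bytes) -> bool:
    return len(sector) == SECTOR and sector[510:] == BOOT_SIG


def boot_code_hash(sector: bytes) -> str:
    """Integrity baseline over the code region only, so legitimate edits to the
    partition table do not raise an alert."""
    return hashlib.sha256(sector[:CODE_LEN]).hexdigest()


def infect_bsi(disk: list, virus_code: bytes, stash_sector: int) -> None:
    """Simulated boot-sector infector (constructed for illustration). The current boot
    sector is copied to stash_sector, then the code region of sector 0 is replaced by
    the virus. The partition table and signature are kept so the machine still boots,
    and the stub ends with a 'jump' to the stashed original so booting continues."""
    original = disk[0]
    disk[stash_sector] = original
    stub = virus_code + b";JMP sector %d" % stash_sector
    disk[0] = make_boot_sector(stub, original[PT_OFF:PT_OFF + PT_LEN])


def audit_boot_sector(disk: list, baseline_hash: str) -> list:
    """Checks a scanner would run on sector 0: signature present, code unchanged."""
    findings = []
    if not has_boot_signature(disk[0]):
        findings.append("boot signature missing")
    if boot_code_hash(disk[0]) != baseline_hash:
        findings.append("boot code differs from baseline")
    return findings


def original_recoverable(disk: list, stash_sector: int, baseline_hash: str) -> bool:
    """True if the sector a virus stashed the original in still holds the original."""
    return boot_code_hash(disk[stash_sector]) == baseline_hash


def demo():
    """Returns (findings after first infection, original intact after one infection,
    original intact after a second virus reuses the same stash sector)."""
    clean_code = b"BOOT: load secondary boot loader"     # constructed stand-in
    disk = [b"\x00" * SECTOR] * 64
    disk[0] = make_boot_sector(clean_code, b"\x80" + b"\x00" * 63)
    baseline = boot_code_hash(disk[0])
    infect_bsi(disk, b"VIRUS-A", stash_sector=0x20)
    first = audit_boot_sector(disk, baseline)
    ok_after_one = original_recoverable(disk, 0x20, baseline)
    infect_bsi(disk, b"VIRUS-B", stash_sector=0x20)      # same stash sector as VIRUS-A
    ok_after_two = original_recoverable(disk, 0x20, baseline)
    return first, ok_after_one, ok_after_two


if __name__ == "__main__":
    print(demo())
```

After the first infection the audit reports only a code mismatch, because the infector deliberately preserved the signature and partition table; after the second infection sector 0x20 holds VIRUS-A's code rather than the original, which is exactly the failure the chapter warns about.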

1.2 File-Infectors

A file infector infects executable files. The viral code may be placed at any of the following locations in the host program.

  • Beginning of file: The file infector copies the viral code to the beginning of the host program, so whenever the file is loaded the virus code runs first and the original program runs afterwards. Each time the virus infects an executable file, it inserts markers at specific locations; these let the virus recognize and skip files it has already infected. Such viruses are also called prepending viruses (Aycock, 2006).

  • End of file: A virus that attaches itself to the end of a file is called an appending virus (Aycock, 2006). The file header contains the entry point of the program. The virus modifies this entry point so that execution starts in the viral code (or patches the original entry with a jump to it). After the viral code has executed, control is transferred to the original code.

  • Overwriting file: Viruses that add code to a host program can be detected by comparing the file size against that of the uninfected file. To escape such detection, an overwriting virus places its code in (a) regions of repeated content, or (b) unused space within the host program (such as padding left by the file format or file system). Some overwriting viruses compress part of the file and insert the viral code together with a decompression module. Such viruses do not increase the file size, unlike appending and prepending viruses.

  • Inserted inside the file: Some viruses interweave their code with the code of the target program. After the insertion, the data locations, branch targets and linker relocation information of the host must be updated to account for the shifted code.
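The prepending and appending cases and the file-size and entry-point checks that catch them, as an added example that is not part of the chapter. It uses a constructed toy image format (a 4-byte magic, a 4-byte little-endian entry offset into the body, then the body) rather than a real executable format, and a constructed infection marker and payload; the stub the virus leaves behind ends in a symbolic JMP back to the host's original entry, which `trace` follows to show that the host still runs after the virus.

```python
import struct

MAGIC = b"TOYX"
HDR_LEN = 8                    # magic (4) + little-endian entry offset (4)
MARKER = b"\xDE\xADINF"        # constructed marker the virus leaves in infected files
STUB_OVERHEAD = len(MARKER) + len(b"JMP") + 4


def build(body: bytes, entry: int = 0) -> bytes:
    return MAGIC + struct.pack("<I", entry) + body


def parse(image: bytes):
    """Returns (entry offset into body, body)."""
    if image[:4] != MAGIC:
        raise ValueError("not a TOYX image")
    return struct.unpack("<I", image[4:8])[0], image[HDR_LEN:]


def viral_stub(virus: bytes, resume_at: int) -> bytes:
    """Marker, then the virus body, then a symbolic 'JMP' back into the host.
    The virus body must not itself contain b'JMP' for trace() to work."""
    return MARKER + virus + b"JMP" + struct.pack("<I", resume_at)


def append_infect(image: bytes, virus: bytes) -> bytes:
    """Appending virus: stub goes after the body, entry point redirected to it.
    The marker check stops the file from being infected twice."""
    entry, body = parse(image)
    if MARKER in body:
        return image
    return build(body + viral_stub(virus, entry), entry=len(body))


def prepend_infect(image: bytes, virus: bytes) -> bytes:
    """Prepending virus: stub goes first, entry stays 0, and the host body is shifted
    down by the stub size (a real prepender must also fix up relocations)."""
    entry, body = parse(image)
    if MARKER in body:
        return image
    shift = STUB_OVERHEAD + len(virus)
    return build(viral_stub(virus, shift + entry) + body, entry=0)


def trace(image: bytes, max_steps: int = 4) -> list:
    """Follow control from the entry point: viral stubs are recorded as 'virus' and
    their JMP is taken; the first non-viral location is recorded as the host."""
    entry, body = parse(image)
    pc, steps = entry, []
    for _ in range(max_steps):
        if body.startswith(MARKER, pc):
            steps.append("virus")
            j = body.index(b"JMP", pc)
            pc = struct.unpack("<I", body[j + 3:j + 7])[0]
        else:
            steps.append("host@%d" % pc)
            break
    return steps


def scan(image: bytes, baseline_size: int, baseline_entry: int) -> list:
    """Checks against a known-good baseline: size growth, moved entry point, marker,
    and an entry point that lies beyond the original body (appended code)."""
    entry, body = parse(image)
    findings = []
    if len(image) != baseline_size:
        findings.append("size changed: %d -> %d" % (baseline_size, len(image)))
    if entry != baseline_entry:
        findings.append("entry point moved: %d -> %d" % (baseline_entry, entry))
    if MARKER in body:
        findings.append("infection marker at body offset %d" % body.index(MARKER))
    if entry >= baseline_size - HDR_LEN:
        findings.append("entry point lies beyond the original body")
    return findings


if __name__ == "__main__":
    clean = build(b"HOST: original code")
    for name, infected in (("append", append_infect(clean, b"PAYLOAD")),
                           ("prepend", prepend_infect(clean, b"PAYLOAD"))):
        print(name, trace(infected), scan(infected, len(clean), 0))
```

The size and entry-point checks are exactly what the overwriting viruses described above are designed to defeat: a cavity or compressing virus leaves the size unchanged, so a scanner that relies on those two alone must fall back on content checks such as a hash of the code region.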

1.3 Companion Virus

A companion virus is a self-replicating virus that infects a host program without modifying the host file at all. Instead, the virus takes the same name as the target file and places itself where the operating system's search order will find it before the target. Under MS-DOS, for example, a command abc is resolved by searching for abc.com, abc.exe and abc.bat in that order. If the target is abc.exe and the virus creates a file abc.com alongside it, the virus is executed instead of (and typically before) the original file.
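The search-order rule and a check for files that exploit it, as an added example that is not part of the chapter. It models the MS-DOS precedence described above (.COM before .EXE before .BAT within a directory, directories tried in PATH order) over a constructed directory listing; `companion_suspects` reports every executable that no longer wins resolution of its own base name, which covers both a same-name .COM beside an .EXE and a same-name file planted in an earlier PATH directory.

```python
SEARCH_ORDER = (".COM", ".EXE", ".BAT")   # MS-DOS precedence within one directory


def resolve_command(command: str, path_dirs: list, listing: dict):
    """listing maps a directory to the file names in it (constructed stand-in for a
    directory walk). Matching is case-insensitive as in DOS. Returns the full path of
    the first match, walking PATH in order and trying each extension in each directory."""
    for d in path_dirs:
        names = {n.upper() for n in listing.get(d, ())}
        for ext in SEARCH_ORDER:
            candidate = command.upper() + ext
            if candidate in names:
                return d + "\\" + candidate
    return None


def companion_suspects(path_dirs: list, listing: dict) -> list:
    """Detection check: for every executable on PATH, resolve its own base name and
    report (shadowed file, file that wins) whenever the two differ."""
    suspects = []
    for d in path_dirs:
        for n in sorted(listing.get(d, ())):
            base, dot, ext = n.upper().rpartition(".")
            if not dot or "." + ext not in SEARCH_ORDER:
                continue
            here = d + "\\" + n.upper()
            winner = resolve_command(base, path_dirs, listing)
            if winner != here:
                suspects.append((here, winner))
    return suspects


if __name__ == "__main__":
    path = ["C:\\TEMP", "C:\\APPS"]
    listing = {"C:\\APPS": {"ABC.EXE", "ABC.COM"}, "C:\\TEMP": {"abc.bat"}}
    print(resolve_command("abc", path, listing))
    print(companion_suspects(path, listing))
```

Because the companion never touches abc.exe, a hash or size check on the target file stays clean; the only file-level evidence is the collision in the search path, which is why the check enumerates the whole PATH rather than inspecting individual files.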
