Special Offers
- IGI Global’s New Emerging Topic e-Book Collections
  Acquire highly focused and affordable Cutting-Edge Peer-Reviewed Research Content through a selection of 17 topic-focused e-Book Collections discounted up to 90%, compared to list prices. Collection topics include Artificial Intelligence, Data Science, Language Learning, Marketing and Customer Relations, Sustainability, and many more. Hosted on the InfoSci^® platform, these collections feature no DRM, no additional cost for multi-user licensing, no embargo of content, full-text PDF & HTML format, and more.
  Learn More
- Open Access Book (Free Access) - Encyclopedia of Information Science and Technology, Sixth Edition (ISBN: 9781668473665)
  The Encyclopedia of Information Science and Technology, Sixth Edition) continues the legacy set forth by the first five editions by providing comprehensive coverage and up-to-date definitions of the most important issues, concepts, and trends pertaining to technological advancements and information management within a variety of settings and industries. The entire book is being published under open access.
  Read Now
- Open Access Book (Free Access) - Food Sustainability, Environmental Awareness, and Adaptation and Mitigation Strategies for Developing Countries (ISBN: 9781668456293)
  Food Sustainability, Environmental Awareness, and Adaptation and Mitigation Strategies for Developing Countries provides information on the recent technology, mitigation, and environmental protection that must be applied for food sustainability in developing countries. This book is being published under Platinum Open Access through funding from Diponegoro University, Indonesia.
  Read Now
- Open Access Book (Free Access) - New Models of Higher Education: Unbundled, Rebundled, Customized, and DIY (ISBN: 9781668438091)
  The Walmart Corporation and the Lumina Foundation have provided funding to make New Models of Higher Education: Unbundled, Rebundled, Customized, and DIY fully open access, completely removing any paywall between scholars in education and the latest research on new models for the future of higher education.
  Read Now
- Open Access Book (Free Access) - Handbook of Research on the Global View of Open Access and Scholarly Communications (ISBN: 9781799898054)
  Through a collaboration between IGI Global and the University of North Texas, the Handbook of Research on the Global View of Open Access and Scholarly Communications has been published as fully open access, completely removing any paywall between researchers of any field, and the latest research on the equitable and inclusive nature of Open Access and all of its complications.
  Read Now
Books
- - Books by Subject
  - Business, Administration, & Management
  - Scientific, Technical, & Medical (STM)
  - Education
  - Books by Field
Journals
- - Journals
  - OnDemand Journal Articles
  - Journals by Subject
  - Business, Administration, & Management
  - Scientific, Technical, & Medical (STM)
  - Education
  - Journals by Field
e-Collections
Open Access
- View All Open Access Opportunities
  Search across all of IGI Global’s available open access publishing opportunities to unleash your research potential.
  Find an Open Access Journal for Your Next Manuscript
  Search across all of IGI Global’s available open access publishing opportunities to unleash your research potential.
  Submit an Open Access Book Proposal
  Learn more about open access book publishing and how it can propel your research forward in the field.
  Convert Your Work to Open Access
  Already published? You can convert your work to open access to increase its impact through IGI Global’s Restrospective Open Access Program.
  Utilize Open Access Collection Database
  Open up your research potential by utilizing our open access content or integrating the open access collection into your library
  Consider Open Access Agreements
  For Libraries: consider no-cost or investment-level open access agreements with IGI Global to support your faculty's research endeavors.
  Search Funding Resources
  Looking for additional funding resources to support your open accesss endeavors? View industry resources compiled by our open access team.
  Review Open Access Policies & Ethical Guidelines
  Considering IGI Global to publish your work under open access? Review IGI Global’s open access policies and ethical guidelines
Publish with Us
Resources
- - Instructors
  - Course Adoption
  - Teaching Cases
  - K-12 Online Learning Collection
  - Authors and Editors
  - eEditorial Discovery^® System
  - Peer Review Process
  - Ethics and Malpractice
  - COPE Membership
  - Fair Use Policy
  - Open Access Publishing
  - FAQ
Catalogs
About Us
Newsroom

Metamorphic Malware Analysis and Detection Methods

P. Vinod, V. Laxmi, M.S. Gaur

Source Title: Cyber Security, Cyber Crime and Cyber Forensics: Applications and Perspectives

DOI: 10.4018/978-1-60960-123-2.ch013

OnDemand:

(Individual Chapters)

Available

$37.50

Current Special Offers

No Current Special Offers

Abstract

The term ‘malware’ is collectively used for any program which accesses the system through surreptitious (often unauthorized) means, with malicious intent, resulting in data loss and/or corruption. Some examples are viruses, worms, trojans, botnets etc. Malware is becoming a world-wide epidemic as one infected computer system may compromise all networked systems. Millions of computers connected to the Internet exchange useful data and information and are exposed to malware threats. Malware programs may apply different techniques for unauthorized access, but all of them compromise the system in one way or another. In order to protect from the threats imposed by the malware, we need to understand the techniques used by them in exploiting system vulnerabilities and build an effective detection system. This contribution chapter surveys various malware types, infection mechanisms, detection techniques and metamorphic viruses. This chapter also presents a Longest Common Subsequence (LCS) based methodology for metamorphic malware detection.

Chapter Preview

Top

1. Early Malware

Computer viruses were the earliest malware. A virus spreads by attaching itself to a host program. A typical virus consists of three parts – infection mechanism, triggering mechanism and payload insertion. Pseudo code of a virus illustrating these three components is shown in Figure 1(a). The virus first searches for infectable data/device on the victim machine. If trigger returns ‘true’, payload is delivered. The malicious payload performs intentional or unintentional damage to the host application or machine.

Figure 1.

(a) Pseudo code of computer virus and (b) infection mechanism of the virus

1. 1 Boot−Sector Infector

When the machine is powered on, ROM based BIOS performs “power on self test” and searches for boot device. Once the boot device is identified, BIOS reads boot block(s) and transfers control to the code in the boot block code. This step is called the primary boot. The primary boot loads secondary boot code which understands the file system structure. This secondary boot code is responsible for loading the operating system kernel.

A boot sector infector (BSI) virus infects the boot block. BSI relocates the original boot block to a specific location and the boot block is replaced by the virus code. After infection, control is transferred to the boot block so as to avoid any suspicion of infection. Choosing a specific location for relocating boot block can pose problems as the same location can be selected by other viruses.

1. 2 File−Infectors

A file infector infects the executable files. Following are the locations in the host program where the file infector inserts the viral code.

•
Beginning of File: The file infector copies the viral code at the beginning of the host program. Whenever the file is loaded, the virus code is executed after execution of the actual program. Each time the virus infects an executable file, it inserts markers at specific locations. This helps the virus from ignoring previously infected files. Such viruses are also called as prepending viruses (Aycock, 2006).
•
End of the file: A virus that attaches itself to the end of a file is called appending virus (Aycock, 2006). The file header contain the entry point of the program. The virus modifies this entry point with a jump to the virus code. After execution of viral code, control is transferred to the original code.
•
Over write file: Viruses which add code to a host program can be detected by monitoring the file size of uninfected code. To escape detection, virus inserts code in either (a) repeated contents or (b) unallocated space created by file system of the host program. Some overwriting file viruses compress part of file and insert the viral code along with the decompression module. These viruses do not have space overheads like appending and prepending viruses.
•
Inserted inside the file: Some viruses interweave their code inside the target program. After the insertion, the data locations, branch targets and linker relocation information are also updated.

1. 3 Companion Virus

A companion virus is a ‘self replicating’ virus. These viruses infect the host file without modifying its contents. Instead, such viruses share the same name as the target file and place themselves in the search path of the target file. In this way, the virus is executed before the target file. If the target file to be located is abc. exe, the operating system would search for abc. com, abc. exe, abc. bat in that order. If virus creates a file with same name having . com extension, it is executed before the original file.

Complete Chapter List

Search this Book:

Reset

MLA

APA

Chicago

Export Reference