
Metamorphic Malware Detection Via Program’s Structure Feature

Posted on: 2015-04-13
Degree: Master
Type: Thesis
Country: China
Candidate: X Y Wei
Full Text: PDF
GTID: 2298330467451374
Subject: Computer application technology
Abstract/Summary:
Obfuscation techniques such as encryption/packing, polymorphism and metamorphism are widely used by malware to evade detection. Metamorphic techniques, which change how a program's code is laid out, make malware harder to analyze. Meanwhile, metamorphic engines, which create mutants of known malware automatically, are a catalyst of the huge surge in the number of new malware samples. Detecting metamorphic malware is therefore an urgent problem.

The key is to find a program feature that is stable under metamorphism. The function-call graph is commonly used in detection because it represents the program's functionality and is less susceptible to metamorphism, but it can be obfuscated by useless-function insertion and by implicit or obfuscated calls. Representing each function by its opcode sequence can likewise be defeated by code transposition, dead-code insertion and instruction substitution. We focus on these weaknesses of function-call-graph methods and propose a metamorphic malware detection method based on the program's structure feature.

(1) We studied malware analysis methods and anti-analysis techniques, especially static analysis methods and code obfuscation techniques, and concluded that obtaining a program feature that is stable under metamorphism is the central difficulty in the static detection of metamorphic malware.
(2) We summarized current methods of metamorphic malware detection, including their theory and related work, and analyzed the problems in the methods based on the function-call graph.
(3) We propose a method based on the program's structure feature. The internal structure of an executable is more stable and more characteristic than its opcode sequence. The program feature consists of function features described by structure symbols. With it, the method can defeat most metamorphic techniques and raises the bar for obfuscating against static detection.
(4) We designed and implemented a prototype that identifies metamorphic malware by matching against a feature database.

A series of experiments was designed to evaluate the stability and distinguishability of the program feature. The results show that the program feature is less susceptible to metamorphism and can be used to detect metamorphic malware.
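The following is an added toy illustration of the abstract's central claim, not code or data from the thesis: it contrasts an opcode-sequence feature with a control-flow-structure feature under the three metamorphic transformations named above (dead-code insertion, instruction substitution, code transposition). The sample function, the transformations and the "structure symbol" (a Weisfeiler-Lehman style label of each basic block's position in the CFG) are all my own constructions; the abstract does not define the thesis's structure symbols, so this is one plausible reading of the idea, not the thesis's method.

```python
"""Constructed toy (not the thesis's code or data): an opcode-sequence feature
breaks under metamorphic rewriting, a CFG-structure feature does not.

A function is an insertion-ordered dict  block_id -> (instructions, successors).
Instructions are (mnemonic, *operands) tuples; dict order stands in for the
order in which blocks are laid out in the binary.  The structure feature is my
own choice; the thesis abstract does not define its structure symbols.
"""
import hashlib


def _digest(text):
    return hashlib.sha256(text.encode()).hexdigest()[:16]


# Constructed sample function: prologue, conditional body, epilogue.
ORIGINAL = {
    "entry": ([("push", "ebp"), ("mov", "ebp", "esp"),
               ("test", "eax", "eax"), ("jz", "done")], ["body", "done"]),
    "body":  ([("xor", "ecx", "ecx"), ("add", "eax", "1")], ["done"]),
    "done":  ([("pop", "ebp"), ("ret",)], []),
}


def opcode_feature(func):
    """Fragile feature: digest of the mnemonic stream in layout order."""
    mnemonics = [ins[0] for instrs, _ in func.values() for ins in instrs]
    return _digest(" ".join(mnemonics))


def structure_feature(func, rounds=2):
    """Stable feature: canonical description of the CFG shape.

    Each block starts as its "in-degree:out-degree" pair and is refined
    `rounds` times by the sorted labels of its successors.  The sorted multiset
    of final labels ignores instruction text and block layout order.
    """
    indeg = {b: 0 for b in func}
    for _, succs in func.values():
        for s in succs:
            indeg[s] += 1
    label = {b: f"{indeg[b]}:{len(succs)}" for b, (_, succs) in func.items()}
    for _ in range(rounds):
        label = {b: label[b] + "(" + ",".join(sorted(label[s] for s in succs)) + ")"
                 for b, (_, succs) in func.items()}
    return _digest("|".join(sorted(label.values())))


# --- the three metamorphic transformations named in the abstract ---

def insert_dead_code(func):
    """Dead-code insertion: semantically null instructions at the top of every block."""
    return {b: ([("nop",), ("mov", "eax", "eax")] + instrs, succs)
            for b, (instrs, succs) in func.items()}


SUBSTITUTIONS = {  # same effect, different mnemonic
    ("xor", "ecx", "ecx"): ("mov", "ecx", "0"),
    ("add", "eax", "1"): ("inc", "eax"),
}


def substitute_instructions(func):
    """Instruction substitution: replace instructions by equivalent ones."""
    return {b: ([SUBSTITUTIONS.get(ins, ins) for ins in instrs], succs)
            for b, (instrs, succs) in func.items()}


def transpose_blocks(func):
    """Code transposition: reverse the block layout.  A block that used to fall
    through to a successor now needs an explicit jmp (which also perturbs the
    opcode stream); the successor sets, i.e. the CFG edges, are untouched."""
    order = list(func)[::-1]
    out = {}
    for i, b in enumerate(order):
        instrs, succs = func[b]
        nxt = order[i + 1] if i + 1 < len(order) else None
        already_jumped = {ins[-1] for ins in instrs if ins[0].startswith("j")}
        needs_jmp = [s for s in succs if s != nxt and s not in already_jumped]
        if needs_jmp:
            instrs = instrs + [("jmp", needs_jmp[0])]
        out[b] = (instrs, succs)
    return out


def metamorphose(func):
    """Apply all three transformations, as a metamorphic engine would."""
    return transpose_blocks(substitute_instructions(insert_dead_code(func)))


def insert_opaque_branch(func):
    """Limitation: ecx was just zeroed, so `jne bogus` is never taken, but the
    static CFG gains a block and an edge and the structure feature changes."""
    out = dict(func)
    instrs, succs = func["body"]
    out["body"] = (instrs + [("cmp", "ecx", "0"), ("jne", "bogus")], succs + ["bogus"])
    out["bogus"] = ([("nop",)], ["done"])
    return out


def stability_report(func):
    """For each variant: does each feature still match the original?"""
    variants = {"dead_code": insert_dead_code(func),
                "substitution": substitute_instructions(func),
                "transposition": transpose_blocks(func),
                "all_three": metamorphose(func),
                "opaque_branch": insert_opaque_branch(func)}
    return {name: {"opcode": opcode_feature(v) == opcode_feature(func),
                   "structure": structure_feature(v) == structure_feature(func)}
            for name, v in variants.items()}


if __name__ == "__main__":
    for name, r in stability_report(ORIGINAL).items():
        print(f"{name:14s} opcode-match={r['opcode']!s:5s} structure-match={r['structure']}")
```

The opcode digest changes under every transformation, while the CFG label survives the three the abstract lists. The `opaque_branch` variant is included as the caveat a practitioner would want: a pure CFG-shape feature is not immune to obfuscations that add blocks or edges (opaque predicates, the intra-function analogue of the useless-function insertion the abstract mentions), so a deployed feature would need a tolerance threshold or a predicate-pruning pass rather than exact matching.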
Keywords/Search Tags:malware, metamorphism, code obfuscation, program structure feature, static analysis