Analysis and Detection of Metamorphic Computer Viruses

comparison between our approach and commercial virus scanners. I would also like to thank my friends and schoolmates for their technical and emotional support. I want to thank Yue Wang for performing the virus scanning, and Peter Hey for repairing my hard disk after it crashed at the most critical moment. Finally I want to thank my family for their understanding and support throughout my five years of graduate studies. They have shown the greatest care and patience which I truly appreciate. Abstract Computer virus writers commonly use metamorphic techniques to produce viruses that change their internal structure on each infection. It is generally believed that these metamorphic viruses are extremely difficult to detect. Metamorphic virus generating kits are readily available, so that little knowledge or skill is required to create these potentially devastating viruses. In this project, we first analyze four virus creation kits to determine the degree of metamorphism provided by each. We are able to precisely quantify the degree of metamorphism produced by these virus generators. While the best generator, the Next Generation Virus Creation Kit (NGVCK), produces virus variants that differ greatly from one another, the other three generators we examined are much less effective. We then show that three popular commercial virus scanners cannot detect any of the NGVCK viruses in our test set. We proceed to develop an effective metamorphic virus detection technique based on hidden Markov models (HMM). With this HMM detector, we are able to classify a given program as belonging to a particular virus family or not. Using this approach, we can detect all metamorphic viruses in our test set with extremely high accuracy. We also present a simpler detection method that detects metamorphic viruses with high accuracy. Our results show that the best available metamorphic generator is effective at morphing viral code and that the resulting morphed viruses are not detectable using popular commercial virus scanning software. Surprisingly, these viruses differ sufficiently from non-viral code so that they are detectable using a similarity technique that we present in this paper. It remains an interesting open question whether metamorphic viral code can be constructed which is undetectable using our techniques.