Team for Research in
Ubiquitous Secure Technology

Hunting for metamorphic engines
Mark Stamp, Wing Wong

Citation
Mark Stamp, Wing Wong. "Hunting for metamorphic engines". Talk or presentation, 6, August, 2006.

Abstract
Metamorphism has been touted as a way to generate undetectable viruses and worms, and it has also been suggested as a potential security-enhancing technique. Today metamorphic virus construction kits are readily available on the Internet. A visit to VX Heavens reveals more than 150 generators and engines to choose from in the category of "Worm/Virus Creation Tools". The purpose of a metamorphic generator is to create multiple instances of a virus which are sufficiently different from each other so as to avoid detection. How effective are these metamorphic engines? How different are the morphed variants? Is it possible to detect metamorphic viruses and worms? We analyze several metamorphic engines (including MPCGEN Mass Code Generator, G2, NGVCK, and VCL32). In each case, we precisely measure the similarity of different instances of the morphed code. We show that the morphing abilities of these engines vary widely. We also show that, ironically, the metamorphic viruses we tested are easy to distinguish from normal code, regardless of the effectiveness of the morphing. Our results indicate that, in practice, it may be more difficult to effectively use metamorphism as a means to avoid detection than is generally believed.

Citation formats
  • HTML
    Mark Stamp, Wing Wong. <a href="http://www.truststc.org/pubs/235.html"><i>Hunting for metamorphic engines</i></a>, Talk or presentation, 6, August, 2006.
  • Plain text
    Mark Stamp, Wing Wong. "Hunting for metamorphic engines". Talk or presentation, 6, August, 2006.
  • BibTeX
    @presentation{StampWong06_HuntingForMetamorphicEngines,
        author = {Mark Stamp and Wing Wong},
        title = {Hunting for metamorphic engines},
        day = {6},
        month = {August},
        year = {2006},
        abstract = {Metamorphism has been touted as a way to generate
                  undetectable viruses and worms, and it has also
                  been suggested as a potential security-enhancing
                  technique. Today metamorphic virus construction
                  kits are readily available on the Internet. A
                  visit to the VX Heavens reveals more than 150
                  generators and engines to choose from in the
                  category of "Worm/Virus Creation Tools". The
                  purpose of a metamorphic generator is to create
                  multiple instances of a virus which are
                  sufficiently different from each other so as to
                  avoid detection. How effective are these
                  metamorphic engines? How different are the morphed
                  variants? Is it possible to detect metamorphic
                  viruses and worms? We analyze several metamorphic
                  engines (including MPCGEN Mass Code Generator, G2,
                  NGVCK, and VCL32). In each case, we precisely
                  measure the similarity of different instances of
                  the morphed code. We show that the morphing
                  abilities of these engines vary widely. We also
                  show that, ironically, the metamorphic viruses we
                  tested are easy to distinguish from normal code,
                  regardless of the effectiveness of the morphing.
                  Our results indicate that, in practice, it may be
                  more difficult to effectively use metamorphism as
                  a means to avoid detection than is generally
                  believed.},
        URL = {http://www.truststc.org/pubs/235.html}
    }

Posted by Mark Stamp on 23 Mar 2007.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.