Mark Stamp, Wing Wong
Citation
Mark Stamp, Wing Wong. "Hunting for metamorphic engines". Talk or presentation, 6, August, 2006.
Abstract
Metamorphism has been touted as a way to generate undetectable viruses and worms, and it has also been suggested as a potential security-enhancing technique. Today metamorphic virus construction kits are readily available on the Internet. A visit to the VX Heavens reveals more than 150 generators and engines to choose from in the category of "Worm/Virus Creation Tools". The purpose of a metamorphic generator is to create multiple instances of a virus which are sufficiently different from each other so as to avoid detection. How effective are these metamorphic engines? How different are the morphed variants? Is it possible to detect metamorphic viruses and worms?
We analyze several metamorphic engines (include MPCGEN Mass Code Generator, G2, NGVCK, and VCL32). In each case, we precisely measure the similarity of different instances of the morphed code. We show that the morphing abilities of these engines varies widely. We also show that, ironically, the metamorphic viruses we tested are easy to distinguish from normal code, regardless of the effectiveness of the morphing. Our results indicate that, in practice, it may be more difficult to effectively use metamorphism as a means to avoid detection than is generally believed.
Electronic downloads
- metamorphic.pdf · application/pdf · 385 kbytes
| Citation formats |
- HTML
Mark Stamp, Wing Wong. <a href="http://www.truststc.org/pubs/235.html" ><i>Hunting for metamorphic engines</i></a>, Talk or presentation, 6, August, 2006.
- Plain text
Mark Stamp, Wing Wong. "Hunting for metamorphic engines". Talk or presentation, 6, August, 2006.
- BibTeX
@presentation{StampWong06_HuntingForMetamorphicEngines, author = {Mark Stamp and Wing Wong}, title = {Hunting for metamorphic engines}, day = {6}, month = {August}, year = {2006}, abstract = {Metamorphism has been touted as a way to generate undetectable viruses and worms, and it has also been suggested as a potential security-enhancing technique. Today metamorphic virus construction kits are readily available on the Internet. A visit to the VX Heavens reveals more than 150 generators and engines to choose from in the category of "Worm/Virus Creation Tools". The purpose of a metamorphic generator is to create multiple instances of a virus which are sufficiently different from each other so as to avoid detection. How effective are these metamorphic engines? How different are the morphed variants? Is it possible to detect metamorphic viruses and worms? We analyze several metamorphic engines (include MPCGEN Mass Code Generator, G2, NGVCK, and VCL32). In each case, we precisely measure the similarity of different instances of the morphed code. We show that the morphing abilities of these engines varies widely. We also show that, ironically, the metamorphic viruses we tested are easy to distinguish from normal code, regardless of the effectiveness of the morphing. Our results indicate that, in practice, it may be more difficult to effectively use metamorphism as a means to avoid detection than is generally believed.}, URL = {http://www.truststc.org/pubs/235.html} }
Posted by Mark Stamp on 23 Mar 2007.
For additional information, see the
Publications FAQ or
contact webmaster at www truststc org.
Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.