Metamorphic Code Generation from LLVM IR Bytecode

Metamorphic software changes its internal structure across generations with its functionality remaining unchanged. Metamorphism has been employed by malware writers as a means of evading signature detection and other advanced detection strate- gies. However, code morphing also has potential security benefits, since it increases the “genetic diversity” of software. In this research, we have created a metamorphic code generator within the LLVM compiler framework. LLVM is a three-phase compiler that supports multiple source languages and target architectures. It uses a common intermediate representation (IR) bytecode in its optimizer. Consequently, any supported high-level programming language can be transformed to this IR bytecode as part of the LLVM compila- tion process. Our metamorphic generator functions at the IR bytecode level, which provides many advantages over previously developed metamorphic generators. The morphing techniques that we employ include dead code insertion—where the dead code is actually executed within the morphed code—and subroutine permutation. We have tested the effectiveness of our code morphing using hidden Markov model analysis

HIDDEN MARKOV MODELS FOR SOFTWARE PIRACY DETECTION

The unauthorized copying of software is often referred to as software piracy. Soft- ware piracy causes billions of dollars of annual losses for companies and governments worldwide. In this project, we analyze a method for detecting software piracy. A meta- morphic generator is used to create morphed copies of a base piece of software. A hidden Markov Model is trained on the opcode sequences extracted from these mor- phed copies. The trained model is then used to score suspect software to determine its similarity to the base software. A high score indicates that the suspect software may be a modified version of the base software and, therefore, further investigation is warranted. In contrast, a low score indicates that the suspect software differs sig- nificantly from the base software. We show that our approach is robust, in the sense that the base software must be extensively modified before it is not detected

Evolution and Detection of Polymorphic and Metamorphic Malwares: A Survey

Malwares are big threat to digital world and evolving with high complexity. It can penetrate networks, steal confidential information from computers, bring down servers and can cripple infrastructures etc. To combat the threat/attacks from the malwares, anti- malwares have been developed. The existing anti-malwares are mostly based on the assumption that the malware structure does not changes appreciably. But the recent advancement in second generation malwares can create variants and hence posed a challenge to anti-malwares developers. To combat the threat/attacks from the second generation malwares with low false alarm we present our survey on malwares and its detection techniques.Comment: 5 Page

Metamorphic Viruses with Built-In Buffer Overflow

Metamorphic computer viruses change their structure—and thereby their signature—each time they infect a system. Metamorphic viruses are potentially one of the most dangerous types of computer viruses because they are difficult to detect using signature-based methods. Most anti-virus software today is based on signature detection techniques. In this project, we create and analyze a metamorphic virus toolkit which creates viruses with a built-in buffer overflow. The buffer overflow serves to obfuscate the entry point of the actual virus, thereby making detection more challenging. We show that the resulting viruses successfully evade detection by commercial virus scanners. Several modern operating systems (e.g., Windows Vista and Windows 7) employ address space layout randomization (ASLR), which is designed to prevent most buffer overflow attacks. We show that our proposed buffer overflow technique succeeds, even in the presence of ASLR. Finally, we consider possible defenses against our proposed technique

Pairwise Alignment of Metamorphic Computer Viruses

Computer viruses and other forms of malware pose a threat to virtually any software system (with only a few exceptions). A computer virus is a piece of software which takes advantage of known weaknesses in a software system, and usually has the ability to deliver a malicious payload. A common technique that virus writers use to avoid detection is to enable the virus to change itself by having some kind of self-modifying code. This kind of virus is commonly known as a metamorphic virus, and can be particularly difficult to detect [17]. Existing virus detection software is continually being improved upon in order to keep up with the rising complexity of today’s modern computer viruses. A new approach to detecting metamorphic viruses, which is an extension of an idea posed in a student writing project from a previous semester [17], will be considered in this project. If a large set of viruses in one “family” of metamorphic viruses can be treated as simple sequences of op-codes, then sequence analysis techniques used in other fields of study like bioengineering [4] could be used to develop a profile hidden Markov model (HMM). This profile would then be used to score an arbitrary op-code sequence (i.e. a program which may or may not be in the virus family) – if the output score exceeds a designated threshold it could be concluded that the input sequence was likely to have been from that same virus family. One of the most common techniques to detect viruses is called signature detection, which involves an analysis of known viruses to find signatures, or strings of bytes, which are found in viruses and not in most non-malicious code. If the virus is metamorphic it could potentially be difficult to find a single signature that will consistently be found in every version of a metamorphic virus. Since a profile HMM would score the overall similarity in structure to a virus “family”, it could theoretically detect the virus even if a reliable signature cannot be created. In order to develop a profile HMM for a virus family, the first step is to create a multiple sequence alignment (MSA) for the set of family viruses; this can then be used to “train” the profile HMM. This paper will concentrate on the techniques for creating MSA’s for real world virus op-code sequences which will best match the virus family, as well as to discuss the overall plausibility of the idea of using a profile HMM to detect metamorphic viruses. Creating and testing the profile HMM to detect the viruses will be the subject of another student project

Metamorphic Detection via Emulation

In parallel with improvements in anti-virus technologies, computer virus writers have developed innovative viruses that are challenging to detect. Metamorphic viruses change their appearance from one generation to another by using various code obfuscation techniques. Today, signature detection is the most common method used in anti-virus products, but well designed metamorphic viruses cannot be detected using signatures. Hence, there is a need for a more robust anti-virus technology.To counter metamorphic virus, a very successful tool based on hidden Markov models (HMM) has been previously developed. This tool was able to detect all hacker produced metamorphic viruses on which it was tested. However, a weakness of this tool was exploited to develop an advanced metamorphic virus generator. These morphed viruses, which were not detected by the HMM based technique or standard signature-based detection, rely on carefully selected dead code insertion for their success.In this project, we have created a code emulator designed specifically to detect dead code in any virus file. The output of this code emulator is then used to enhance HMM-based detection of metamorphic viruses. We test our emulator on the previously mentioned metamorphic generator, using the existing HMM detector to determine the quality of our results

Metamorphic Code Generator based on bytecode of LLVM IR

Metamorphic software is famous for changing the internal structure of the code while keeping the functionality same. In order to escape the signature detection along with some advanced detection techniques, many malware writers have used metamorphism as the means. On the other hand, code morphing technique increases the diversity of the software which is considered to be a potential security advantage. In our paper, we have developed a metamorphic code generator based on the LLVM framework. The architecture of LLVM has a three-phase compiler design which includes the front end, the optimizer and the back end. It also gives assistance to various source languages and designs which can be considered as a target. LLVM Intermediate Representation(IR) is the most important aspect of LLVM that uses a common IR bytecode within its optimizer. As a result of this, the compilation process of LLVM can transform any high-level language to its IR bytecode. The metamorphic code generator that we have developed works at this IR bytecode level. Leveraging on the dead code obfuscation technique from the previous research, we have implemented a much more difficult technique of instruction substitution at the IR bytecode level. Hence this paper discusses the implementation of obfuscation techniques like dead code insertion, subroutine reordering, and instruction substitution. The effectiveness of these techniques have been tested by using the Hidden Markov Model

Code Obfuscation and Virus Detection

Typically, computer viruses and other malware are detected by searching for a string of bits which is found in the virus or malware. Such a string can be viewed as a “fingerprint” of the virus. These “fingerprints” are not generally unique; however they can be used to make rapid malware scanning feasible. This fingerprint is often called a signature and the technique of detecting viruses using signatures is known as signaturebased detection [8]. Today, virus writers often camouflage their viruses by using code obfuscation techniques in an effort to defeat signature-based detection schemes. So-called metamorphic viruses are viruses in which each instance has the same functionality but differs in its internal structure. Metamorphic viruses differ from polymorphic viruses in the method they use to hide their signature. While polymorphic viruses primarily rely on encryption for signature obfuscation, metamorphic viruses hide their signature via “mutating” their own code [3]. The paper [1] provides a rigorous proof that metamorphic viruses can bypass any signature-based detection, provided the code obfuscation has been done carefully based on a set of specified rules. Specifically, according to [1], if dead code is added and the control flow is changed sufficiently by inserting jump statements, the virus cannot be detected. In this project we first developed a code obfuscation engine conforming to the rules in [1]. We then used this engine to create metamorphic variants of a seed virus (created using the PS-MPK virus creation kit [15]) and demonstrated the validity of the assertion in [1] about metamorphic viruses and signature based detectors. In the second phase of this project we validated another theory advanced in [2], namely, that machine learning based methods¾specifically ones based on Hidden Markov Model (HMM) ¾can detect metamorphic viruses. In other words, we show that a collection of metamorphic viruses which are (provably) undetectable via signature detection techniques can nevertheless be detected using an HMM approach

Structural Entropy and Metamorphic Malware

Metamorphic malware is capable of changing its internal structure without al- tering its functionality. A common signature is nonexistent in highly metamorphic malware. Consequently, such malware may remain undetected even under emulation and signature scanning combined. In this project, we use the concept of structural entropy to analyze variations in the complexity of data within a file. The process consists of two stages, namely, file segmentation and sequence comparison. In the file segmentation stage, we use entropy measurements and wavelet analysis to segment a file. The second stage measures the similarity of files by computing the edit distance between sequence segments. We apply this technique to the metamorphic detection problem and show that we can obtain strong results in certain challenging cases