
    Metamorphic Code Generation from LLVM IR Bytecode

    Metamorphic software changes its internal structure across generations with its functionality remaining unchanged. Metamorphism has been employed by malware writers as a means of evading signature detection and other advanced detection strategies. However, code morphing also has potential security benefits, since it increases the “genetic diversity” of software. In this research, we have created a metamorphic code generator within the LLVM compiler framework. LLVM is a three-phase compiler that supports multiple source languages and target architectures. It uses a common intermediate representation (IR) bytecode in its optimizer. Consequently, any supported high-level programming language can be transformed to this IR bytecode as part of the LLVM compilation process. Our metamorphic generator functions at the IR bytecode level, which provides many advantages over previously developed metamorphic generators. The morphing techniques that we employ include dead code insertion—where the dead code is actually executed within the morphed code—and subroutine permutation. We have tested the effectiveness of our code morphing using hidden Markov model analysis.

    HIDDEN MARKOV MODELS FOR SOFTWARE PIRACY DETECTION

    The unauthorized copying of software is often referred to as software piracy. Software piracy causes billions of dollars of annual losses for companies and governments worldwide. In this project, we analyze a method for detecting software piracy. A metamorphic generator is used to create morphed copies of a base piece of software. A hidden Markov Model is trained on the opcode sequences extracted from these morphed copies. The trained model is then used to score suspect software to determine its similarity to the base software. A high score indicates that the suspect software may be a modified version of the base software and, therefore, further investigation is warranted. In contrast, a low score indicates that the suspect software differs significantly from the base software. We show that our approach is robust, in the sense that the base software must be extensively modified before it is not detected.

    FIREFOX ADD-ON FOR METAMORPHIC JAVASCRIPT MALWARE DETECTION

    With the increasing use of the Internet, malicious software has more frequently been designed to take control of users' computers for illicit purposes. Cybercriminals are putting in a lot of effort to make malware difficult to detect. In this study, we demonstrate how metamorphic JavaScript malware can affect a victim’s machine using a malicious or compromised Firefox add-on. Following the same methodology, we develop another add-on with a static malware detection technique to detect metamorphic JavaScript malware.

    Performance of Malware Classification on Machine Learning using Feature Selection

    The exponential growth of malware has created a significant threat in our daily lives, which heavily rely on computers running all kinds of software. Malware writers create malicious software by creating new variants, new innovations, new infections and more obfuscated malware using techniques such as packing and encryption. Malicious software classification and detection play an important role and pose a big challenge for cyber security research. Due to the increasing rate of false alarms, the accurate classification and detection of malware is a necessity that must be addressed. In this research, eight malware families have been classified according to their family; the research provides four feature selection algorithms to select the best features for the multiclass classification problem. Comparing these algorithms, their top 100 features are selected for performance evaluation. Five machine learning algorithms are compared to find the best model. Then the frequency distribution of features is found by feature ranking of the best model. At last, it is shown that the frequency distribution of every character of the API call sequence can be used to classify malware families.

    Assessing Code Obfuscation of Metamorphic JavaScript

    Metamorphic malware is one of the biggest and most ubiquitous threats in the digital world. It can be used to morph the structure of the target code without changing the underlying functionality of the code, thus making it very difficult to detect using signature-based detection and heuristic analysis. The focus of this project is to analyze metamorphic JavaScript malware and techniques that can be used to mutate the code in JavaScript. To assess the capabilities of the metamorphic engine, we performed experiments to visualize the degree of code morphing. Further, this project discusses potential methods that have been used to detect metamorphic malware and their potential limitations. Based on the experiments performed, SVM has shown promise when it comes to detecting and classifying metamorphic code with a high accuracy. An accuracy of 86% is observed when classifying benign, malware and metamorphic files.

    Metamorphic Java Engine

    Malware is a software program outlined to damage or perform other unwanted actions on a computer system. Metamorphic malware is a category of malignant software programs that has the ability to change its code as it propagates. A hidden Markov model (HMM) is a statistical model where the system is assumed to be a Markov process with unseen states. An HMM is based on the use of statistics to detect patterns, and hence can be used in metamorphic virus detection. Previous work has been done in order to create morphing engines using the LLVM bytecode format. This project includes the creation of a morphing engine for Java bytecode, using different code obfuscation techniques. The next aspect is to focus on detection techniques, specifically HMMs, for validation of the created engine. The results presented show that HMMs fail to detect the presence of morphing, provided a specific set of rules has been followed during the creation of the metamorphic engine.

    Evasion and Detection of Metamorphic Viruses

    Metamorphic viruses mutate their own code to produce viral copies which are syntactically different from their parents, but functionally equivalent. The viral copies thus produced may have different signatures, rendering signature-based virus scanners unreliable. New age anti-virus products employ a combination of signature scanning and heuristic techniques to defeat such viruses. In this project, a metamorphic engine, which uses code obfuscation techniques, is implemented to bypass commercial scanners. A set of anti-heuristic strategies are used to evade code emulation and heuristic detection. Using a combination of the above techniques, the detection rate of a well-known sample virus is reduced significantly. Finally, a brief comparative study of major commercial anti-virus software is performed with respect to their detection capability.

    Metamorphic Viruses with Built-In Buffer Overflow

    Metamorphic computer viruses change their structure—and thereby their signature—each time they infect a system. Metamorphic viruses are potentially one of the most dangerous types of computer viruses because they are difficult to detect using signature-based methods. Most anti-virus software today is based on signature detection techniques. In this project, we create and analyze a metamorphic virus toolkit which creates viruses with a built-in buffer overflow. The buffer overflow serves to obfuscate the entry point of the actual virus, thereby making detection more challenging. We show that the resulting viruses successfully evade detection by commercial virus scanners. Several modern operating systems (e.g., Windows Vista and Windows 7) employ address space layout randomization (ASLR), which is designed to prevent most buffer overflow attacks. We show that our proposed buffer overflow technique succeeds, even in the presence of ASLR. Finally, we consider possible defenses against our proposed technique.

    Computer-aided constrained writing

    How can computers aid human creative processes without impinging on human creativity? I enjoy writing poetry, and I do not want to be made obsolete by an artificial poet. But what if computers could help rather than replace me? I want creative control over my work. All the creative decisions are to be mine, but creative choices alone do not make a poem. Choices must also be implemented. In this thesis I shall explore the role of computer-aids within a creative workflow, specifically when employing writing constraints, such as those defined by the Ouvroir de Littérature Potentielle (OuLiPo). I am approaching this topic both as a creative writer and a computer scientist. I shall investigate the how of constrained writing and the what of computer-aids through practical experimentation and observation. From these foundations I shall argue that computers need not impinge on human creativity and that a human:computer partnership may take advantage of the strengths of each while mitigating the weaknesses of the other. I shall discuss what must be considered when designing such computer-aids and explore how this could be implemented within a software application.

    Counter intrusion software: Malware detection using structural and behavioural features and machine learning

    Over the past twenty-five years malicious software has evolved from a minor annoyance to a major security threat. Authors of malicious software are now more likely to be organised criminals than bored teenagers, and modern malicious software is more likely to be aimed at stealing data (and hence money) than trashing data. The arms race between malware authors and manufacturers of anti-malware software continues apace, but despite this, the majority of anti-malware solutions still rely on relatively old technology such as signature scanning, which works well enough in the majority of cases but which has long been known to be ineffective if signatures are not updated regularly. The need for regular updating means there is often a critical window, between the publication of a flaw exploitable by malware and the distribution of the appropriate countermeasures or signature, during which a user system is open to attack by hitherto unseen malware. The object of this thesis is to determine if it is practical to use machine learning techniques to abstract generic structural or behavioural features of malware which can then be used to recognise hitherto unseen examples. Although a sizeable amount of research has been done on various ways in which malware detection might be automated, most of the proposed methods are burdened by excessive complexity. This thesis looks specifically at the possibility of using learning systems to classify software as malicious or non-malicious based on easily-collectable structural or behavioural data. On the basis of the experimental results presented herein it may be concluded that classification based on such structural data is certainly possible, and on behavioural data is at least feasible.