Metamorphic Virus: Analysis and Detection

by Evgenios Konstantinou

Abstract:

Metamorphic viruses transform their code as they propagate, thus evading
detection by static signature-based virus scanners, while keeping their functionality.
They use code obfuscation techniques to challenge deeper static
analysis and can also beat dynamic analyzers, such as emulators, by altering
their behavior. To achieve this, metamorphic viruses use several metamorphic
transformations, including register renaming, code permutation, code
expansion, code shrinking, and garbage code insertion. In this thesis, an
in-depth analysis of metamorphic viruses is presented, along with the techniques
they use to transform their code to new generations. In order to give
a better understanding of metamorphic viruses, a general discussion on malicious
code and detection techniques is given first. Then, the description of
several techniques to detect metamorphic viruses is given. A fair number of
papers on metamorphic viruses exists in the literature, but no one is a complete
discussion of all metamorphic techniques and detection methods. This
thesis aims at a complete discussion of all metamorphic techniques used by
virus writers so far, and all detection techniques implemented in antivirus
products or still experimental. It accomplishes this by an in-depth research
on malware and metamorphic viruses, through the existing literature. Due
to space and time limitations, an exhaustive discussion was not possible in
this thesis.