Metamorphic malware change as they reproduce or propagate, making it difficult to find consistent patterns in the variants. This, in turn, makes it challenging to recognize and stop the programs. We are seeking to develop a theoretical understand various classes of metamorphic malware, and to develop sound techniques for managing metamorphism.
Research in this area includes:
- A better theoretical understanding of metamorphic programs and their powers. We are presently developing a classification system for malware that seeks to organize them according to the theoretical powers each class has for obfuscation; this is also expected to lead to better threat models.
- Theory-guided methods for handling malware given the understood threat models.
Normalizing Malware: The “Unmorph” Project
One class of metamorphic programs are those that perform only semantics-preserving transformations of their own code such that they can be characterized by a conditional term rewriting system. We have shown that once the metamorphic “engine” (i.e., transformation engine) is modeled it is frequently possible to either automatically or semi-automatically build a normalizer for that engine. These normalizers are proven to never create false positive or negative matches. We have also shown that certain approximations may be possible, making the normalization process much more efficient at the cost of some false negatives. A prototype term-rewriting normalizer was constructed using TXL, and a case study illustrated the feasibility of the approach using the W32/Evol worm as a subject.