Metamorphic Virus Variants Classification Using Opcode Frequency Histogram
Babak Bashari Rad, Maslin Masrom

TL;DR
This paper proposes a static analysis method using opcode frequency histograms and Euclidean distance to detect metamorphic virus variants, which evade traditional signature-based detection by obfuscating their code.
Contribution
It introduces a novel static analysis technique leveraging opcode frequency histograms and Euclidean distance for identifying metamorphic virus variants.
Findings
Effective detection of certain metamorphic virus variants.
Histogram-based similarity measure can distinguish obfuscated virus versions.
Potential to enhance non-string signature scanning methods.
Abstract
In order to prevent detection and evade the signature-based scanning methods normally employed by antivirus software, metamorphic viruses use several different obfuscation approaches. They transform their code into new instances that look entirely or partly different and contain dissimilar string sequences, but their behavior and function remain unchanged. This obfuscation process allows them to stay away from string-based signature detection. In this research, we use a statistical technique to compare the similarity between two files infected by two morphed versions of a given metamorphic virus. Our proposed solution is based on static analysis and uses the histogram of machine instruction frequencies in various offspring of obfuscated viruses. We use the Euclidean histogram distance metric to compare a pair of portable executable (PE) files. The aim of this study is to show that…
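As an added illustration of the method the abstract describes (example code, not the paper's own implementation), the following builds opcode frequency histograms for three constructed instruction listings and compares them by Euclidean distance; the listings, the relative-frequency normalization and the 0.3 decision threshold are assumptions of this example, and disassembly of the PE files is taken as already done.

```python
from collections import Counter
from math import sqrt

# Constructed x86 listings standing in for disassembled PE code sections (not
# data from the paper). VARIANT_B is VARIANT_A after typical metamorphic
# rewriting: registers renamed, junk `nop`/`xchg` inserted, `mov ecx, 0`
# replaced by the equivalent `xor ebx, ebx`. UNRELATED is a different routine.
VARIANT_A = ["push ebp", "mov ebp, esp", "mov eax, [ebp+8]", "mov ecx, 0",
             "cmp eax, ecx", "jz done", "add ecx, eax", "dec eax", "jmp loop",
             "mov [ebp-4], ecx", "pop ebp", "ret"]
VARIANT_B = ["push ebp", "mov ebp, esp", "nop", "mov edx, [ebp+8]",
             "xor ebx, ebx", "xchg eax, eax", "cmp edx, ebx", "jz done",
             "add ebx, edx", "dec edx", "jmp loop", "mov [ebp-4], ebx",
             "pop ebp", "ret"]
UNRELATED = ["push esi", "push edi", "call GetProcAddress", "test eax, eax",
             "jz fail", "lea esi, [ebp-20]", "rep movsb", "call eax",
             "pop edi", "pop esi", "ret"]

def mnemonics(listing):
    # The mnemonic is the first token; a prefix such as `rep` is counted
    # as its own mnemonic (a simplification of this example).
    return [line.split()[0].lower() for line in listing if line.strip()]

def opcode_histogram(listing, alphabet):
    # Relative frequency per mnemonic, in the fixed `alphabet` order, so the
    # vectors are comparable regardless of section size (normalization is
    # this example's assumption, not a detail stated in the abstract).
    counts = Counter(mnemonics(listing))
    total = sum(counts.values())
    return [counts[m] / total for m in alphabet]

def euclidean_distance(h1, h2):
    return sqrt(sum((a - b) ** 2 for a, b in zip(h1, h2)))

def distance(listing_a, listing_b):
    # Histograms are built over the union of both listings' mnemonics, so an
    # opcode present in only one side contributes its full frequency.
    alphabet = sorted(set(mnemonics(listing_a)) | set(mnemonics(listing_b)))
    return euclidean_distance(opcode_histogram(listing_a, alphabet),
                              opcode_histogram(listing_b, alphabet))

def is_variant(candidate, reference, threshold=0.3):
    # Assumed decision threshold: morphing that only renames registers and
    # inserts a few junk instructions keeps the distance well below it.
    return distance(candidate, reference) < threshold

if __name__ == "__main__":
    print(f"A vs B (morphed):  {distance(VARIANT_A, VARIANT_B):.3f}")  # 0.175
    print(f"A vs unrelated:    {distance(VARIANT_A, UNRELATED):.3f}")  # 0.465
```

Register renaming leaves the histogram untouched; only the inserted junk and the substituted instruction move the morphed variant away from the original, which is why the distance stays far below that of the unrelated routine.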
Taxonomy
Topics: Advanced Malware Detection Techniques · Software Testing and Debugging Techniques · Digital and Cyber Forensics
