Metamorphic Virus Detection in Portable Executables Using Opcodes Statistical Feature

TL;DR

This paper proposes a static analysis method using opcode frequency histograms and Minkowski distance to detect metamorphic viruses in portable executables, addressing challenges posed by code obfuscation techniques.

Contribution

It introduces a novel approach leveraging statistical opcode features and histogram distance measures for metamorphic virus detection based on static analysis.

Findings

Effective in identifying mutated virus variants

Uses opcode histogram similarity for detection

Applicable to various obfuscation techniques

Abstract

Metamorphic viruses engage different mutation techniques to escape from string signature based scanning. They try to change their code in new offspring so that the variants appear non-similar and have no common sequences of string as signature. However, all versions of a metamorphic virus have similar task and performance. This obfuscation process helps to keep them safe from the string based signature detection. In this study, we make use of instructions statistical features to compare the similarity of two hosted files probably occupied by two mutated forms of a specific metamorphic virus. The introduced solution in this paper is relied on static analysis and employs the frequency histogram of machine opcodes in different instances of obfuscated viruses. We use Minkowski-form histogram distance measurements in order to check the likeness of portable executables (PE). The purpose of this research is to present an idea that for a number of special obfuscation approaches the presented solution can be used to identify morphed copies of a file. Thus, it can be applied by antivirus scanner to recognize different versions of a metamorphic virus.