TY - GEN
T1 - MetaHunt
T2 - 3rd ACM Workshop on Software Protection, SPRO 2019
AU - Wang, Li
AU - Xu, Dongpeng
AU - Ming, Jiang
AU - Fu, Yu
AU - Wu, Dinghao
N1 - Funding Information:
We thank the anonymous reviewers for their valuable feedback. This research was supported in part by the National Science Foundation (NSF) grants CNS-1652790, and the Office of Naval Research (ONR) grants N00014-16-1-2265, N00014-16-1-2912, and N00014-17-1-2894. Jiang Ming was also supported by the University of Texas System STARs Program.
Publisher Copyright:
© 2019 ACM.
PY - 2019/11/15
Y1 - 2019/11/15
N2 - As the underground industry of malware prospers, malware developers consistently attempt to camouflage malicious code and undermine malware detection with various obfuscation schemes. Among them, metamorphism is known to have the potential to defeat popular signature-based malware detection. A metamorphic malware sample mutates its code during propagation so that each instance of the same family exhibits little resemblance to another variant. Especially with the development of compiler and binary rewriting techniques, metamorphic malware will eventually become much easier to develop and to spread. To fully understand the metamorphic engine, the core part of metamorphic malware, we attempt to systematically study the evolution of metamorphic malware over time. Unlike previous work, we do not require any prior knowledge about the metamorphic engine in use. Instead, we perform trace-based semantic binary diffing to compare mutated code iteratively and memoize semantically equivalent basic blocks. We have developed a prototype, called MetaHunt, and evaluated it with 1,400 metamorphic malware variants. Our experimental results show that MetaHunt can accurately capture the semantics of unknown metamorphic engines, and all of the comparisons converge in a reasonable time. Besides, MetaHunt identifies several metamorphic engine bugs that lead to semantics-breaking transformations. We summarize the lessons learned from our empirical study, hoping to stimulate the design of mutation-aware solutions that defend against this threat proactively.
UR - http://www.scopus.com/inward/record.url?scp=85098633078&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85098633078&partnerID=8YFLogxK
U2 - 10.1145/3338503.3357720
DO - 10.1145/3338503.3357720
M3 - Conference contribution
AN - SCOPUS:85098633078
T3 - SPRO 2019 - Proceedings of the 3rd ACM Workshop on Software Protection
SP - 15
EP - 26
BT - SPRO 2019 - Proceedings of the 3rd ACM Workshop on Software Protection
PB - Association for Computing Machinery, Inc
Y2 - 15 November 2019
ER -