Presented at DEF CON 14 (2006)
Aug. 5, 2006, 2 p.m.
Metamorphism has been touted as a way to generate undetectable viruses and worms, and it has also been suggested as a potential security-enhancing technique. Today metamorphic virus construction kits are readily available on the Internet. A visit to the VX Heavens reveals more than 150 generators and engines to choose from in the category of "Worm/Virus Creation Tools". The purpose of a metamorphic generator is to create multiple instances of a virus which are sufficiently different from each other so as to avoid detection. How effective are these metamorphic engines? How different are the morphed variants? Is it possible to detect metamorphic viruses and worms?
We analyze several metamorphic engines (include MPCGEN Mass Code Generator, G2, NGVCK, and VCL32). In each case, we precisely measure the similarity of different instances of the morphed code. We show that the morphing abilities of these engines varies widely. We also show that, ironically, the metamorphic viruses we tested are easy to distinguish from normal code, regardless of the effectiveness of the morphing. Our results indicate that, in practice, it may be more difficult to effectively use metamorphism as a means to avoid detection than is generally believed.
Wing H. Wong
Wing H. Wong is a graduate student at San Jose State University. Her research interests include network security and bioinformatics.
- Assistant Professor
Mark Stamp can neither confirm nor deny that he spent 7 years as a National Security Agency cryptanalyst. However, he can confirm that he spent 2 years as Chief Cryptologic Scientist at a small Silicon Valley startup, where he helped develop a digital rights management (DRM) system. For the past 4 years he has been Assistant Professor in the Department of Computer Science at San Jose State University, where he teaches courses in information security, networking, and cryptography. He recently published a textbook, Information Security: Principles and Practice (Wiley Interscience, 2006) and he has just completed a second textbook, Applied Cryptanalysis.