Are current antivirus programs able to detect complex metamorphic malware? An empirical evaluation.

Abstract: In this paper, we present the design of a metamorphic engine representing a type of hurdle that antivirus systems need to get over in their fight against malware. First we describe the two steps of the engine replication process: obfuscation and modeling. Then, we apply this engine to a real worm to evaluate current antivirus products' detection capacities. This assessment leads to a classification of detection tools, based on their observable behavior, in two main categories: the first one, relying on static detection techniques, presents low detection rates obtained by heuristic analysis. The second one, composed of dynamic detection programs, focuses only on elementary suspicious actions. Consequently, no products appear to reliably detect the candidate malware after application of the metamorphic engine. Through this evaluation of antivirus products, we hope to help defenders understand and defend against the threat represented by this class of malware.
Document type: Conference papers

https://hal-supelec.archives-ouvertes.fr/hal-00441581
Contributor: Myriam Andrieux
Submitted on: Wednesday, December 16, 2009 - 3:51:26 PM
Last modification on: Thursday, March 29, 2018 - 11:06:04 AM

Identifiers

  • HAL Id: hal-00441581, version 1

Citation

Jean-Marie Borello, Eric Filiol, Ludovic Mé. Are current antivirus programs able to detect complex metamorphic malware? An empirical evaluation. 18th EICAR Annual Conference, May 2009, France. 19 p. ⟨hal-00441581⟩
