Metamorphic Virus Variants Classification Using Opcode Frequency Histogram

In order to prevent detection and evade signature-based scanning methods, which are normally exploited by antivirus softwares, metamorphic viruses use several various obfuscation approaches. They transform their code in new instances as look entirely or partly different and contain dissimilar sequences of string, but their behavior and function remain unchanged. This obfuscation process allows them to stay away from the string based signature detection. In this research, we use a statistical technique to compare the similarity between two files infected by two morphed versions of a given metamorphic virus. Our proposed solution based on static analysis and it uses the histogram of machine instructions frequency in various offspring of obfuscated viruses. We use Euclidean histogram distance metric to compare a pair of portable executable (PE) files. The aim of this study is to show that for some particular obfuscation methods, the presented solution can be exploited to detect morphed varieties of a file. Hence, it can be utilized by non-string based signature scanning to identify whether a file is a version of a metamorphic virus or not. Key-Words: Computer Virus, Metamorphic Virus, Obfuscation Techniques, Virus Detection, Virus Classification, Opcode Frequency Histogram,