A Syntactic Approach for Detecting Viral Polymorphic Malware Variants

  • Vijay NaiduEmail author
  • Ajit Narayanan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9650)


Polymorphic malware is currently difficult to identify. Such malware is able to mutate into functionally equivalent variants of themselves. Modern detection techniques are not adequate against this rapidly-mutating polymorphic malware. The age-old approach of signature-based detection is the only one that has the highest detection rate in real time and is used by almost all antivirus software products. The process of current signature extraction has so far been by manual evaluation. Even the most advanced malware detection process which employs heuristic-based approaches requires progressive evaluation and modification by humans to keep up with new malware variants. The aim of the research reported here is to investigate efficient and effective techniques of string matching algorithm for the automatic identification of some or all new polymorphic malware. We demonstrate how our proposed syntactic-based approach using the well-known string matching Smith-Waterman algorithm can successfully detect the known polymorphic variants of JS.Cassandra virus. Our string-matching approach may revolutionize our understanding of polymorphic variant generation and may lead to a new phase of syntactic-based anti-viral software.


String matching algorithm Smith-Waterman algorithm JS.Cassandra virus Polymorphic javaScript virus Hex and DNA sequences Automatic signature generation 


  1. 1.
    Thompson, G.R., Flynn, L.A.: Polymorphic malware detection and identification via context-free grammar homomorphism. Bell Labs Tech. J. Inf. Technol./Netw. Secur. 12(3), 139–147 (2007)CrossRefGoogle Scholar
  2. 2.
    Kruegel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Polymorphic worm detection using structural information of executables. In: Proceedings of 8th International Symposium on Recent Advances in Intrusion Detection, pp. 207–226. IEEE (2005)Google Scholar
  3. 3.
    VX Heaven. (2015) VX Heavens Library, 3 May 2015.
  4. 4.
    Kaspersky Anti-virus 6.0. Kaspersky Lab (2005).
  5. 5.
    Advanced Virus Detection Scan Engine and DATs: Comprehensive Scanning Technology for Today’s Threats and Tomorrow’s. Network Associates Technology (2002).
  6. 6.
    Understanding Heuristics Symantec’s Bloodhound Technology. Symantec (1997).
  7. 7.
    Newsome, J., Karp, B., Song, D.: Polygraph: automatically generating signatures for polymorphic worms. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 226–241. IEEE (2005)Google Scholar
  8. 8.
    Dullien, T., Rolles, R.: Graph-based comparison of executable objects. In: Proceedings of Symposium sur la Securite des Technologies de I’Information et des Communications, SSTIC (2005)Google Scholar
  9. 9.
    Flake, H.: Structural comparison of executable objects. In: Proceedings of IEEE Conference on Detection of Intrusions and Malware and Vulnerability Assessment, pp. 161–173. IEEE (2004)Google Scholar
  10. 10.
    Sabin, T.: Comparing Binaries with Graph Isomorphisms. SecuriTeam (2004).
  11. 11.
    Cohen, F.B.: Computer viruses: theory and experiments. Comput. Secur. 6(1), 22–35 (1987)CrossRefGoogle Scholar
  12. 12.
    Cohen, F.B.: Computational aspects of computer viruses. Comput. Secur. 8(4), 325–344 (1989)CrossRefGoogle Scholar
  13. 13.
    Adleman, L.M.: An abstract theory of computer viruses. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 354–374. Springer, Heidelberg (1990)Google Scholar
  14. 14.
    Zuo, Z., Zhou, M.: Some further theoretical results about computer viruses. Comput. J. 47(6), 627–633 (2004)CrossRefGoogle Scholar
  15. 15.
    Robiah, Y., Rahayu, S., Zaki, M., Shahrin, S., Faizal, M.A., Marliza, R.: A new generic taxonomy on hybrid malware detection technique. Int. J. Comput. Sci. Inf. Secur. 5(1), 56–60 (2009)Google Scholar
  16. 16.
    Fukushima, Y., Sakai, A., Hori, Y., Sakurai, K.: A behaviour based malware detection scheme for avoiding false positive. In: Proceedings of 6th IEEE Workshop on Secure Network Protocols (NPSec), pp. 79–84. IEEE (2010)Google Scholar
  17. 17.
    Elhadi, A.A.E., Maarof, M.A., Osman, A.H.: Malware detection based on hybrid signature behaviour application programming interface call graph. Am. J. Appl. Sci. 9(3), 283–288 (2012)CrossRefGoogle Scholar
  18. 18.
    Idika, N., Mathur, A.P.: A survey of malware detection techniques. Technical report 286, Department of Computer Science, Purdue University, USA, 7 July 2014 (2007).
  19. 19.
    Skoudis, E., Zeltser, L.: Malware: Fighting Malicious Code. Prentice Hall Professional, Upper Saddle River (2004)Google Scholar
  20. 20.
    Chaumette, S., Ly, O., Tabary, R.: Automated extraction of polymorphic virus signatures using abstract interpretation. In: Proceedings of the Network and System Security, pp. 41–48. NSS (2011)Google Scholar
  21. 21.
    Filiol, E.: Metamorphism, formal grammars and undecidable code mutation. Int. J. Comput. Sci. 2, 70–75 (2007)Google Scholar
  22. 22.
    Gold, E.: Language identification in the limit. Inf. Control 5, 447–474 (1967)CrossRefzbMATHGoogle Scholar
  23. 23.
    The Art of Stealthy Viruses (2006) Hackerz Voice, 27 April 2015.
  24. 24.
    Naidu, V., Narayanan, A.: Further experiments in biocomputational structural analysis of malware. In: 10th International Conference on Natural Computation. ICNC, pp. 605–610 (2014)Google Scholar
  25. 25.
    Oracle VM VirtualBox (2015) VirtualBox, 10 March 2014.
  26. 26.
    JS.Cassandra by Second Part To Hell (2015) rRlF#4 (Redemption), 9 March 2015.
  27. 27.
    Tutorials– Win32 Polymorphism (2014) VX Heavens, 10 March 2015.
  28. 28.
    Viruses: Second Part To Hell’s Artworks – VIRUSES (2004), 10 March 2015.
  29. 29.
    JAligner (2010) JAligner: Java Implementation of the Smith-Waterman algorithm for biological sequence alignment – SourceForge. 1 May 2015.
  30. 30.
    Charras, C., Lecroq, T.: Exact String Matching Algorithms. Univ. de Rouen (1997), 30 April 2015.
  31. 31.
    Smith, T.F., Waterman, M.S.: Identification of common molecular subsequences. J. Mol. Biol. 147, 195–197 (1981)CrossRefGoogle Scholar
  32. 32.
    ClamAV Source Code Download (2014) ClamAV, 10 March 2014.
  33. 33.
    Top 10 Best Antivirus Software for 2015 – Top Ten Reviews (2015) TopTenReviews, 10 September 2015.
  34. 34.
    Create Your Own Anti-Virus Signatures with ClamAV (2008) Adam Sweet’s Blog, 26 February 2015. and

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.School of Computer and Mathematical SciencesAuckland University of TechnologyAucklandNew Zealand

Personalised recommendations