NUST Institutional Repository

METAMORPHIC TECHNIQUES AND THEIR APPLICATION ON HAVEX MALWARE


dc.contributor.author Mumtaz, Zainub
dc.date.accessioned 2021-01-11T06:51:27Z
dc.date.available 2021-01-11T06:51:27Z
dc.date.issued 2017
dc.identifier.uri http://10.250.8.41:8080/xmlui/handle/123456789/20834
dc.description.abstract Most commercial antivirus products are signature-based, that is, they use an existing signature database to detect malware. Malware authors use code obfuscation techniques to evade detection by antivirus software. Metamorphic malware changes its internal structure, thereby evading signature-based detection. Various techniques for detecting obfuscated malware can also be found in the literature. Havex is an exclusive malware used in a cyber-espionage campaign launched by a group of attackers known as Dragonfly or Energetic Bear; it infects the Windows OS. It has so far targeted multiple sectors, such as industrial/machinery, manufacturing, pharmaceutical, construction, education and Information Technology. Its main target is ICS and SCADA systems. Havex uses multiple attack vectors to compromise its targets, coordinating with Command and Control infrastructure to download a set of payloads. For effective defense against malware, its construction needs to be explored. This includes the study of different obfuscation techniques and the possibilities of extending them. This thesis focuses on malware obfuscation techniques, including dead code insertion, instruction substitution and function permutation. The objective is to make detection difficult by implementing the subject techniques, which bypass detection. Havex malware is used as a proof of concept for our antivirus evasion strategy. We have used Hidden Markov Models (HMM), a statistical machine-learning detection method, to test the effectiveness of our code morphing. This has shown the strength of our implemented obfuscation techniques. en_US
dc.description.sponsorship Dr. Mehreen Afzal en_US
dc.language.iso en en_US
dc.publisher MCS, National University of Sciences and Technology en_US
dc.subject HAVEX MALWARE, METAMORPHIC TECHNIQUES en_US
dc.title METAMORPHIC TECHNIQUES AND THEIR APPLICATION ON HAVEX MALWARE en_US
dc.type Thesis en_US