Classification and detection of metamorphic malware using value set analysis

Metamorphic malware changes the structure of its code from infection to infection. This makes it very hard to clas-sify or to detect. While the byte-sequence of two variants may be completely different, the core functionality of the malware has to stay the same. This includes the use of flags and constants that have to be consistent at specific points. We present a novel approach that allows us to detect meta-morphic variants. Based on this detection, it is also possible to classify new samples to a metamorphic family. Our ap-proach identifies variants by tracking the use of consistent values throughout the malware. Our evaluation shows a 100 % detection rate with 0 false positives for all metamor-phic samples that do not change their behavior. 1