Are Current Antivirus Programs Able to Detect Complex Metamorphic Malware? An Empirical Evaluation
Source: Supélec
In this paper, the authors present the design of a metamorphic engine representing a type of hurdle that antivirus systems need to get over in their fight against malware. First, they describe the two steps of the engine's replication process: obfuscation and modeling. Then, they apply this engine to a real worm to evaluate the detection capabilities of current antivirus products. This assessment leads to a classification of detection tools, based on their observable behavior, into two main categories. The first, relying on static detection techniques, shows low detection rates obtained by heuristic analysis. The second, composed of dynamic detection programs, focuses only on elementary suspicious actions.
| Size: | 941.00 |
| Date: | Mar 2009 |



