Title: A General Paradigm for Normalizing Metamorphic Malwares
Authors: Seyed Emad Armoun, S. Hashemi
DOI: 10.1109/FIT.2012.69 (https://doi.org/10.1109/FIT.2012.69)
Venue: 2012 10th International Conference on Frontiers of Information Technology
Publication date: 2012-12-17
Citation count: 12 (Semantic Scholar)
A General Paradigm for Normalizing Metamorphic Malwares
Malware is today one of the most serious problems facing the computing community, and indeed society at large, given the spread of computer applications into every dimension of our lives. Malware is malicious code that can harm computer systems and disrupt their operation. To escape malware detectors, malware uses obfuscation methods to change its appearance. This problem cannot be solved with traditional malware detection methods, since they depend heavily on malware signatures. Normalization (de-obfuscation) methods have therefore been proposed to confront it. In this paper we propose a general malware normalizer that stores many obfuscation methods in the form of automata structures and uses them to normalize metamorphic malware. Each obfuscation method is modeled as an Augmented DFA (ADFA). The paradigm searches for occurrences of obfuscated code in the source code by traversing these ADFAs. If obfuscated code is detected, it is normalized in the next phase, so that the obfuscated malware is easily detected by traditional malware detectors. The main contribution of this paper is its high generality: it can normalize a wide range of obfuscation methods, whereas current methods are proposed to confront one or a limited set of obfuscation methods. The presented approach was developed and tested on a diverse set of malware, and the results are promising for detecting metamorphic malware.
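As an added illustration (not the paper's code), a toy Python normalizer in the spirit of the ADFA paradigm: each obfuscation model is a small DFA over instruction mnemonics, augmented, by assumption here, with a binding store for "$r" operand variables; an accepted sequence is rewritten to an assumed canonical form, and rewriting repeats to a fixpoint so nested junk sequences are peeled layer by layer. The instruction listings, the three models and their canonical forms are constructed for this example.

```python
# Added example, not the paper's code: "augmented" is assumed to mean an operand-binding store.
def parse(line):
    """'mov eax, ebx' -> ('mov', ['eax', 'ebx']); 'ret' -> ('ret', [])."""
    op, _, rest = line.strip().partition(" ")
    return op, [a.strip() for a in rest.split(",")] if rest else []

class ADFA:
    """One DFA state per instruction; a '$r' operand binds on first sight and must
    equal the bound value at every later state (the augmentation)."""
    def __init__(self, steps, replacement):
        self.steps, self.replacement = steps, replacement
    def match_at(self, insns, i):
        env = {}
        for k, (op, pats) in enumerate(self.steps):
            if i + k >= len(insns):
                return None
            aop, args = insns[i + k]
            if aop != op or len(args) != len(pats):
                return None                  # wrong mnemonic/arity: the DFA rejects
            for pat, arg in zip(pats, args):
                if pat.startswith("$"):
                    if env.setdefault(pat, arg) != arg:
                        return None          # binding conflict, e.g. push eax / pop ebx
                elif pat != arg:
                    return None
        return env                           # accepting state reached
    def emit(self, env):
        return [(op, [env.get(a, a) for a in args]) for op, args in self.replacement]

# Constructed obfuscation models with assumed canonical forms (not the paper's catalogue).
MODELS = [
    ADFA([("push", ["$r"]), ("pop", ["$r"])], []),          # push/pop junk pair: delete
    ADFA([("mov", ["$r", "$r"])], []),                      # self-move junk: delete
    ADFA([("xor", ["$r", "$r"])], [("mov", ["$r", "0"])]),  # zeroing idiom: canonical mov
]

def normalize(lines):
    """Rewrite until no ADFA accepts anywhere, so nested junk is peeled layer by layer."""
    insns = [parse(l) for l in lines if l.strip()]
    changed = True
    while changed:
        changed, out, i = False, [], 0
        while i < len(insns):
            for m in MODELS:
                env = m.match_at(insns, i)
                if env is not None:
                    out.extend(m.emit(env)); i += len(m.steps); changed = True
                    break
            else:
                out.append(insns[i]); i += 1
        insns = out
    return [op + (" " + ", ".join(a) if a else "") for op, a in insns]
```

A real normalizer would also have to consider whether flags or the stack pointer observed by later code are affected before deleting a sequence; the toy models above ignore that.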