Malware creators are continually looking for new methods to evade malware detection engines. A popular evasion method is malicious code obfuscation, which changes the syntax of the code while preserving its execution semantics. If a malware signature relies on the syntactic features of the malicious code, it can be evaded by obfuscation techniques. In this paper, we propose a novel approach to the development of evasion-resistant malware signatures. The idea is that the signature is based on the malware's execution profile, extracted from the OS kernel data structure objects, rather than on syntactic information. As a result, the signature is more resistant to malware obfuscation techniques and more reliable at detecting variants of the malicious code.
To evaluate the effectiveness of the proposed approach, a prototype signature generation tool called SigGENE was developed. The effectiveness of signatures generated by SigGENE was evaluated using an experimental rootkit-simulation tool that employs obfuscation techniques commonly found in rootkits. In further experiments, different syntactic variants of the same real-world malware were used to verify the real-world applicability of the proposed approach. The experiments show that the proposed approach is effective not only in generating signatures that detect malware and its variants, but also in producing execution profiles that can be used to characterize different malicious attacks.
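The contrast the abstract draws, a signature over code syntax versus one over the kernel-object accesses the code performs, is illustrated below with an added toy example. It is not SigGENE's code and does not reproduce the paper's profile extraction: the "program" is a constructed list of (opcode, operand) pairs, kernel data structure accesses are modelled as an invented `kobj` instruction with made-up object names, and the obfuscator applies only semantics-preserving rewrites (register renaming, an equivalent instruction substitution, NOP insertion). The point it shows is that those rewrites change the text hash but leave the ordered access profile, and hence a profile-based signature, unchanged.

```python
import hashlib
import random

# Constructed toy program: (opcode, operand) pairs. The invented opcode "kobj"
# stands for an access to an OS kernel data structure object, with operand
# "<object type>:<access>". Object names and register names are made up.
MALWARE = [
    ("mov", "r1, 1"),
    ("kobj", "Process:read"),
    ("xor", "r2, r2"),
    ("kobj", "Driver:write"),
    ("add", "r1, r2"),
    ("kobj", "Process:write"),
    ("ret", ""),
]

# Constructed benign program with a different kernel-object access pattern.
BENIGN = [
    ("mov", "r1, 1"),
    ("kobj", "File:read"),
    ("kobj", "Process:read"),
    ("ret", ""),
]


def syntactic_signature(program):
    """Hash of the instruction text, i.e. what a byte-pattern engine keys on."""
    text = ";".join(f"{op} {arg}".strip() for op, arg in program)
    return hashlib.sha256(text.encode()).hexdigest()


def execution_profile(program):
    """Ordered kernel-object accesses only. Register arithmetic, NOPs and
    register naming are dropped, so a semantics-preserving rewrite of the
    surrounding code leaves the profile intact."""
    return tuple(arg for op, arg in program if op == "kobj")


def profile_signature(program):
    """Hash of the execution profile rather than of the code text."""
    return hashlib.sha256("|".join(execution_profile(program)).encode()).hexdigest()


def obfuscate(program, seed=0):
    """Toy semantics-preserving obfuscation: rename registers, replace
    'xor rN, rN' with the equivalent 'mov rN, 0', and insert NOPs at random.
    Kernel-object accesses are left exactly as they are."""
    rng = random.Random(seed)
    renames = {"r1": "r7", "r2": "r9"}
    out = []
    for op, arg in program:
        if op == "xor":
            dst, src = arg.split(", ")
            if dst == src:
                op, arg = "mov", f"{dst}, 0"
        if op != "kobj":
            for old, new in renames.items():
                arg = arg.replace(old, new)
        if rng.random() < 0.5:
            out.append(("nop", ""))
        out.append((op, arg))
    return out


def detect(sample, sig_syntactic, sig_profile):
    """Report which kind of signature matches the sample."""
    return {
        "syntactic": syntactic_signature(sample) == sig_syntactic,
        "profile": profile_signature(sample) == sig_profile,
    }


if __name__ == "__main__":
    sig_syn = syntactic_signature(MALWARE)
    sig_prof = profile_signature(MALWARE)
    print("original  :", detect(MALWARE, sig_syn, sig_prof))
    print("obfuscated:", detect(obfuscate(MALWARE), sig_syn, sig_prof))
    print("benign    :", detect(BENIGN, sig_syn, sig_prof))
```

Running it shows the syntactic signature matching only the unmodified sample, while the profile signature matches both the original and every obfuscated variant and rejects the benign program. In practice the profile would come from observing the kernel objects a sample actually touches at run time, and a real engine would compare profiles more loosely than by exact hash; the toy keeps exact matching so the effect of obfuscation on each signature kind is unambiguous.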