We have developed a value set analysis that tracks the possible values of program variables along the dataflow graph and through computations. The over-approximation of specific value sets is suitable for characterizing metamorphic malware families. We have tested different schemes both for finding characteristic value sets and for matching them to identify infected files, using a multidimensional sensitivity analysis. We have presented results of 100% detection with 0 false positives.
At Caro, we would like to present that our approach is also suitable for the classification of metamorphic malware, and to present performance data with respect to computation time. While the results in were based on a small set of only 50 files per family, more than 4000 files were used to evaluate whether the characteristic sets are unique to each family. Again, a perfect clustering of all considered families was observed: all members of each family were identified, while the other families lacked the characteristic value sets.
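The following is an added, illustrative example (not the authors' implementation) of the two ideas above: a tiny value set analysis that propagates sets of possible constants through a straight-line register program with widening to an over-approximated "any value", and a classifier that derives characteristic value sets per family and matches a new sample against them. The instruction format, the 32-bit arithmetic, the widening bound and the constructed sample programs are all assumptions made for this example.

```python
from itertools import product

TOP = None      # over-approximation marker: "any value"
MAX_SET = 8     # assumed widening bound: a set larger than this collapses to TOP
MASK = 0xFFFFFFFF

def widen(values):
    return TOP if values is TOP or len(values) > MAX_SET else frozenset(values)

def apply(op, a, b):
    """Propagate two value sets through a binary operation (32-bit arithmetic)."""
    if a is TOP or b is TOP:
        return TOP
    fns = {"add": lambda x, y: (x + y) & MASK, "xor": lambda x, y: x ^ y,
           "mul": lambda x, y: (x * y) & MASK}
    return widen({fns[op](x, y) for x, y in product(a, b)})

def analyze(program):
    """program: list of (op, dst, src1, src2) over named registers; 'mov' copies an int
    constant or a register, 'phi' joins two values at a control-flow merge point.
    Returns every finite value set with more than one element reached during analysis."""
    env, observed = {}, set()
    for op, dst, s1, s2 in program:
        if op == "mov":
            env[dst] = frozenset({s1}) if isinstance(s1, int) else env.get(s1, TOP)
        elif op == "phi":
            x, y = env.get(s1, TOP), env.get(s2, TOP)
            env[dst] = TOP if x is TOP or y is TOP else widen(x | y)
        else:
            env[dst] = apply(op, env.get(s1, TOP), env.get(s2, TOP))
        if env[dst] is not TOP and len(env[dst]) > 1:
            observed.add(env[dst])
    return observed

def characteristic_sets(families):
    """families: {name: [observed sets of each sample]}. A value set is characteristic of
    a family if every sample of that family reaches it and no sample of any other does."""
    result = {}
    for name, samples in families.items():
        common = set.intersection(*samples)
        others = set().union(*(s for n, ss in families.items() if n != name for s in ss))
        result[name] = common - others
    return result

def classify(observed, char_sets):
    """Families whose characteristic sets all appear in the analysed file."""
    return sorted(n for n, cs in char_sets.items() if cs and cs <= observed)

# Constructed samples: two metamorphic variants of family A (same computation, different
# registers plus a junk add of 0) and one sample of family B that differs in one step.
A1 = [("mov", "r0", 3, None), ("mov", "r1", 5, None), ("phi", "r2", "r0", "r1"),
      ("mov", "r3", 7, None), ("add", "r4", "r2", "r3")]
A2 = [("mov", "r5", 5, None), ("mov", "r6", 3, None), ("phi", "r7", "r5", "r6"),
      ("mov", "r8", 0, None), ("add", "r9", "r7", "r8"), ("mov", "r1", 7, None),
      ("add", "r2", "r9", "r1")]
B1 = [("mov", "r0", 3, None), ("mov", "r1", 5, None), ("phi", "r2", "r0", "r1"),
      ("mov", "r3", 2, None), ("mul", "r4", "r2", "r3")]

def demo():
    char = characteristic_sets({"A": [analyze(A1), analyze(A2)], "B": [analyze(B1)]})
    return char, classify(analyze(A2), char), classify(analyze(B1), char)
```

The shared set {3, 5} is reached by both families and is therefore not characteristic of either; only the family-specific downstream sets ({10, 12} for A, {6, 10} for B) are used for matching.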