Metamorphic Malware and Obfuscation: A Survey of Techniques, Variants, and Generation Kits

<table class="table-group" id="tab3"><tr><td><table class="table"><tr><td class="thead-hr" colspan="3"><hr/></td></tr><tr class="thead"><td class="align_left"> </td><td class="align_center">Opcode</td><td class="align_center">After obfuscation</td></tr><tr><td class="thead-hr" colspan="3"><hr/></td></tr><tr><td class="align_left" rowspan="2">Version 1</td><td class="align_center">C7060F000055</td><td class="align_center">mov dword ptr [esi], 5500000Fh</td></tr><tr><td class="align_center">C746048BEC5151</td><td class="align_center">mov dword ptr [esi + 0004], 5151EC8Bh</td></tr><tr><td class="align_left" colspan="3"><hr/></td></tr><tr><td class="align_left" rowspan="9">Version 2</td><td class="align_center">BF0F000055</td><td class="align_center">mov edi, 5500000Fh</td></tr><tr><td class="align_center">893E</td><td class="align_center">mov [esi], edi</td></tr><tr><td class="align_center">5F</td><td class="align_center">pop edi</td></tr><tr><td class="align_center">52</td><td class="align_center">push edx</td></tr><tr><td class="align_center">B640</td><td class="align_center">mov dh, 40</td></tr><tr><td class="align_center">BA8BEC5151</td><td class="align_center">mov edx, 5151EC8Bh</td></tr><tr><td class="align_center">53</td><td class="align_center">push ebx</td></tr><tr><td class="align_center">8BDA</td><td class="align_center">mov ebx, edx</td></tr><tr><td class="align_center">895E04</td><td class="align_center">mov [esi + 0004], ebx</td></tr><tr><td class="align_left" colspan="3"><hr/></td></tr><tr><td class="align_left" rowspan="7">Version 3</td><td class="align_center">BB0F000055</td><td class="align_center">mov ebx, 5500000Fh</td></tr><tr><td class="align_center">891E</td><td class="align_center">mov [esi], ebx</td></tr><tr><td class="align_center">5B</td><td class="align_center">pop ebx</td></tr><tr><td class="align_center">51</td><td class="align_center">push ecx</td></tr><tr><td class="align_center">B9CB00C05F</td><td class="align_center">mov ecx, 5FC000CBh</td></tr><tr><td class="align_center">81C1C0EB91F1</td><td class="align_center">add ecx, F191EBC0h; ecx = 5151EC8Bh</td></tr><tr><td class="align_center">894E04</td><td class="align_center">mov [esi + 0004], ecx</td></tr><tr class="table-tr"><td colspan="3"><hr class="tbody-hr"/></td></tr></table></td></tr></table>

<div>Three versions of the E32/Evol virus following obfuscation through garbage code insertion and encryption. Retrieved from [<a href="/journals/scn/2023/8227751/#B43" target="_blank">43</a>].</div>

Security and Communication Networks

tab3

Table 3

Table 3: Metamorphic Malware and Obfuscation: A Survey of Techniques, Variants, and Generation Kits 