DocumentCode :
1753599
Title :
Metaware — An extensible malware detection and removal toolkit
Author :
Yee, Chan Lee ; Chuan, Lee Ling ; Ismail, Mahamod ; Jumari, Kasmiran
Author_Institution :
Dept. of Electr., Electron. & Syst. Eng., Univ. Kebangsaan Malaysia, Bangi, Malaysia
fYear :
2011
fDate :
13-16 Feb. 2011
Firstpage :
996
Lastpage :
1000
Abstract :
Malicious code is a threat to computer security globally. The threat keeps evolving and challenges security specialists to improve detection accuracy. Hence, it is imperative to optimize the traditional manual analysis method with an automatic malicious code analysis system. Automatic protocol reverse-engineering is important for many security applications, including the verification of objects and the detection of malware. In this paper, we propose a new approach to computer security via automated malware analysis. This project uses a combination of auto-unpacking, heuristic, disassembler and emulator techniques to find and block a malicious program before the malicious software is executed locally. The auto-unpacker contains self-decryption algorithms, where the script code helps to quickly decipher script bodies for further analysis. Heuristic analysis is designed to analyze the disassembled code contained within a suspicious program. The disassembled code of the suspicious file is compared with a known virus signature database; if it matches the code of a database signature, the file is flagged. The emulator is designed to scan code, imitate the way it executes, and monitor its actions, preventing any actual damage from being dealt to the computer system or user data. Verdicts on whether or not a program poses a threat are issued based on the results of the behaviour analysis. The emulator makes it possible to find malicious code that is intentionally masked to prevent detection using encryption and obfuscation. Overall, we present our motivation for designing the system and give an overview of the system architecture.
Keywords :
invasive software; learning (artificial intelligence); auto-unpacked technique; automatic malicious code analysis system; computer security; disassembler technique; emulator technique; heuristic technique; malware detection toolkit; malware removal toolkit; metaware toolkit; protocol reverse engineering; Databases; Emulation; Malware; Registers; Reverse engineering; Software; Viruses (medical); Computer System Security; Disassembler; Emulator; Malware Reverse Engineering; Virus Detection;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Advanced Communication Technology (ICACT), 2011 13th International Conference on
Conference_Location :
Seoul
ISSN :
1738-9445
Print_ISBN :
978-1-4244-8830-8
Type :
conf
Filename :
5745976