  • DocumentCode
    1968179
  • Title
    Disassembled code analyzer for malware (DCAM)
  • Author
    Sulaiman, A. ; Ramamoorthy, K. ; Mukkamala, S. ; Sung, A.H.
  • Author_Institution
    Dept. of Comput. Sci., New Mexico Tech., NM, USA
  • fYear
    2005
  • fDate
    15-17 Aug. 2005
  • Firstpage
    398
  • Lastpage
    403
  • Abstract
    Current static malware detection techniques have serious limitations. Little modifications can result in a new strand of malware that escapes. In this paper, we present a static detection technique using disassembly of a malware emphasizing the recognition of variants of a malware in its signature set. The hypothesis is that all variants share a common core signature that is a combination of several features of the code. In addition to malware, spyware and adware are also analyzed to find the similar features. A previously identified malware can be analyzed to extract the signature, which will then be used to recognize its variants. Since this technique uses disassembled code, it can be used on any operating system. Encouraging experimental results on a set of malware are presented. Since the existence of spyware and adware is increasing, an analysis on how this technique can be extended to detect spyware is also presented.
  • Keywords
    digital signatures; invasive software; adware; disassembled code analyzer for malware; malware detection techniques; spyware; Assembly; Computer science; Computer worms; Control systems; Internet; Law; Legal factors; Operating systems; Payloads; Viruses (medical);
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Information Reuse and Integration, Conf, 2005. IRI-2005 IEEE International Conference on.
  • Print_ISBN
    0-7803-9093-8
  • Type
    conf
  • DOI
    10.1109/IRI-05.2005.1506506
  • Filename
    1506506