Title :
Lightweight Static Analysis to Detect Polymorphic Exploit Code with Static Analysis Resistant Technique
Author :
Kim, Daewon ; Kim, Ikkyun ; Oh, Jintae ; Cho, Hyunsook
Author_Institution :
Inf. Security Res. Div., Electron. & Telecommun. Res. Inst. in Korea, South Korea
Abstract :
The general method by which attackers obtain control of a remote host is the exploit code. As network security systems have deployed signatures for known exploits, they have reduced the damage caused by the spread and recurrence of those exploits. However, to evade signature-based detection, exploits employing techniques such as polymorphism and metamorphism have become more prevalent. Polymorphism in particular calls for more active study, because many automation engines allow attackers to produce varied exploits easily, even without special knowledge. We present a new static analysis method for detecting the decryption routine of polymorphic exploit code. Most decryption routines store the program counter value of the remote host on the stack and use that value as the address for accessing the memory in which the encrypted original code is located. The proposed method traces the processing steps of the decryption routine using static analysis. In our experiments, the proposed method detects polymorphic exploit code that uses static-analysis-resistant techniques, and shows better processing performance than the emulation-based method.
Keywords :
codes; cryptography; invasive software; polymorphism; telecommunication security; decryption; lightweight static analysis; metamorphism; network security; polymorphic exploit code; static analysis resistant technique; Automation; Communications Society; Counting circuits; Cryptography; Emulation; Engines; Information analysis; Information security; Payloads; Performance analysis;
Conference_Title :
Communications, 2009. ICC '09. IEEE International Conference on
Conference_Location :
Dresden
Print_ISBN :
978-1-4244-3435-0
Electronic_ISBN :
1938-1883
DOI :
10.1109/ICC.2009.5199134