Analysis of the Zero-Day Detection of Metamorphic Malware


Date

Journal Title

Journal ISSN

Volume Title

Publisher

Institute of Electrical and Electronics Engineers Inc.

Access Rights

info:eu-repo/semantics/closedAccess

Abstract

Metamorphic malware rewrites its own code with each new infection. The rewriting is carried out by a morphing engine that applies particular metamorphism techniques (for example dead-code insertion, instruction substitution and reordering), so that every metamorphic variant of the same malware carries a unique signature and signature-based detection fails. Behavioral analysis therefore becomes essential for detecting it. A behavioral detection model trained on samples from a specific morphing engine can detect new variants produced by that same engine, but such models often struggle with samples generated by a different morphing engine, i.e. zero-day metamorphic malware. This is an instance of the concept drift problem, which affects many classification and detection tasks: existing malware detectors tend to underperform when tested on a dataset that differs from the one they were trained on. In this study we examine this issue and evaluate candidate solutions for zero-day metamorphic malware detection using several static-analysis approaches combined with machine learning and deep learning techniques. We also include ransomware samples to show their contribution to metamorphic malware detection. Our experiments show that zero-day metamorphic malware can be detected effectively by a simple and efficient model built on opcode sequences. © 2025 Elsevier B.V., All rights reserved.
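The following Python sketch is an added illustration of the kind of opcode-sequence pipeline the abstract describes; it is not code or data from the paper or its authors. Two toy morphing engines, the opcode streams, the benign samples and the nearest-centroid classifier are all constructed here for the example (a real pipeline would take opcodes from a disassembler and use the paper's ML/DL models). The model is trained only on variants from engine A plus benign code, and is then asked to classify a variant from the unseen engine B, which is the zero-day case the abstract is about.

```python
"""Opcode n-gram detection of metamorphic variants: an added, self-contained
illustration. All opcode sequences, both toy morphing engines and the
nearest-centroid classifier are constructed for this example and are not
the paper's data or models."""
import hashlib
import math
from collections import Counter

# Constructed opcode stream of a malicious routine (a decrypt loop, then a call).
BASE = ["mov", "mov", "xor", "add", "cmp", "jne", "push", "call", "pop", "ret"]

# Constructed benign routines: compiler-style prologue/epilogue and calls.
BENIGN_TRAIN = [
    ["push", "mov", "sub", "mov", "call", "mov", "lea", "call", "add", "pop", "ret"],
    ["push", "mov", "mov", "lea", "call", "test", "je", "mov", "add", "pop", "ret"],
    ["mov", "lea", "call", "test", "je", "mov", "mov", "ret"],
]
BENIGN_TEST = ["push", "mov", "sub", "lea", "call", "mov", "add", "pop", "ret"]


def engine_a(seq, stride, zero_by_sub=False):
    """Toy morphing engine A (seen at training time): dead-code insertion
    (a nop after every `stride`-th instruction) and, optionally, the
    equivalent-instruction substitution xor r,r -> sub r,r."""
    out = []
    for i, op in enumerate(seq, 1):
        out.append("sub" if zero_by_sub and op == "xor" else op)
        if i % stride == 0:
            out.append("nop")
    return out


def engine_b(seq, junk_at):
    """Toy morphing engine B (never seen at training time, i.e. the
    'zero-day' engine): rewrites every mov as push/pop and splices an
    inc/dec junk pair in at position `junk_at`."""
    out = []
    for op in seq:
        out.extend(["push", "pop"] if op == "mov" else [op])
    out[junk_at:junk_at] = ["inc", "dec"]
    return out


def signature(seq):
    """Byte-exact hash of the opcode stream: what a signature scanner keys on."""
    return hashlib.sha256(" ".join(seq).encode()).hexdigest()


def opcode_ngrams(seq, n=2):
    """Bag of opcode n-grams (counts): the static feature the abstract relies on."""
    return Counter(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))


def cosine(a, b):
    """Cosine similarity between two sparse count vectors (Counters)."""
    dot = sum(v * b.get(k, 0) for k, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


class OpcodeCentroidClassifier:
    """Nearest-centroid over n-gram count vectors: a deliberately simple
    stand-in for the ML/DL models the paper evaluates."""

    def __init__(self, n=2):
        self.n = n
        self.centroids = {}

    def fit(self, labelled):
        for label, seq in labelled:
            self.centroids.setdefault(label, Counter()).update(opcode_ngrams(seq, self.n))
        return self

    def scores(self, seq):
        v = opcode_ngrams(seq, self.n)
        return {label: cosine(v, c) for label, c in self.centroids.items()}

    def predict(self, seq):
        s = self.scores(seq)
        return max(s, key=s.get)


def train_model():
    """Train on engine-A variants plus benign samples only; engine B is held out."""
    train = [("malware", engine_a(BASE, 2)), ("malware", engine_a(BASE, 3, zero_by_sub=True))]
    train += [("benign", s) for s in BENIGN_TRAIN]
    return OpcodeCentroidClassifier(n=2).fit(train)


if __name__ == "__main__":
    clf = train_model()
    zero_day = engine_b(BASE, 4)
    # Every variant hashes differently, so a signature scanner never sees engine B coming...
    variants = [BASE, engine_a(BASE, 2), engine_a(BASE, 3, zero_by_sub=True), zero_day]
    print(len({signature(s) for s in variants}), "distinct signatures for", len(variants), "variants")
    # ...but its opcode bigrams still sit closest to the malware centroid.
    print("engine B variant:", clf.predict(zero_day), clf.scores(zero_day))
    print("unseen benign   :", clf.predict(BENIGN_TEST), clf.scores(BENIGN_TEST))
```

The point the toy makes is the one in the abstract: engine B's variant shares no byte-level signature with anything in the training set, yet enough of its opcode bigrams (the cmp/jne loop test, the push/call, the call/pop) survive the substitution and junk insertion that it still lands nearer the malware centroid than the benign one. The same construction also shows the limit of the approach: a morphing engine that targets the n-gram distribution itself (heavier substitution, reordering across basic blocks) would shift the drift further, which is why the paper treats cross-engine evaluation as the real test rather than accuracy on the training engine.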

Description

9th International Conference on Computer Science and Engineering, UBMK 2024 -- Antalya -- 204906

Keywords

metamorphic malware, ransomware, static analysis, zero-day malware detection

Source

WoS Q Value

Scopus Q Value

Volume

Issue

Citation

Approval

Review

Added by

Referenced by