In recent years, authors of malicious software (“malware”) have attempted to proliferate malware by generating thousands or potentially millions of variations of a malicious file. For example, a malware author may create a unique version of a malicious file for each intended target by repacking (i.e., compressing, encrypting, and/or otherwise obfuscating) the file on a server before distributing it. The malware author may even automate this process using a polymorphic packer and/or obfuscator engine. Unfortunately, because many existing antivirus technologies detect malware by detecting or identifying unique digital signatures or fingerprints associated with known-malicious files, malware authors may avoid detection by distributing only new (i.e., unique), repacked versions of malicious files.
In order to detect whether an executable file is a sample of a polymorphic malware strain, antivirus vendors may create detection routines for decrypting portions of the executable file and locating one or more signatures of the polymorphic malware strain in the decrypted data. Since the application of such detection routines may be computationally expensive, antivirus engineers may also hand-code initial detection routines for filtering out executable files that are unlikely to represent variants of a polymorphic malware strain. Unfortunately, a polymorphic packer engine may subsequently generate a variant of a polymorphic malware strain that the initial detection routine miscategorizes, requiring antivirus engineers to spend time rehabilitating or rewriting the initial detection routine. Accordingly, the instant disclosure identifies a need for additional and improved systems and methods for identifying polymorphic malware.
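As an added illustration, not part of the disclosure, the following Python models the two-stage arrangement described above: a cheap hand-coded prefilter (byte entropy) gates an expensive decrypt-and-scan routine. The strain marker, the single-byte XOR "packer" and the samples are all constructed here; the zero-padded variant shows how a repacked sample the full routine would catch can be miscategorized by the prefilter.

```python
import math
from typing import Optional

# Constructed values (not from the disclosure): plaintext marker of a
# hypothetical strain, and a trivial single-byte XOR packer.
STRAIN_SIGNATURE = b"EVIL-STRAIN-MARKER"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed/encrypted regions usually score near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def cheap_prefilter(sample: bytes, threshold: float = 6.0) -> bool:
    """Hand-coded initial routine: assume only high-entropy files can be
    packed variants, so only those reach the expensive stage."""
    return shannon_entropy(sample) >= threshold


def full_detection(sample: bytes) -> Optional[int]:
    """Expensive routine: try every single-byte XOR key and look for the
    strain's plaintext signature. Returns the recovered key, or None."""
    for key in range(256):
        decoded = bytes(b ^ key for b in sample)
        if STRAIN_SIGNATURE in decoded:
            return key
    return None


def classify(sample: bytes) -> str:
    """Two-stage pipeline: prefilter first, full routine only if it passes."""
    if not cheap_prefilter(sample):
        return "clean (filtered)"
    return "malicious" if full_detection(sample) is not None else "clean"


def pack(payload: bytes, key: int) -> bytes:
    """Constructed polymorphic 'packer': XOR every byte with one key."""
    return bytes(b ^ key for b in payload)


# Variant 1: marker plus high-entropy filler, packed with key 0x5A.
HIGH_ENTROPY_VARIANT = pack(STRAIN_SIGNATURE + bytes(range(256)) * 4, 0x5A)
# Variant 2: same marker, but the packer pads with zero bytes, so the packed
# file is mostly 0x5A and its entropy falls under the prefilter threshold.
LOW_ENTROPY_VARIANT = pack(STRAIN_SIGNATURE + b"\x00" * 2000, 0x5A)

if __name__ == "__main__":
    print(classify(HIGH_ENTROPY_VARIANT))  # malicious
    print(classify(LOW_ENTROPY_VARIANT))   # clean (filtered): a miss
```

The second variant is a false negative of the prefilter alone, which is exactly the case that forces the initial routine to be rewritten.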