In the paper [182], real-world metamorphic generators are tested. All but one of the generators fail to produce any significant degree of metamorphism. Viruses from each of the weak generators are easily detected using standard signature techniques. However, one metamorphic generator, known as NGVCK, does produce highly metamorphic viruses, which successfully evade signature detection by commercial virus scanners. In spite of the high degree of metamorphism NGVCK viruses are relatively easy to detect using machine learning techniques, specifically, hidden Markov models [111].

a.These results tend to indicate that the hacker community has, with rare exception, failed to produce highly metamorphic malware. Why do you suppose this is the case?

b. It might seem somewhat surprising that the highly metamorphic NGVCK viruses can be detected. Provide a plausible explanation as to why these viruses can be detected.

As I stated above, Metamorphic malware is morphed not many times, but in many different ways. However, one engine typically follows a pattern to morph its malware. Therefore, if there has been code detected from the NGVCK engine once before, you can teach machine learning software to recognize the patterns its seen previously to determine where they might exist elsewhere or even how they might progress. If multiple engines worked effectively, and they all morphed code differently every time, it would be nearly impossible to detect.

Is it possible to produce undetectable metamorphic viruses? If so, how? If not, why not?