2005/03/02 Oligomorphic, Polymorphic, Metamorphic Viruses

The war between virus writers and virus detectors has been a long one. Initially a virus carried the same bytes in every infection, so once the virus scanners knew that constant pattern (its signature) it could be easily recognized.

Then virus writers made things more difficult by encrypting the payload. With a different encryption key in each infection the encrypted bytes look different every time, so a signature taken from the virus body no longer matches. There still had to be a small piece of unencrypted code that decrypted the actual virus so that it could run, and that decryptor was the same every time, so the virus scanners learned to zero in on that part of the code to recognize the virus.

And of course that was the end of the war, the virus writers gave up and we all lived happily ever after.

Yeah, right. The next stage was so-called Oligomorphic viruses, which carry a small number of alternative decryptors and pick one for each infection. So now you might have a hundred different patterns to look for instead of one.

That was bad enough, but the virus writers kept going and developed Polymorphic viruses. It's the same idea, but instead of perhaps hundreds of possible patterns, a mutation engine generates a fresh decryptor for every infection (different registers, reordered instructions, junk in between), so these viruses can create millions of different decryptor programs. The one thing that stays constant is the virus body that appears once the decryptor has done its work.

And then we have the Metamorphic group, where the virus payload itself is mutated from generation to generation. This is done by using different registers, inserting junk code (NOPs, or garbage that is simply jumped over), swapping instructions for equivalent ones, and rearranging code blocks. Since the body itself changes, it does not even need to be encrypted, and so there is no constant decrypted form to wait for. On machines where compilers are common (Linux, for example), this type of virus may even use the infected machine's own compiler to generate its next incarnation!

How do virus scanners deal with this mess? Well, one way is to run the suspect code in an emulator (for a bounded number of instructions, so a runaway sample can't hang the scanner), let the virus decrypt itself, and then look for patterns in the result. That handles the encrypted, Oligomorphic and Polymorphic cases, because underneath the varying decryptor the body is always the same. But if the patterns are constantly different as they are in the Metamorphic type, how do you know what to look for? This is why the folks that do this kind of thing get paid well.
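To make the progression concrete, here is an added, constructed example (not code from the original post, and a toy rather than any real virus): a tiny byte-coded machine, a made-up "virus body", a constant decryptor stub, a polymorphic decryptor generator (register renaming, reordered setup instructions, junk between instructions) and three scanners. A signature on the plain body misses every encrypted sample; a signature on the constant stub catches the encrypted-only stage but not the polymorphic one; the emulating scanner catches both, because it lets each sample decrypt itself and then looks at memory. Every opcode, payload byte and signature below is invented for illustration.

```python
"""Toy model of the encrypted -> polymorphic progression and of emulation-based
detection.  Everything here is constructed for the example: the byte-coded ISA,
the 'virus body', the signatures and the scanners."""
import random

# Constructed ISA: an opcode byte followed by register / immediate bytes.
NOP, MOV, XORM, INC, DEC, JNZ, JMP, HALT = 0x90, 0x10, 0x20, 0x30, 0x31, 0x40, 0x41, 0xFF

BODY = bytes([0xDE, 0xAD, 0xBE, 0xEF, 0x42, 0x13, 0x37, 0x00, 0x77, 0x21])  # constructed "payload"
BODY_SIG = BODY[:4]          # the signature a scanner would hold for the plain body


def s8(b):
    """Interpret a byte as a signed 8-bit branch displacement."""
    return b - 256 if b > 127 else b


def encrypt(body, key):
    return bytes(b ^ key for b in body)


def build_decryptor(key, length, regs=(0, 1, 2), fillers=None, order=(0, 1, 2)):
    """Emit a decryptor: three setup MOVs, a loop XORing `length` bytes with the
    key, then HALT.  regs = (pointer, key, counter) registers; fillers = seven junk
    chunks placed between instructions (all empty gives the canonical stub);
    order = a permutation of the three independent setup MOVs."""
    ptr, keyr, cnt = regs
    f = fillers or [b""] * 7

    def assemble(body_start):
        setup = [bytes([MOV, ptr, body_start]), bytes([MOV, keyr, key]), bytes([MOV, cnt, length])]
        code = b"".join(setup[i] + f[n] for n, i in enumerate(order))
        loop = bytes([XORM, ptr, keyr]) + f[3] + bytes([INC, ptr]) + f[4] + bytes([DEC, cnt]) + f[5]
        loop += bytes([JNZ, cnt, (-(len(loop) + 3)) & 0xFF])   # back-edge over loop + this JNZ
        return code + loop + f[6] + bytes([HALT])

    # The body follows the stub; the stub's length does not depend on body_start.
    return assemble(len(assemble(0)))


def junk(rng, spare):
    """Filler that leaves the loop's registers alone: nothing, a NOP, a dead store
    into the unused register, or a jump over two garbage bytes."""
    kind = rng.randrange(4)
    if kind == 0:
        return b""
    if kind == 1:
        return bytes([NOP])
    if kind == 2:
        return bytes([MOV, spare, rng.randrange(256)])
    return bytes([JMP, 2, rng.randrange(256), rng.randrange(256)])


def infect_encrypted(rng, key=None):
    """Encrypted stage: random key, but the same decryptor stub every generation."""
    key = rng.randrange(1, 256) if key is None else key
    return build_decryptor(key, len(BODY)) + encrypt(BODY, key)


def infect_polymorphic(rng, key=None):
    """Polymorphic stage: random key *and* a freshly generated decryptor each time."""
    key = rng.randrange(1, 256) if key is None else key
    regs = rng.sample(range(4), 3)
    spare = ({0, 1, 2, 3} - set(regs)).pop()
    fillers = [junk(rng, spare) for _ in range(7)]
    return build_decryptor(key, len(BODY), regs, fillers, rng.sample(range(3), 3)) + encrypt(BODY, key)


# Signature for the constant stub: everything after the key byte (index 5) is fixed.
STUB_SIG = build_decryptor(0, len(BODY))[6:]


def emulate(image, max_steps=10_000):
    """Run the image in a sandboxed VM and return memory afterwards, so the sample
    decrypts itself for us.  Step-bounded so a runaway sample cannot hang the scanner."""
    mem, regs, pc = bytearray(image), [0] * 4, 0
    for _ in range(max_steps):
        if pc >= len(mem) or mem[pc] == HALT:
            break
        op = mem[pc]
        if op == NOP:
            pc += 1
        elif op == MOV:
            regs[mem[pc + 1]] = mem[pc + 2]; pc += 3
        elif op == XORM:
            mem[regs[mem[pc + 1]]] ^= regs[mem[pc + 2]]; pc += 3
        elif op in (INC, DEC):
            r = mem[pc + 1]; regs[r] = (regs[r] + (1 if op == INC else -1)) & 0xFF; pc += 2
        elif op == JMP:
            pc += 2 + s8(mem[pc + 1])
        elif op == JNZ:
            cond, rel = regs[mem[pc + 1]], s8(mem[pc + 2]); pc += 3
            if cond:
                pc += rel
        else:
            break                        # unknown opcode: stop, never run into garbage
    return bytes(mem)


def body_scan(image):      return BODY_SIG in image
def stub_scan(image):      return STUB_SIG in image
def emulation_scan(image): return BODY_SIG in emulate(image)


def demo(n=50, seed=2005):
    """Detections per scanner over n generations of each stage: (encrypted, polymorphic)."""
    rng = random.Random(seed)
    enc = [infect_encrypted(rng) for _ in range(n)]
    poly = [infect_polymorphic(rng) for _ in range(n)]
    return {
        "body_sig":  (sum(map(body_scan, enc)),      sum(map(body_scan, poly))),
        "stub_sig":  (sum(map(stub_scan, enc)),      sum(map(stub_scan, poly))),
        "emulation": (sum(map(emulation_scan, enc)), sum(map(emulation_scan, poly))),
        # how many distinct stubs each engine produces for ONE fixed key
        "distinct_stubs_same_key": (
            len({infect_encrypted(rng, 0x5A)[:-len(BODY)] for _ in range(n)}),
            len({infect_polymorphic(rng, 0x5A)[:-len(BODY)] for _ in range(n)})),
    }


if __name__ == "__main__":
    for name, (encrypted, polymorphic) in demo().items():
        print(f"{name:24s} encrypted={encrypted:3d}  polymorphic={polymorphic:3d}")
```

An Oligomorphic engine in this model is simply `infect_polymorphic` restricted to a handful of pre-chosen register/filler combinations, which is why a few hundred stub signatures still cover it. Note what the emulator does not help with: a Metamorphic body has no fixed `BODY_SIG` to look for after decryption, so the last scanner above gains nothing there.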

Read Peter Szor's The Art of Computer Virus Research and Defense for more.
