APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

2005/03/02 Oligomorphic, Polymorphic, Metamorphic Viruses


Some material is very old and may be incorrect today

© March 2005 Tony Lawrence

The war between virus writers and virus detectors has been a long one. Initially, viruses just had a constant pattern that, once the virus scanners knew about it, could be easily recognized.

Then virus writers made things more difficult by encrypting the payload. With a different encryption key, the encrypted bytes look different each time, which makes scanning harder. There was still unencrypted code that decrypted the actual virus so that it could run, so the virus scanners learned to zero in on that part of the code to recognize the virus.

And of course that was the end of the war, the virus writers gave up and we all lived happily ever after.

Yeah, right. The next stage was so-called Oligomorphic viruses, which have multiple sets of possible decryption code. So now you might have a hundred different patterns to look for.

That was bad enough, but the virus writers kept going and developed Polymorphic viruses. It's the same idea, but instead of perhaps hundreds of possible patterns, these viruses can create millions of different decryptor programs.

And then we have the Metamorphic group, where the virus payload itself is mutated from generation to generation. This is done by using different registers, inserting junk code (NOPs, or filler bytes that a jump simply skips over), and rearranging code segments. On machines where compilers are common (Linux, for example), this type of virus may even use the infected machine's own compiler to generate its next incarnation!

How do virus scanners deal with this mess? Well, one way is to let the virus decrypt itself using emulation and look for patterns in the result. But if the patterns are constantly different as they are in the Metamorphic type, how do you know what to look for? This is why the folks that do this kind of thing get paid well.
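To make the encryption and emulation points concrete, here is a toy illustration added to this post (it is not Tony's code and not real malware). A constructed byte pattern is XOR-encoded under different keys and prefixed with one of two constructed "decryptor stubs": a plain pattern scan misses every encoded sample, a stub scan catches the known stubs (the oligomorphic defence), and "emulating" the decryptor before scanning finds the pattern again.

```python
# Toy model of encrypted-payload scanning. Everything here is constructed for
# the demo: the "payload" is a harmless string and the "decryptor" is one XOR.
PAYLOAD = b"TOY-PAYLOAD-FOR-SCANNER-DEMO"   # constructed, not real code
SIGNATURE = b"PAYLOAD-FOR-SCANNER"          # the pattern a scanner keys on

# Two constructed decryptor variants (the oligomorphic idea: a handful of
# different stubs). Each stub is followed by one key byte, then the body.
STUBS = [b"\xde\xad\x01", b"\xbe\xef\x02"]


def make_sample(key: int, stub: bytes) -> bytes:
    """Build a sample: stub header, key byte, then the XOR-encoded body."""
    if not 1 <= key <= 255:
        raise ValueError("use a non-zero single-byte key")
    body = bytes(b ^ key for b in PAYLOAD)
    return stub + bytes([key]) + body


def static_scan(sample: bytes) -> bool:
    """Classic pattern scan: look for the signature in the raw bytes."""
    return SIGNATURE in sample


def stub_scan(sample: bytes) -> bool:
    """Scan for the constant part: any of the known decryptor stubs."""
    return any(sample.startswith(s) for s in STUBS)


def emulate_and_scan(sample: bytes) -> bool:
    """Let the sample 'decrypt itself' (here: reverse the XOR the stub
    implies), then pattern-scan the result instead of the raw bytes."""
    for s in STUBS:
        if sample.startswith(s) and len(sample) > len(s):
            key = sample[len(s)]
            decoded = bytes(b ^ key for b in sample[len(s) + 1:])
            return SIGNATURE in decoded
    return False


if __name__ == "__main__":
    for key, stub in ((0x5A, STUBS[0]), (0x37, STUBS[1])):
        sample = make_sample(key, stub)
        print(f"key={key:#04x} static={static_scan(sample)} "
              f"stub={stub_scan(sample)} emulated={emulate_and_scan(sample)}")
```

Different keys give different sample bytes, so the static scan fails on all of them; the stub scan only works as long as the list of stubs stays small, which is exactly what polymorphic decryptors defeat.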

Read The Art of Virus Research and Defense for more.

