2005/03/02 Oligomorphic, Polymorphic, Metamorphic Viruses
The war between virus writers and virus detectors has been a long
one. Initially, viruses just had a constant pattern that, once
the virus scanners knew about it, could be easily recognized.
Then virus writers made things more difficult by encrypting the
payload. That meant that the encrypted
bytes would look different with each different encryption
key, making virus scanning more difficult. But there was
still an unencrypted piece of code that decrypted the
actual virus so that it could run, so the virus scanners learned
to zero in on that part of the code to recognize the virus.
And of course that was the end of the war, the virus writers gave up
and we all lived happily ever after.
Yeah, right. The next stage was so-called Oligomorphic
viruses, which have multiple sets of possible decryption code.
So now you might have a hundred different patterns to
That was bad enough, but the virus writers kept going and developed
Polymorphic viruses. It's the same idea, but instead of perhaps
hundreds of possible patterns, these viruses can create millions
of different decryptor programs.
And then we have the Metamorphic group, where the virus payload
itself is mutated from generation to generation. This is done by
using different registers, inserting junk code (NOPs, or code that
is simply jumped over), and rearranging code segments. On machines
where compilers are common (Linux, for example), this type of
virus may even use the infected machine's own compiler to
generate its next incarnation!
How do virus scanners deal with this mess? Well, one way is
to let the virus decrypt itself using emulation and look
for patterns in the result. But if the patterns are constantly
different as they are in the Metamorphic type, how do you
know what to look for? This is why the folks that do this kind of
thing get paid well.
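As an added illustration (not code from the original article), here is a toy model of the encryption stage and of the emulation approach just described: the same constant body is stored under several decryptor variants and keys, a byte-pattern scan of the stored image fails, and a scanner that first runs the decryptor recovers the constant body and matches it. The mini-ISA, the function names and the sample bytes are all constructed for this example, not real machine code.

```python
from itertools import cycle

# Constant virus body the scanner has a signature for (constructed sample bytes).
BODY = b"MARKER:hello-world-payload"
SIGNATURE = b"MARKER:"

# Constructed mini-ISA for decryptor stubs: each stub is a list of per-byte
# ops. Different op lists model the oligomorphic set of decryptor variants;
# different keys model the polymorphic spread within one variant.
INVERSE = {"xor": "xor", "add": "sub", "rol": "ror"}

def encode(body, ops, key):
    """Build the stored image: (stub ops, key, transformed body)."""
    out = bytearray()
    for b, k in zip(body, cycle(key)):
        for op in ops:
            if op == "xor":
                b ^= k
            elif op == "add":
                b = (b + k) & 0xFF
            elif op == "rol":
                b = ((b << 1) | (b >> 7)) & 0xFF
        out.append(b)
    return ops, key, bytes(out)

def emulate(ops, key, data):
    """Run the stub's inverse over the body, as a scanner's emulator would
    let the sample decrypt itself before looking at the result."""
    out = bytearray()
    for b, k in zip(data, cycle(key)):
        for op in reversed(ops):
            inv = INVERSE[op]
            if inv == "xor":
                b ^= k
            elif inv == "sub":
                b = (b - k) & 0xFF
            elif inv == "ror":
                b = ((b >> 1) | ((b & 1) << 7)) & 0xFF
        out.append(b)
    return bytes(out)

def static_scan(image):
    """Naive scanner: match the signature against the bytes as stored."""
    return SIGNATURE in image[2]

def emulating_scan(image):
    """Scanner that emulates the decryptor first, then matches the signature."""
    ops, key, data = image
    return SIGNATURE in emulate(ops, key, data)
```

The metamorphic case is deliberately not modelled here: once the body itself changes every generation, there is no constant image for the emulator to recover, which is exactly the problem the article ends on.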
Read The Art of Virus Research and Defense for more.
© 2009-11-07 Tony Lawrence