The war between virus writers and virus detectors has been a long one. Initially, viruses just had a constant pattern that, once the virus scanners knew about it, could be easily recognized.
Then virus writers made things more difficult by encrypting the payload. That meant that the encrypted bytes would look different with the use of different encryption keys, making the virus scanning more difficult. There was still unencrypted code that decrypted the actual virus so that it could run, so the virus scanners learned to zone in on that part of the code to recognize the virus.
And of course that was the end of the war, the virus writers gave up and we all lived happily ever after.
Yeah, right. The next stage was so-called Oligomorphic viruses, which have multiple sets of possible decryption code. So now you might have a hundred different patterns to look for.
That was bad enough, but the virus writers kept going and developed Polymorphic viruses. It's the same idea, but instead of perhaps hundreds of possible patterns, these viruses can create millions of different decryptor programs.
And then we have the Metamorphic group, where the virus payload itself is mutated from generation to generation. This is done by using different registers, inserting junk code (NOP's or just jump over it), and rearranging code segments. On machines where compilers are common (Linux, for example), this type of virus may even use the infected machine's own compiler to generate its next incarnation!
How do virus scanners deal with this mess? Well, one way is to let the virus decrypt itself using emulation and look for patterns in the result. But if the patterns are constantly different as they are in the Metamorphic type, how do you know what to look for? This is why the folks that do this kind of thing get paid well.
Read The Art of Virus Research and Defense for more.
Got something to add? Send me email.
More Articles by Tony Lawrence © 2009-11-07 Tony Lawrence