Smita Thaker 1

Polymorphic & Metamorphic Viruses

Presented By : Smita Thaker

Dated : Nov 18, 2003

Smita Thaker 2

Agenda

• History of Viruses

• Polymorphic Viruses

• Metamorphic Viruses

• Summary and Conclusion

Smita Thaker 3

History• Encrypted viruses - To avoid detection, virus writers encrypted the main portion of the program. Viruses now had 2 parts

–Decrypted code

–Encrypted Virus Code

• Polymorphic Viruses – take different forms/shapes

• Metamorphic Viruses

Smita Thaker 4

Encryption/DecryptionDECRYPT:

mov si, OFFSET START mov di, OFFSET START mov cx, VIR_SIZE

ELP: lodsb ; al := ds:si xor al, 093H stosb loop ELP

START:

(Body of virus goes here)

Smita Thaker 5

POLYMORPHIC VIRUSES

• Definition

• Example

• How it works

• Detecting polymorphic Viruses

– Generic Decryption (GD) Technology

Smita Thaker 6

Polymorphic Viruses – What are polymorphic Viruses

• If a virus is programmed to look different each time it replicated, there would be no fixed string for anti-virus to latch onto detect it. Such a virus is known as polymorphic virus.

• Polymorphic viruses have specially designed mutation engines.

• They(M.E.) generate a new decryption routine each time, by switching the order of instructions.

Smita Thaker 7

Example:

• If the scanner were looking for the instructions mov ax, 2513H mov dx, 1307H

int 21H

One might modify the virus to instead execute this operation code

mov ax, 2513H mov dx, 1307H

xchg ax, dx int 21H

The scanner can no longer see it, and the virus can go undetected.

Smita Thaker 8

How it works

• Polymorphic viruses typically encrypt the body of the virus and front-end it with a variable decryption routine.

• Thus, the body cannot be scanned because its encrypted, and the mutation engine is capable of generating too many different decryption routines to make search-string scanning viable.

Smita Thaker 9

Polymorphic Virus Detection

• Entry point algorithms – special virus detection programs which examine the machine code at the entry-point of each file.

• Generic Decryption (GD) Technology – Run the file on a protected virtual computer– Can analyze virus body when decrypted.– GD scanner comprises of :

• CPU Emulator

• Virus Signature Scanner

• Emulation Control Module (ECM)

– Problem: How long to run each program?

Smita Thaker 10

Metamorphic Viruses

• Definition

• Example

• How it works– Some Transformations

• Metamorphic Virus Detection Techniques

Smita Thaker 11

METAMORPHIC VIRUSES

• Are body-polymorphic viruses. i.e., viruses where the body of the virus itself changes from instance to instance

Polymorphic viruses, on the other hand have a constant virus body, being encrypted with a different decryptor each instance.

Smita Thaker 12

Smita Thaker 13

Example:

Smita Thaker 14

How it works

When the virus spreads, it first undoes its current metamorphism to yield a base version of the virus, and then produces a different metamorphed version of the base code. Techniques :

• Disassembler – Depermutator – Shrinker

• Expander • Permutator • Assembler • Other transformations

Smita Thaker 15

Loop:pop ecxnopjecxz SFModMarkxor ebx, ebxbeqz N1N1: mov esi, ecx nop mov eax, 0d601h pop edx pop ecx nop call edi xor ebx, ebx beqz N2N2: jmp Loop

Loop:pop ecxjecxz SFModMarkmov esi, ecxmov eax, 0d601hpop edxpop ecxcall edijmp Loop

Loop:pop ecxnopjecxz SFModMarkxor ebx, ebxbeqz N1N1: mov esi, ecx nop mov eax, 0d601h pop edx pop ecx nop call edi xor ebx, ebx beqz N2N2: jmp Loop

Disassemble

Expand, Permutate, Assemble

A new morphed variant of the virus

Smita Thaker 16

Some Transformations• Insert jmps

#make_BIN# MOV AX, 5MOV BX, 10ADD AX, BXSUB AX, 1 HLT

#make_BIN# MOV AX, 5MOV BX, 10ADD AX, BXjmp proc_subproc_sub: SUB AX, 1 HLT

• Add redundant labelsMOV AX, 1MOV AX, 2

x1:MOV AX, 1

x2:MOV AX, 2

Smita Thaker 17

• Can insert some NOPs, XOR, ORs anywhere in the program. It doesn't affect any register values. 

NOP ;do nothing.

XOR AL, 0  OR BL, 0

Smita Thaker 18

Metamorphic Virus Detection Techniques

• Geometric Detection - based on alterations that a virus has made to the file structure.

• Use of Emulators for Tracing

Smita Thaker 19

Summary & Conclusion

Evolution of metamorphic viruses is one of the great challenges of this decade

Smita Thaker 20

References: • American Eagle Publication http://www.ameaglepubs.com/freebooks.html

• Carey Nachenberg, Computer Virus-Coevolution, ACM Digital Library, Vol 40, Issue1, Jan 1997.

• Christodorescu, M., Detecting Malicious Patterns in Executables via Model Checking (WISA Project),

• Christodorescu, M., General Purpose Binary Rewriting (WISA Project).

• Stamp, M. DEFCON 11 Trip Report

• Szor, P., Ferrie, P., Hunting for Metamorphic, Virus Bulletin Conference, September 2001