Professional Documents
Culture Documents
Polymorphic computer viruses are the most complex and difficult viruses to detect, often requiring
anti-virus companies to spend days or months creating the detection routines needed to catch a
single polymorphic.
This white paper provides an overview of polymorphics and existing methods of detection, and
While most people have at least heard of them, not everyone is familiar with the functionality and
technical details of a computer virus. The truth is that no two are exactly the same and their effects vary
depending on design and implementation of code. Some are more subtle and present an annoyance to
the user while others pose catastrophic threats capable of destroying an entire operating system. In
either scenario, it is crucial that you take extreme measures to keep these infections away from your
computer. The polymorphic virus is one of the more complex computer threats. During the process of
infection, it creates slightly modified, fully functional copies of itself. This is primarily done to elude the
detection of a virus scanner as some are not able to identify different instances of an infection. One
method it commonly uses to bypass a scanner involves self-encryption performed with a variable key. In
order to create an effective polymorphic virus, a coder chooses from a number of different encryption
schemes that require different methods of decryption, only one of which will remain plainly visible to all
instances of the infection. A virus scanner based on a string-driven detection would have to find many
different strings, one for each probable decryption scheme. This is the best technique for reliably
identifying this type of virus.
More advanced forms of the polymorphic virus alter the instruction sequences of their variants
by interspersing decryption instructions with other instructions designed to fail the process of
encryption. It may also interchange mutually independent instructions to load inaccurate
arbitrary values such as moving "0" to "A" or replacing "A" with "B". A basic virus scanner
would have no way to effectively identify all variants of the infection. Even a more advanced
program has to thoroughly research this type of various and make special configurations to their
scanner in order to detect it.
The first known polymorphic virus was developed in 1990, in the early days of the Internet,
illustrating the fact that virus creators have always been ahead of the curve when it comes to
developing malicious code. Polymorphic viruses operate with the assistance of an encryption
engine which changes with each virus replication; this keeps the encrypted virus functional,
while still hiding the polymorphic virus from the computer it infects and allowing the virus to
slip through security systems which are designed to prevent malicious code from entering or
exiting a network.
Essentially, the designers of polymorphic viruses have integrated a trait associated with viruses
which infect humans into the design of their software, designed to infect computers. Human
viruses are infamous for being able to mutate rapidly to avoid detection and prevent the buildup
of immunities, and when a computer virus has a similar trait, the results can be unpleasant for
computer users. It can be difficult to mount an adequate defense against a polymorphic virus,
even with excellent antivirus software which has been designed to attempt to detect such viruses.
Polymorphic viruses can operate in different ways. Some mutate with each infection, making the
virus extremely difficult to track. Others change with each generation. The speed of mutation is
also highly variable. Some viruses mutate more slowly, which can make it easier to catch them,
while others change very quickly. All of these variations, as a whole, make polymorphic viruses
very diverse, which adds to the challenge of pinning them down.
The ‘ce’ variant of the polymorphic Virus.Win32.Virut is the second most prolific of all viruses
of the Virus.Win32.*.* class and is one of the most widely detected pieces of malware to be
found on users’ computers today. The virus works by infecting executable files.
In recent years, malicious programs that infect executable files have lost their popularity with
malware writers as they didn’t stand up at all well to emulation-based detection techniques.
However, the creators of Virut.ce were not put off by this and developed complex methods for
avoiding detection by using anti-emulation techniques and polymorphism.
“The Virut.ce variant is interesting for the variety of file infection mechanisms that it uses, as
well as for its polymorphism and obfuscation techniques,” writes the article’s author. “However,
its malicious payload is quite commonplace. This version of Virut was the first to combine all of
the aforementioned malicious techniques into a single piece of malware. Some malicious
programs may be heavily obfuscated, others may employ a wide range of anti-emulation
techniques, but Virut.ce combines all of these in one virus.”
The Virut.ce code changes each time the virus infects a file by using an integrated mutation
mechanism. Additionally, its creators have been known to release new variants as often as once a
week, thus circumventing successful detection. Virut.ce is the fastest-mutating virus known. It is
not just the virus body that mutates, but the decryptors as well.
Virut.ce employs the Entry Point Obscuring technique to block detection of the point at which
the jump to the virus body is made. Each time an executable file is infected, obfuscation is used
and this makes the detection problem far more complex.
Despite the malware’s obvious versatility, all of Kaspersky Lab’s products can successfully
detect and remove Virus.Win32.Virut.ce from infected computers.
When scanning files on a computer using the traditional method, antivirus products search for
specific traces of a virus – a signature. If the code of a virus that has been assigned a signature is
modified, it will no longer be possible to detect it using that signature. A polymorphic virus is
capable of performing such modifications to any of its parts.
Detecting polymorphic viruses therefore requires the use of a detection algorithm that is
specially developed for each individual virus.
The aim of this test is to assess the quality of the special algorithm function for detecting the
latest polymorphic viruses.
Moreover, because polymorphic viruses are the most difficult viruses to detect, the ability to do
so reflects the level of professionalism of an antivirus product’s developers. They not only have
to analyze the complex variants of the viruses but also develop a reliable procedure and
methodology to ensure 100% detection rates.
The test was performed using 11 families of polymorphic viruses, each with a specific
functionality. The initial samples and resulting test collection of malware was generated in
compliance with the stated requirements.
The following families of polymorphic viruses were compiled for the test:
Polymorphic Viruses
In retaliation, virus authors developed the polymorphic virus. Like an encrypted virus, a polymorphic
virus includes a scrambled virus body and a decryption routine that first gains control of the computer,
then decrypts the virus body.
However, a polymorphic virus adds to these two components a third — a mutation engine that generates
randomized decryption routines that change each time a virus infects a new program.
In a polymorphic virus, the mutation engine and virus body are both encrypted. When a user runs a
program infected with a polymorphic virus, the decryption routine first gains control of the computer,
then decrypts both the virus body and the mutation engine. Next, the decryption routine transfers
control of the computer to the virus, which locates a new program to infect.
At this point, the virus makes a copy of both itself and the mutation engine in random access memory
(RAM). The virus then invokes the mutation engine, which randomly generates a new decryption
routine that is capable of decrypting the virus, yet bears little or no resemblance to any prior decryption
routine. Next, the virus encrypts this new copy of the virus body and mutation engine. Finally, the
virus appends this new decryption routine, along with the newly encrypted virus and mutation engine,
onto a new program.
As a result, not only is the virus body encrypted, but the virus decryption routine varies from infection
to infection. This confounds a virus scanner searching for the tell-tale sequence of bytes that identifies
a specific decryption routine.
With no fixed signature to scan for, and no fixed decryption routine, no two infections look alike.
The result is a formidable adversary.
There are other viruses that exhibit some polymorphic behavior, though they remain
unsophisticated. Classification of such beasts is a gray area. For example, some viruses can
generate a limited number of different-looking decryptors. These do not implement a
polymorphic code generation engine, but rather pick from a pre-computed set of code fragments
that they carry along. Writing detection routines for such viruses is not too difficult.
Another aspect of a polymorphic engine is the choice of instructions that actually perform the
decryption. XOR is a favorite choice. The chosen operation modifies the code to be decrypted
using an addressing mode that allows external memory access. By external, we mean outside the
processor registers. By using several instructions and many different addressing modes, a
polymorphic engine can achieve a large number of combinations of decryptors.
Usually, a loop construct is set up to step through the encrypted code. On the 80x86, many
instructions can be used to accomplish looping. The loop counter can be modified implicitly
using LOOPinstruction . Or it could be more explicit using a DEC CX, JNZ ?? combination.
Several such possibilities exist. Again, availability of different approaches increases the number
of appearances a decryptor can have. In the MtE, the loop construct was very predictable not
only because it used a specificinstruction but also because it had a characteristic that made it very
simple to recognize MtE-based decryptors. Although "appearance-based" analysis on the MtE
left many anti-virus developers in despair, a structural analysis proved to be very effective. We
doubt even the developer of MtE noticed how predictable his polymorphic engine is.
The goal of a polymorphic engine is not to leave any predictable sequence of instructions that a
virus scanner can use to simplify or optimize an appropriate detection algorithm. For example,
using the same instruction to increment the index register is too predictable. A mixture of
instructions that achieve the same result explicitly or implicitly (as in TPE) would make
detection a lot harder.
Generic Decryption
Generic decryption assumes:
• The body of a polymorphic virus is encrypted to avoid detection.
• A polymorphic virus must decrypt before it can execute normally.
• Once an infected program begins to execute, a polymorphic virus must immediately usurp control
of the computer to decrypt the virus body, then yield control of the computer to the decrypted virus.
A scanner that uses generic decryption relies on this behavior to detect polymorphics. Each time it
scans a new program file, it loads this file into a self-contained virtual computer created from RAM.
Inside this virtual computer, program files execute as if running on a real computer.
The scanner monitors and controls the program file as it executes inside the virtual computer. A
polymorphic virus running inside the virtual computer can do no damage because it is isolated from
the real computer.
When a scanner loads a file infected by a polymorphic virus into this virtual computer, the virus
decryption routine executes and decrypts the encrypted virus body. This exposes the virus body to the
scanner, which can then search for signatures in the virus body that precisely identify the virus strain.
If the scanner loads a file that is not infected, there is no virus to expose and monitor. In response
to nonvirus behavior, the scanner quickly stops running the file inside the virtual computer, removes
the file from the virtual computer, and proceeds to scan the next file.
The process is like injecting a mouse with a serum that may or may not contain a virus, and then
observing the mouse for adverse affects. If the mouse becomes ill, researchers observe the visible
symptoms, match them to known symptoms, and identify the virus. If the mouse remains healthy,
researchers select another vial of serum and repeat the process.
Outlook
To date, generic decryption has proved to be the single most effective method of detecting polymorphics.
Striker improves on this approach.
Yet it is only a matter of time before virus authors design some new, insidious type of virus that
evades current methods of detection.
Virus authors might design a polymorphic virus that decrypts half the time, for example, yet remains
dormant at other times. Anti-virus software could not reliably detect such a virus if it does not decrypt
itself every time the file is loaded into the virtual computer. In this case, a hand-coded detection
routine will be needed.
Or, imagine a host program that waits for the user to press a specific key and then terminates. A
polymorphic infecting this host might only take control just after the user enters the required keystroke.
If the user enters the keystroke, the virus runs. If not, the virus gets no opportunity to launch.
However, inside the virtual computer created by generic decryption, the program would never receive
the needed keystroke — and the virus would never have a chance to decrypt.
A small number of viruses are already resistant to detection by generic decryption. There’s no
doubt that virus authors will continue to design new viruses, using new technologies, creating new
problems. Anti-virus researchers will need to deal with these new threats, just as Striker today
delivers the solution that best protects computer users against polymorphics.
Conclusion :: This concludes the first part of this two-part series examining polymorph viruses. This
installment has looked at some early examples of polymorphism, along with some of the early
polymorphic techniques. The next article in this series will discuss the first serious polymorph macro
viruses, as well as the evolution of viruses into true polymorphs and, ultimately, metamorphic viruses.