INTRODUCTION:

Polymorphic computer viruses are the most complex and difficult viruses to detect, often requiring
anti-virus companies to spend days or months creating the detection routines needed to catch a
single polymorphic.
This white paper provides an overview of polymorphics and existing methods of detection, and

introduces Symantec’s Striker™technology, a new, patent-pending method for detecting

polymorphics.

While most people have at least heard of them, not everyone is familiar with the functionality and
technical details of a computer virus.  The truth is that no two are exactly the same and their effects vary
depending on design and implementation of code.  Some are more subtle and present an annoyance to
the user while others pose catastrophic threats capable of destroying an entire operating system.  In
either scenario, it is crucial that you take extreme measures to keep these infections away from your
computer. The polymorphic virus is one of the more complex computer threats.  During the process of
infection, it creates slightly modified, fully functional copies of itself.  This is primarily done to elude the
detection of a virus scanner as some are not able to identify different instances of an infection.  One
method it commonly uses to bypass a scanner involves self-encryption performed with a variable key.  In
order to create an effective polymorphic virus, a coder chooses from a number of different encryption
schemes that require different methods of decryption, only one of which will remain plainly visible to all
instances of the infection.  A virus scanner based on a string-driven detection would have to find many
different strings, one for each probable decryption scheme.  This is the best technique for reliably
identifying this type of virus.      

More advanced forms of the polymorphic virus alter the instruction sequences of their variants
by interspersing decryption instructions with other instructions designed to fail the process of
encryption.  It may also interchange mutually independent instructions to load inaccurate
arbitrary values such as moving "0" to "A" or replacing "A" with "B".  A basic virus scanner
would have no way to effectively identify all variants of the infection.  Even a more advanced
program has to thoroughly research this type of various and make special configurations to their
scanner in order to detect it.

A POLYMORPHIC virus is one that produces varied but operational copies

of itself. These strategies have been employed in the hope that virus
scanners (see D1) will not be able to detect all instances of the virus.

One method of evading scan string-driven virus detectors is self-

encryption with a variable key. These viruses (e.g. Cascade) are not
termed "polymorphic", as their decryption code is always the same.
Therefore the decryptor can be used as a scan string by the simplest
scan string-driven virus scanners (unless another virus uses the
identical decryption routine *and* exact identification (see B15) is
required).
A technique for making a polymorphic virus is to choose among a variety
of different encryption schemes requiring different decryption routines:
only one of these routines would be plainly visible in any instance of
the virus (e.g. the Whale virus). A scan string-driven virus scanner
would have to exploit several scan strings (one for each possible
decryption method) to reliably identify a virus of this kind.

More sophisticated polymorphic viruses (e.g. V2P6) vary the sequences of

instructions in their variants by interspersing the decryption
instructions with "noise" instructions (e.g. a No Operation instruction
or an instruction to load a currently unused register with an arbitrary
value), by interchanging mutually independent instructions, or even by
using various instruction sequences with identical net effects (e.g.
Subtract A from A, and Move 0 to A). A simple-minded, scan string-based
virus scanner would not be able to reliably identify all variants of
this sort of virus; rather, a sophisticated "scanning engine" has to be
constructed after thorough research into the particular virus.

The first known polymorphic virus was developed in 1990, in the early days of the Internet,
illustrating the fact that virus creators have always been ahead of the curve when it comes to
developing malicious code. Polymorphic viruses operate with the assistance of an encryption
engine which changes with each virus replication; this keeps the encrypted virus functional,
while still hiding the polymorphic virus from the computer it infects and allowing the virus to
slip through security systems which are designed to prevent malicious code from entering or
exiting a network.

Essentially, the designers of polymorphic viruses have integrated a trait associated with viruses
which infect humans into the design of their software, designed to infect computers. Human
viruses are infamous for being able to mutate rapidly to avoid detection and prevent the buildup
of immunities, and when a computer virus has a similar trait, the results can be unpleasant for
computer users. It can be difficult to mount an adequate defense against a polymorphic virus,
even with excellent antivirus software which has been designed to attempt to detect such viruses.

Polymorphic viruses can operate in different ways. Some mutate with each infection, making the
virus extremely difficult to track. Others change with each generation. The speed of mutation is
also highly variable. Some viruses mutate more slowly, which can make it easier to catch them,
while others change very quickly. All of these variations, as a whole, make polymorphic viruses
very diverse, which adds to the challenge of pinning them down.

One of the most sophisticated forms of polymorphism used so far is the

"Mutation Engine" (MtE) which comes in the form of an object module.
With the Mutation Engine any virus can be made polymorphic by adding
certain calls to its assembler source code and linking to the mutation-
engine and random-number generator modules.
The advent of polymorphic viruses has rendered virus-scanning an ever
more difficult and expensive endeavor; adding more and more scan strings
to simple scanners will not adequately deal with these viruses.

Kaspersky Lab announces the publication of an article titled ‘A Review of

Virus.Win32.Virut.ce’ by Vyacheslav Zakorzhevsky, a Senior Virus Analyst with Kaspersky
Lab. This is the first of a number of such articles from the recently launched Complex malicious
programs series.

The ‘ce’ variant of the polymorphic Virus.Win32.Virut is the second most prolific of all viruses
of the Virus.Win32.*.* class and is one of the most widely detected pieces of malware to be
found on users’ computers today. The virus works by infecting executable files.

In recent years, malicious programs that infect executable files have lost their popularity with
malware writers as they didn’t stand up at all well to emulation-based detection techniques.
However, the creators of Virut.ce were not put off by this and developed complex methods for
avoiding detection by using anti-emulation techniques and polymorphism.

“The Virut.ce variant is interesting for the variety of file infection mechanisms that it uses, as
well as for its polymorphism and obfuscation techniques,” writes the article’s author. “However,
its malicious payload is quite commonplace. This version of Virut was the first to combine all of
the aforementioned malicious techniques into a single piece of malware. Some malicious
programs may be heavily obfuscated, others may employ a wide range of anti-emulation
techniques, but Virut.ce combines all of these in one virus.”

The Virut.ce code changes each time the virus infects a file by using an integrated mutation
mechanism. Additionally, its creators have been known to release new variants as often as once a
week, thus circumventing successful detection. Virut.ce is the fastest-mutating virus known. It is
not just the virus body that mutates, but the decryptors as well.

Virut.ce employs the Entry Point Obscuring technique to block detection of the point at which
the jump to the virus body is made. Each time an executable file is infected, obfuscation is used
and this makes the detection problem far more complex.

Despite the malware’s obvious versatility, all of Kaspersky Lab’s products can successfully
detect and remove Virus.Win32.Virut.ce from infected computers.

When scanning files on a computer using the traditional method, antivirus products search for
specific traces of a virus – a signature. If the code of a virus that has been assigned a signature is
modified, it will no longer be possible to detect it using that signature. A polymorphic virus is
capable of performing such modifications to any of its parts.
Detecting polymorphic viruses therefore requires the use of a detection algorithm that is
specially developed for each individual virus.

The aim of this test is to assess the quality of the special algorithm function for detecting the
latest polymorphic viruses.

Moreover, because polymorphic viruses are the most difficult viruses to detect, the ability to do
so reflects the level of professionalism of an antivirus product’s developers. They not only have
to analyze the complex variants of the viruses but also develop a reliable procedure and
methodology to ensure 100% detection rates.

The following antivirus programs were tested:

1. Agnitum Outpost Security Suite Pro 2008 (VirusBuster)

2. Avast Professional Edition 4.7
3. AVG Anti-Virus Professional Edition 7.5
4. Avira Antivir Personal Edition Classic 7.06
5. BitDefender Anti-Virus 2008
6. DrWeb 4.44
7. Eset Nod32 Antivirus 3.0
8. F-Secure Anti-Virus 2008
9. Kaspersky Anti-Virus 7.0
10. McAfee VirusScan 2008
11. Microsoft Windows Live OneCare 2.0 Pre-Release
12. Panda Antivirus 2008
13. Sophos Anti-Virus 7.0
14. Symantec Anti-Virus 2008
15. Trend Micro Antivirus plus Antispyware 2008
16. VBA32 Workstation 3.12.6

The test was performed using 11 families of polymorphic viruses, each with a specific
functionality. The initial samples and resulting test collection of malware was generated in
compliance with the stated requirements.

The following families of polymorphic viruses were compiled for the test:

1. Allaple.1, Allaple.2, Allaple.3, Allaple.4

2. Alman.1, Alman.2
3. Twido.1, Twido.2
4. Virut.2, Virut.3, Virut.4

The Evolution of Polymorphic Viruses

A computer virus is a self-replicating computer program that operates without the consent of the
user. It spreads by attaching a copy of itself to some part of a program file, such as a spreadsheet
or word processor. Viruses also attack boot records and master boot records, which contain the
information a computer uses to start up. Macro viruses attack such files as word processing documents
or spreadsheets.
Most viruses simply replicate. Some display messages. Some, however, deliver a payload — a portion
of the virus program that is designed to corrupt programs, delete files, reformat a hard disk, or crash
a corporate-wide network, potentially wiping out years of data and destroying critical information.

Polymorphic Viruses
In retaliation, virus authors developed the polymorphic virus. Like an encrypted virus, a polymorphic
virus includes a scrambled virus body and a decryption routine that first gains control of the computer,
then decrypts the virus body.
However, a polymorphic virus adds to these two components a third — a mutation engine that generates
randomized decryption routines that change each time a virus infects a new program.
In a polymorphic virus, the mutation engine and virus body are both encrypted. When a user runs a
program infected with a polymorphic virus, the decryption routine first gains control of the computer,
then decrypts both the virus body and the mutation engine. Next, the decryption routine transfers
control of the computer to the virus, which locates a new program to infect.
At this point, the virus makes a copy of both itself and the mutation engine in random access memory
(RAM). The virus then invokes the mutation engine, which randomly generates a new decryption
routine that is capable of decrypting the virus, yet bears little or no resemblance to any prior decryption
routine. Next, the virus encrypts this new copy of the virus body and mutation engine. Finally, the
virus appends this new decryption routine, along with the newly encrypted virus and mutation engine,
onto a new program.

As a result, not only is the virus body encrypted, but the virus decryption routine varies from infection
to infection. This confounds a virus scanner searching for the tell-tale sequence of bytes that identifies
a specific decryption routine.
With no fixed signature to scan for, and no fixed decryption routine, no two infections look alike.
The result is a formidable adversary.

The Scale of the Problem

The Tequila and Maltese Amoeba viruses caused the first widespread polymorphic infections in 1991.
In 1992, in a harrowing development, Dark Avenger, author of Maltese Amoeba, distributed the
Mutation Engine, also known as MtE, to other virus authors with instructions on how to use it to
build still more polymorphics.
It is now common practice for virus authors to distribute their mutation engines, making them widely
available for other virus authors to use as if they were do-it-yourself kits.
Today, anti-virus researchers report that polymorphic viruses comprise about five percent of the
more than 8,000 known viruses.
Of these, SARC reports only a small number of polymorphics “in the wild” — just 20 as of mid-
1996. Yet this represents an increase of 25 percent from 16 polymorphics in the wild in mid-1995,
a year earlier. Also, anti-virus researchers have identified 50 mutation engines. SARC reports 13
mutation engines in the wild as of mid-1996, up 30 percent in one year from 10 mutation engines
reported in the wild as of mid-1995.
Two polymorphics — One Half and Natas — rank among the 20 most-prevalent computer viruses,
according to the 1996 Computer Virus Prevalence Survey conducted by the National Computer
Security Association (NCSA).
One Half slowly encrypts a hard disk. Natas, also known as SatanBug.Natas, is highly polymorphic,
designed to evade and attack anti-virus software. It infects .COM and .EXE program files.
Polymorphic Detection
Anti-virus researchers first fought back by creating special detection routines designed to catch
each polymorphic virus, one by one. By hand, line by line, they wrote special programs designed to
detect various sequences of computer code known to be used by a given mutation engine to decrypt
a virus body.
This approach proved inherently impractical, time-consuming, and costly. Each new polymorphic
requires its own detection program. Also, a mutation engine produces seemingly random programs,
any of which can properly perform decryption — and some mutation engines generate billions upon
billions of variations.
Moreover, many polymorphics use the same mutation engine, thanks to the Dark Avenger and other
virus authors who have distributed engines. Also, different engines used by different polymorphics
often generate similar decryption routines, which makes any identification based solely on decryption
routines wholly unreliable.
This approach also leads to mistakenly identifying one polymorphic as another. These shortcomings
led anti-virus researchers to develop generic decryption techniques that trick a polymorphic virus
into decrypting and revealing itself.

Common Characteristics of Polymorphic Viruses

Polymorphic viruses of varying degrees of complexity have appeared in the past. In the anti-
virus community, polymorphism is still an active area of discussion and much disagreement.
Most researchers would agree that certain viruses are simply encryptive with a variable key. We
do not consider such beasts polymorphic since they can be recognized using simple wild card
scan strings. The number of such viruses significantly increased over the past few years as a
reaction to the worldwide availability of good signature-basedvirus scanners. Similarly, scanners
also evolved to handle such beasts using more flexible signatures that can include wild card or
don't-care values to accommodate the variable parts of the decryptors.

There are other viruses that exhibit some polymorphic behavior, though they remain
unsophisticated. Classification of such beasts is a gray area. For example, some viruses can
generate a limited number of different-looking decryptors. These do not implement a
polymorphic code generation engine, but rather pick from a pre-computed set of code fragments
that they carry along. Writing detection routines for such viruses is not too difficult.

To aid in implementing polymorphism, a random-number generator is often used. A random-

number generator provides selection of a part of the decryptor. This selection could be for
"noise" instructions that are inserted in the decryptor to render signature-based scanning
ineffective. It could also be used to select a certain addressing mode and appropriate registers.
The obvious use of random number generators is to get a seed value for encryption.

Another aspect of a polymorphic engine is the choice of instructions that actually perform the
decryption. XOR is a favorite choice. The chosen operation modifies the code to be decrypted
using an addressing mode that allows external memory access. By external, we mean outside the
processor registers. By using several instructions and many different addressing modes, a
polymorphic engine can achieve a large number of combinations of decryptors.
Usually, a loop construct is set up to step through the encrypted code. On the 80x86, many
instructions can be used to accomplish looping. The loop counter can be modified implicitly
using LOOPinstruction . Or it could be more explicit using a DEC CX, JNZ ?? combination.
Several such possibilities exist. Again, availability of different approaches increases the number
of appearances a decryptor can have. In the MtE, the loop construct was very predictable not
only because it used a specificinstruction but also because it had a characteristic that made it very
simple to recognize MtE-based decryptors. Although "appearance-based" analysis on the MtE
left many anti-virus developers in despair, a structural analysis proved to be very effective. We
doubt even the developer of MtE noticed how predictable his polymorphic engine is.

The goal of a polymorphic engine is not to leave any predictable sequence of instructions that a
virus scanner can use to simplify or optimize an appropriate detection algorithm. For example,
using the same instruction to increment the index register is too predictable. A mixture of
instructions that achieve the same result explicitly or implicitly (as in TPE) would make
detection a lot harder.

Generic Decryption
Generic decryption assumes:
• The body of a polymorphic virus is encrypted to avoid detection.
• A polymorphic virus must decrypt before it can execute normally.
• Once an infected program begins to execute, a polymorphic virus must immediately usurp control
of the computer to decrypt the virus body, then yield control of the computer to the decrypted virus.
A scanner that uses generic decryption relies on this behavior to detect polymorphics. Each time it
scans a new program file, it loads this file into a self-contained virtual computer created from RAM.
Inside this virtual computer, program files execute as if running on a real computer.
The scanner monitors and controls the program file as it executes inside the virtual computer. A
polymorphic virus running inside the virtual computer can do no damage because it is isolated from
the real computer.
When a scanner loads a file infected by a polymorphic virus into this virtual computer, the virus
decryption routine executes and decrypts the encrypted virus body. This exposes the virus body to the
scanner, which can then search for signatures in the virus body that precisely identify the virus strain.
If the scanner loads a file that is not infected, there is no virus to expose and monitor. In response
to nonvirus behavior, the scanner quickly stops running the file inside the virtual computer, removes
the file from the virtual computer, and proceeds to scan the next file.
The process is like injecting a mouse with a serum that may or may not contain a virus, and then
observing the mouse for adverse affects. If the mouse becomes ill, researchers observe the visible
symptoms, match them to known symptoms, and identify the virus. If the mouse remains healthy,
researchers select another vial of serum and repeat the process.
Outlook
To date, generic decryption has proved to be the single most effective method of detecting polymorphics.
Striker improves on this approach.
Yet it is only a matter of time before virus authors design some new, insidious type of virus that
evades current methods of detection.
Virus authors might design a polymorphic virus that decrypts half the time, for example, yet remains
dormant at other times. Anti-virus software could not reliably detect such a virus if it does not decrypt
itself every time the file is loaded into the virtual computer. In this case, a hand-coded detection
routine will be needed.
Or, imagine a host program that waits for the user to press a specific key and then terminates. A
polymorphic infecting this host might only take control just after the user enters the required keystroke.
If the user enters the keystroke, the virus runs. If not, the virus gets no opportunity to launch.
However, inside the virtual computer created by generic decryption, the program would never receive
the needed keystroke — and the virus would never have a chance to decrypt.
A small number of viruses are already resistant to detection by generic decryption. There’s no
doubt that virus authors will continue to design new viruses, using new technologies, creating new
problems. Anti-virus researchers will need to deal with these new threats, just as Striker today
delivers the solution that best protects computer users against polymorphics.
Conclusion :: This concludes the first part of this two-part series examining polymorph viruses. This
installment has looked at some early examples of polymorphism, along with some of the early
polymorphic techniques. The next article in this series will discuss the first serious polymorph macro
viruses, as well as the evolution of viruses into true polymorphs and, ultimately, metamorphic viruses.