
A Technical Seminar Project on

“Polymorphic virus”
A Technical Seminar Report Submitted in partial fulfillment of

the requirements for the award of the degree of

BACHELOR OF TECHNOLOGY
in

COMPUTER SCIENCE AND ENGINEERING


Submitted by

K.v.v. Satya Ravi

(16MH1A0587)
Under the esteemed guidance of

Dr. B. ANNAPURNA

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

ADITYA COLLEGE OF ENGINEERING

(Affiliated to JNTUK, Kakinada & Approved by AICTE, New Delhi)

Surampalem, ADB Road, E.G. Dt, A.P-533437

2016-2020
ABSTRACT

In this document, viruses, the types of virus and an implementation for identifying a virus are discussed. Nowadays the crime rate in computer security, or cyber security, has increased. In this document I mainly explain the background working of viruses and how they are created.

Viruses are nothing but software: programmed code written to perform unauthorized actions such as deleting, encrypting or modifying data. They are created by highly skilled programmers whose intention is to carry out unethical activities. Because they know how antivirus software works, they can create stealth viruses that antivirus software cannot detect. Such a virus can spread to others through various channels without our noticing.
COMPUTER SECURITY: Polymorphic virus

Index
Security: virus & prevention
-> How does anti-virus detect viruses?
-> Detection methods
-> Heuristic analysis
-> Working of heuristic analysis

Types of virus:
-> Polymorphic virus
- About polymorphic viruses
- Implementation
- Examples
- Metamorphic virus
- Difference between polymorphic and metamorphic viruses
SECURITY
Computer security, cyber security or information technology security is the protection of computer systems from theft of or damage to their hardware, software or electronic data, as well as from the disruption or misdirection of the services they provide.

Here I explain how a virus affects our computers and systems. Before that, we have to know what a virus is and that there are different types of viruses and attacks.
Virus
A virus is a type of computer program that, when
executed, replicates itself by modifying other computer
programs and inserting its own code. When this replication
succeeds, the affected areas are then said to be "infected"
with a computer virus.

Prevention:
To prevent infection we have to use antivirus (or anti-malware) software. Keep your antivirus software up to date. Run regularly scheduled scans with your antivirus software. Secure your network, because most viruses spread through email; in the year 2000 and before, most computers were attacked by macro viruses.

How do anti-virus programs detect viruses?

Heuristic-based detection uses an algorithm to compare the signatures of known viruses against potential threats. With heuristic-based detection, antivirus software can detect viruses that haven't been discovered yet, as well as already existing viruses that have been disguised or modified and released as new viruses.

Virus signature
A virus signature is the fingerprint of a virus. It is a set of unique data, or bits of code, that allows it to be identified. Antivirus software uses a virus signature to find a virus in a computer file system, allowing it to detect, quarantine and remove the virus.

Detection methods:

1.) Heuristic analysis
2.) Signature-based detection
3.) Anomaly-based detection
4.) Intrusion detection

Many methods are used in detection, but most antivirus products commonly rely on these. Now I explain the first one, heuristic analysis, which is used heavily in Kaspersky antivirus software.

What is Heuristic Analysis?

Heuristic analysis is a method of detecting viruses by examining code for suspicious properties.
Traditional methods of virus detection involve identifying malware by comparing code in a program to the code of known virus types that have already been encountered, analyzed and recorded in a database – known as signature detection.
While useful and still in use, the signature detection method has also become more limited, due to the development of new threats, which exploded around the turn of the century and continue to emerge all the time.
To counter this problem, the heuristic model was specifically designed to spot suspicious characteristics that can be found in unknown, new viruses and modified versions of existing threats, as well as in known malware samples.

Cybercriminals are constantly developing new threats, and heuristic analysis is one of the only methods used to deal with the huge volume of new threats seen daily.

Heuristic analysis is also one of the few methods capable of combating polymorphic viruses — the term for malicious code that constantly changes and adapts. Heuristic analysis is incorporated into advanced security solutions offered by companies like Kaspersky Labs to detect new threats before they cause harm, without the need for a specific signature.
How Does Heuristic Analysis Work?
Heuristic analysis can employ a number of different techniques:
1.) Static heuristic analysis
2.) Dynamic heuristic analysis

Static heuristic analysis:- It involves decompiling a suspect program and examining its source code. This code is then compared to viruses that are already known and are in the heuristic database. If a particular percentage of the source code matches anything in the heuristic database, the code is flagged as a possible threat.

Dynamic heuristic analysis:- When scientists want to analyze something suspicious without endangering people, they contain the substance in a controlled environment like a secure lab and conduct tests. The process is similar for heuristic analysis — but in a virtual world.
It isolates the suspicious program or piece of code inside a specialized virtual machine — or sandbox — and gives the antivirus program a chance to test the code and simulate what would happen if the suspicious file were allowed to run. It examines each command as it's activated and looks for suspicious behaviors, such as self-replication, overwriting files, and other actions that are common to viruses.

Potential Issues
Heuristic analysis is ideal for identifying new threats, but to be effective, heuristics must be carefully tuned to provide the best possible detection of new threats without generating false positives on perfectly innocent code.
For this reason, heuristic tools are typically just one weapon in a sophisticated antivirus arsenal. They are usually deployed along with other methods of virus detection, such as signature analysis and other proactive technologies.
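As an added illustration of the two heuristic modes just described (this is example code, not code from the report), a toy Python scorer: the static half reports what fraction of a sample's instruction 3-grams match a small heuristic database, the dynamic half weights behaviours logged by a sandbox, and classify() applies the tuned thresholds the text mentions so that innocent code is not flagged. HEURISTIC_DB, BEHAVIOUR_WEIGHTS and both samples are constructed for the example.

```python
# Added example (not from the report): toy static and dynamic heuristic scoring.
# The database, behaviour weights and samples below are constructed for illustration.

# Static side: instruction 3-grams (mnemonic triples) recorded from known
# malicious decoder loops. A real heuristic database is far larger.
HEURISTIC_DB = {
    ("lodsb", "xor", "stosb"),   # byte-wise XOR decode loop
    ("xor", "stosb", "loop"),
    ("jmp", "call", "pop"),      # position-independent "find my own address" idiom
}

# Dynamic side: weights for behaviours a sandbox reports while the sample runs.
BEHAVIOUR_WEIGHTS = {
    "write_self_to_other_executable": 5,   # self-replication
    "overwrite_file": 3,
    "disable_av_service": 4,
    "open_file": 0,                        # harmless on its own
    "read_file": 0,
}


def static_heuristic_score(mnemonics, db=HEURISTIC_DB):
    """Fraction of the sample's 3-grams that appear in the heuristic database."""
    grams = [tuple(mnemonics[i:i + 3]) for i in range(len(mnemonics) - 2)]
    if not grams:
        return 0.0
    return sum(1 for g in grams if g in db) / len(grams)


def dynamic_heuristic_score(events, weights=BEHAVIOUR_WEIGHTS):
    """Sum the weights of observed sandbox events; unknown events count as 0."""
    return sum(weights.get(e, 0) for e in events)


def classify(mnemonics, events, static_threshold=0.25, dynamic_threshold=5):
    """Flag when either heuristic crosses its threshold. The thresholds are the
    tuning knob the text mentions: set too low, innocent code gets flagged."""
    s = static_heuristic_score(mnemonics)
    d = dynamic_heuristic_score(events)
    if s >= static_threshold:
        return True, f"static: {s:.0%} of 3-grams match the heuristic database"
    if d >= dynamic_threshold:
        return True, f"dynamic: behaviour score {d}"
    return False, "clean"


# Constructed samples: a decoder-style stub and an ordinary editor-like program.
DECODER_STUB = ["jmp", "call", "pop", "mov", "lodsb", "xor", "stosb", "loop", "jmp"]
TEXT_EDITOR = ["push", "mov", "call", "mov", "cmp", "jne", "ret"]

if __name__ == "__main__":
    print(classify(DECODER_STUB, ["open_file"]))                # flagged statically
    print(classify(TEXT_EDITOR, ["open_file", "read_file"]))    # clean
    print(classify(TEXT_EDITOR, ["write_self_to_other_executable", "overwrite_file"]))
```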

Different types of virus:

1. Polymorphic Virus
2. Metamorphic Virus
3. Boot Sector Virus
4. Macro Virus
5. Network Virus
6. Encrypted Virus
7. Multipartite Virus
8. Resident Virus
9. Others
Polymorphic virus
A polymorphic virus has the ability to change or mutate its underlying code without changing its basic functions or features. This enables the virus on a computer or network to evade detection even from the best antivirus or virus protection programs.

A polymorphic virus is a complicated computer virus. It is encrypted with a variable encryption key; therefore, each copy of the virus is different from the others. In other words, it is a self-encrypting virus designed to avoid detection by antivirus software or scanners.

Polymorphic viruses can be detected using two techniques: the entry point algorithm and generic description technology.

The entry point algorithm uses a special virus detection program to check the machine code at the entry point of each file.

Generic description technology runs the file on a protected virtual computer.

Polymorphism is also an object-oriented programming concept that refers to the ability of a variable, function or object to take on multiple forms. A language that features polymorphism allows developers to program in the general rather than in the specific.
Implementation:-
Custom x64 encoder with a basic polymorphic engine implementation:-

A pentester, on his blog, created a Python encoder that XORs the payload byte by byte with a randomly generated byte value, and also generates a polymorphic stub in x64 to decode that payload by brute-forcing all 256 possibilities. Even though bypassing antivirus systems is not the only purpose of encoders, it certainly is the most exciting one, and hence the detailed focus on this one subject throughout the post in his blog. Now I explain the polymorphic engine based on the Python code, with its output.

So what are encoders? Encoders are shellcode made of two distinct parts:

Decoder structure
The first is called the stub, and it's the code responsible for decoding the second part, the payload. An example is a XOR encoder, in which you XOR the payload byte by byte with the value 0xAA, and then write the stub, which will just run through the payload byte by byte, XOR it with 0xAA, and then execute the decoded payload.
For the sake of simplicity, the encoding of the payload is usually done in a high-level programming language such as Python, while the decoder is written in x64 assembly, because that will be the actual shellcode.

The stub's algorithm – brute force:

A method stub, or simply stub, in software development is a piece of code used to stand in for some other programming functionality. A stub may simulate the behavior of existing code (such as a procedure on a remote machine; such methods are often called mocks) or be a temporary substitute for yet-to-be-developed code.

Now we execute sample code in assembly language (without polymorphism).
But let's first take a look at a first draft of this encoder (without polymorphism):
draft #1 of decoder (without polymorphism)

Note:-
"\x90\x6a\x3b\x58\x48\x2f\x73\x68\x6a\x6e\x53\x54\x5f\x52\x54\x5e" is the decoder in hexadecimal.

Now execute the following code in assembly language (without polymorphism):
On Linux he used the open-source antivirus ClamAV. Result: DETECTED

Polymorphic engine:- Polymorphism, in this context, is nothing but altering the instructions (signature) of the code, while still doing the exact same thing.

At this point, the entire focus is on the encoder's Python code, which will (contrary to common encoders) be generating the x64 ASM decoder code itself: decoder.nasm. This makes sense, since this code will be different every time it's generated.

Shellcode attached to the signature byte: 0x90

Decoder with polymorphic generation

Polymorphic algorithm implemented

The core of the code generation here is the poly(..) function.

Output:
./encoder.py
# nasm -felf64 decoder.nasm -o decoder.o && ld decoder.o -o decoder
Not detected
# ./encoder.py
# nasm -felf64 decoder.nasm -o decoder.o && ld decoder.o -o decoder
# for i in `objdump -d decoder | tr '\t' ' ' | tr ' ' '\n' | egrep '^[0-9a-f]{2}$'` ;
\xeb\x47\x48\x8b\x3c\x24\x48\x83\xc4\x08\x48\x89\xfb\x8x11\x1b
# gcc -fno-stack-protector -z execstack shellcode.c -o shellcode

Compiling and executing shellcode.c (not compulsory)
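As an added example (not from the report or the blog it cites) tying the detection techniques listed under the polymorphic virus section to the encoder output above: a signature cut from the plain payload misses every copy encoded under a different key (the "Not detected" result), while the generic-decryption approach, emulated here by trying all 256 single-byte XOR keys and scanning each candidate, recovers the payload so the signature matches again. PAYLOAD and SIGNATURE are constructed harmless bytes, and the brute-force emulator is a simplification of what a real engine's virtual machine does.

```python
# Added example (not from the report): signature scanning versus per-copy XOR
# encoding, and the generic-decryption counter-measure. PAYLOAD and SIGNATURE
# are constructed harmless bytes standing in for a real sample and its signature.
import os

PAYLOAD = b"CONSTRUCTED-SAMPLE-PAYLOAD-FOR-SIGNATURE-DEMO"
SIGNATURE = b"SAMPLE-PAYLOAD"   # a slice a scanner might record from the clear payload


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR of every byte (XOR is its own inverse, so this also decodes)."""
    return bytes(b ^ key for b in data)


def signature_match(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Plain signature scanning: a substring search for the recorded bytes."""
    return signature in sample


def generic_decrypt_scan(sample: bytes, signature: bytes = SIGNATURE):
    """Emulate the decoder instead of trusting the bytes on disk: try every
    single-byte key, scan each candidate, and return the key that exposes
    the signature (None if no key does)."""
    for key in range(256):
        if signature in xor_encode(sample, key):
            return key
    return None


def make_variants(n: int):
    """n copies of the payload, each under a fresh random key, mimicking a
    polymorphic engine that re-encodes per copy. Key 0 is skipped because
    it would leave the payload in clear."""
    variants = []
    while len(variants) < n:
        key = os.urandom(1)[0]
        if key:
            variants.append((key, xor_encode(PAYLOAD, key)))
    return variants


def demo(n: int = 5):
    """For each variant: (key used, plain signature hit?, key found by emulation)."""
    return [(k, signature_match(v), generic_decrypt_scan(v)) for k, v in make_variants(n)]


if __name__ == "__main__":
    for key, plain_hit, found in demo():
        print(f"key=0x{key:02x} signature_on_disk={plain_hit} recovered_key=0x{found:02x}")
```

The same idea is why the report's entry point algorithm works: the decoder stub at the entry point stays recognisable even when the payload behind it changes with every copy.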


Example:-

Polymorphic viruses are usually distributed via spam, infected sites, or through the use of other malware. URSNIF, VIRLOCK, VOBFUS, and BAGLE or UPolyX are some of the most notorious polymorphic viruses in existence. When combined with other malicious routines, polymorphic viruses pose an even greater risk to their victims.

VIRLOCK:-
The first self-reproducing ransomware is also a shape shifter. Win32/VirLock is ransomware that locks victims' screens but also acts as a parasitic virus, infecting existing files on their computers. The virus is also polymorphic, which makes it an interesting piece of malware to analyze. This is the first time such a combination of malware features has been observed.

URSNIF:-
Ursnif, which is also known as Gozi ISFB, is an offspring of the original Gozi banking Trojan, whose source code was leaked online during 2014 and on which a lot of other banking Trojan strains were built, such as GozNym.
VOBFUS:
Win32/Vobfus is a family of worms that spreads via
removable drives and downloads other malware, and a
family that is causing people a lot of pain lately. Vobfus was
initially discovered in September 2009 and became prevalent
with its use of the MS10-046 .LNK vulnerability. The .LNK
vulnerability has also been used by Chymine, Sality, and Zbot,
though it is no longer used by Vobfus.

BAGLE:
Bagle (also known as Beagle) was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.

Metamorphic virus:
A metamorphic virus is a type of malware that is capable of changing its code and signature patterns with each iteration. Metamorphic viruses are considered to be more advanced threats than typical malware or even polymorphic viruses.

A metamorphic virus is also not the same as a polymorphic virus; we can see the differences between a metamorphic virus and a polymorphic virus.
