Discuss Polymorphism viruses in the Windows Help forum on Dev Shed.
Posts: 18
Time spent in forums: 6 h 38 m 40 sec
Reputation Power: 0
Polymorphism viruses
Hello friends
From this site:
http://www.tcd.ie/ITSecurity/virus/faq.php
Quote:
One method to make a polymorphic virus is to choose among a variety of different encryption schemes requiring different decryption routines: only one of these routines would be plainly visible in any instance of the virus (e.g. the Whale virus). A signature-driven virus scanner would have to exploit several signatures (one for each possible encryption method) to reliably identify a virus of this kind.
The encryption and decryption process of a virus isn't clear to me.
Quote:
A more sophisticated polymorphic virus (e.g. V2P6) will vary the sequence of instructions in its copies by interspersing it with "noise" instructions (e.g. a No Operation instruction, or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g. Subtract A from A, and Move 0 to A). A simple-minded, signature-based virus scanner would not be able to reliably identify this sort of virus; rather, a sophisticated "scanning engine" has to be constructed after thorough research into the particular virus.
Please explain more about this.
It is said about MtE:
Quote:
It comes in the form of an object module.
What does it mean by "object module" here?
It is said about antiviruses:
Quote:
adding more and more search strings to simple scanners will not adequately deal with these viruses.
Can anyone explain more about this, please?
Of course I think this is another nice site about this subject:
Posts: 3,431
Time spent in forums: 4 Weeks 1 Day 21 h 34 m 19 sec
Reputation Power: 160
From the same website you quoted:
Quote:
A polymorphic virus is one that produces varied (yet fully operational) copies of itself, in the hope that virus scanners will not be able to detect all instances of the virus.
One method to evade signature-driven virus scanners is self-encryption with a variable key; however these viruses (e.g. Cascade) are not termed "polymorphic," as their decryption code is always the same and thus can be used as a virus signature even by the simplest, signature- driven virus scanners (unless another virus or program uses the identical decryption routine).
In general, virii/worms are encrypted in order to hide their working from antivirus scanners and security experts. But in order to execute on a system, the virii must be decrypted into normal binary code that can be processed by the target operating system. In the case of 'regular' virii, each copy of the virus will be encrypted by the same encryption process, and hence use the same decryption process. In order to complicate the encryption further, these virii will use different salt values to begin the encryption process of the various copies of itself that it spawns. The thing to note is that the encryption technique, and hence the decryption technique, remains the same.
In the case of a polymorphic virus, the very encryption process varies with each copy made. Thus if I were to find a particular instance of a virus and decrypt it somehow, I would have only figured out one encryption process.... any other instances of the virus will have an entirely different encryption. This makes it easier for such virii to elude pattern/signature memory scans.
A little history...
Quote:
Virus writers understand that their creations won't spread far if antivirus scanners can easily detect them. Early attempts at simple encrypting viruses encrypted the virus's code, but then scanners started detecting the static decryption routine. Virus authors responded by configuring their creations to choose between many different encryption/decryption routines—a behavior known as oligomorphism. The response among antivirus vendors was to introduce a wildcard scan approach to detect oligomorphic viruses.
Virus writers then made their encryption/decryption routines random—or polymorphic. The first polymorphic virus—the Dark Avenger's Mutation Engine (MtE)—debuted in 1992. MtE permitted one virus to have millions of different-looking decryption engines. The release of MtE led to the demise of several antivirus vendors that never discovered a way to reliably detect polymorphic code. The vendors that have survived implemented emulated environments and advanced analysis logic specifically for detecting polymorphic instructions. . . .
OK, your second question is a little harder to explain. Let me try this with the help of an example. Let me say that my task is to change a light bulb. I can, for example: 1) stand up and change the light bulb.
2) But I can also stand up, rub my hands together and then change the light bulb,
3) or I can rub my hands together and then stand up and change the light bulb.
The point I am trying to get across here is that each of these sequences of steps has the same outcome (bulb changed), but yet they differ. Hence, in computing terms, what virii do is insert operations which have no consequence on the outcome (no-ops: me rubbing my hands has no effect on changing a bulb), at random, in the encryption process. The virus will probably have a list of such no-ops and the locations at which they can be safely inserted. The selection of these no-ops at random for insertion at various points changes the memory signature of the virii, hence to an AV scanner each process looks fundamentally different. Detection now becomes difficult.
Another technique is to use different paths to achieve the same goal, but each operation has weight. To give an example: to go from New York to Paris I could fly via London, or via Dublin. The goal is the same but the path is different.
I think if you have understood what I have been trying to explain, you will understand this line now, which refers to the drawbacks of current AV software scanning techniques.
Quote:
adding more and more search strings to simple scanners will not adequately deal with these viruses.
Since polymorphic virii have different memory patterns for each instance/copy, searching for a particular bit/character string is an ineffective way of detection.
Now this question:
Quote:
It comes in the form of an object module.
.... this is a very very vague question. You have to understand basic object-oriented programming for this. I think if you Google this with key words like "Object Oriented Programming concepts" you might find the topics you are looking for.
__________________
Nigel
..Seeking code free nirvana... Nigel Fernandes Blog
Never argue with fools. They will bring you down to their level and beat you with experience.
Manchester United Forever
Last edited by oneMSBi : July 4th, 2005 at 01:32 AM.
Posts: 18
Time spent in forums: 6 h 38 m 40 sec
Reputation Power: 0
Happy birthday to you
Hello
Happy birthday to you
Quote:
OK, your second question is a little harder to explain. Let me try this with the help of an example. Let me say that my task is to change a light bulb. I can, for example: 1) stand up and change the light bulb. 2) But I can also stand up, rub my hands together and then change the light bulb, 3) or I can rub my hands together and then stand up and change the light bulb. The point I am trying to get across here is that each of these sequences of steps has the same outcome (bulb changed), but yet they differ. Hence, in computing terms, what virii do is insert operations which have no consequence on the outcome (no-ops: me rubbing my hands has no effect on changing a bulb), at random, in the encryption process. The virus will probably have a list of such no-ops and the locations at which they can be safely inserted. The selection of these no-ops at random for insertion at various points changes the memory signature of the virii, hence to an AV scanner each process looks fundamentally different. Detection now becomes difficult. Another technique is to use different paths to achieve the same goal, but each operation has weight. To give an example: to go from New York to Paris I could fly via London, or via Dublin. The goal is the same but the path is different.
Posts: 3,431
Time spent in forums: 4 Weeks 1 Day 21 h 34 m 19 sec
Reputation Power: 160
Quote:
Originally Posted by abalfazl
Hello
Happy birthday to you
May you explain this by some programming?
Thanks for your answer
hehe.. thanks for the wishes. OK, code.. umm.. I can give you some high-level C code.. but in truth, such things are normally done at the assembly level,.. since it's just to explain the concept... no probs.. but this is beginning to sound like a homework question to me...
OK, code to explain the use of no-ops:
See the following code: it will print hello world on the screen, but the composition of the string is pseudo-randomly chosen. It has no bearing on the outcome of the program, but it does alter the memory map of the code. If you replace the random array I have created with a pointer to, say, any text file on the hard disk.. the possible memory maps are endless.
This is a very very simplistic example and only to explain the use of ops that will have no bearing on the program. In actuality.. we would work at the assembly level, and you would probably just place a garbage value in an unused register, or simply OR two registers and store the result in an unused register.
To explain the method of using various paths to the same goal.. I would have to craft a more complicated example and I don't have the time for this.. but maybe someone else would be willing to stop by and help out.
If you need help understanding such concepts then I think you are better off seeking help in the beginners programming forum here at devshed.
Posts: 3,431
Time spent in forums: 4 Weeks 1 Day 21 h 34 m 19 sec
Reputation Power: 160
It seems I am doing your homework for you .....
That's exactly it. The whole concept of polymorphic virii arose to defeat conventional AV scanners. The way to beat them would be to develop much more sophisticated "scanning engines" which use heuristic/emulation techniques and AI to detect the presence of virii. Try a Google on polymorphic virii and detection and see what turns up.
Quote:
Polymorphic viruses were created with the explicit intent of being able to adapt and reproduce in ways other than simple cloning. These viruses contain a form of artificial intelligence. A good analogy for a polymorphic virus would be a chameleon. The chameleon is able to change its outward appearance but not the fact that it is a chameleon.
The virus engine can combine basic pattern matching techniques with heuristics - a technique using general rather than specific rules - to detect several viruses in the same family, even though researchers might have analyzed only one virus in that family. The technique allows a single description to be created which will catch several variants of one virus. Researchers temper heuristics with other methods, minimizing the incidence of false positives.
Emulation is a technique applied by the virus engine to polymorphic viruses. The emulator in the virus detection engine is used on DOS and Windows executables, while polymorphic macro viruses are found by detection code written in what are generally proprietary Virus Description Languages (depending on the AV software vendor).
Since Polymorphic viruses are encrypted viruses which modify themselves in an effort to hide themselves, there is no visible constant virus code and the virus encrypts itself differently each time it spreads. BUT When it runs, it decrypts itself. It is the output of this decryption which is the real virus code and it is this which is detected by the virus detection engine after running in the emulator.
Executables sent to the engine for scanning are run inside the emulator, which tracks the decryption of the virus body as it is written to memory. Normally the virus entry point sits at the front end of a file and is the first thing to run. In most cases, only a small amount of the virus body has to be decrypted in order for the virus to be recognized. Most clean executables stop emulating after only a few instructions, which reduces overheads.
Because the emulator runs in a restricted area, if the code does turn out to be a virus, it does not infect the computer.
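The two points this thread makes, that noise instructions and reordering defeat string matching (Nigel's light-bulb explanation earlier) and that an emulator recovers the decrypted body so one signature suffices (the quote just above), can be shown on a toy machine. The block below is an added example, not code from the thread, the quoted sites, or any AV product: the instruction set, the register names, the "virus body" bytes and the three decryptor listings are all constructed for it.

```python
"""Constructed example, not code from the thread: a toy register machine runs three
self-decrypting samples to show why a fixed signature, and even a wildcard signature
that ignores noise and register choice, misses variants, while emulation catches all."""
import re

MEM_SIZE = 32
BODY_ADDR = 16          # constructed: each sample keeps its encrypted body here
BODY = b"PAYLOAD!"      # constructed plaintext "virus body"; the only stable string

# Variant A: a plain XOR decryptor loop, key 90.
DEC_A = """
mov r1, 16
mov r2, 8
mov r3, 90
loop:
ldb r0, [r1]
xor r0, r3
stb [r1], r0
add r1, 1
sub r2, 1
jnz r2, loop
"""
# Variant B: same loop, key 60, noise (a nop, a dead write to r7), other registers.
DEC_B = """
mov r5, 16
mov r6, 8
mov r7, 99
mov r3, 30
add r3, 30
loop:
ldb r4, [r5]
nop
xor r4, r3
stb [r5], r4
add r5, 1
sub r6, 1
jnz r6, loop
"""
# Variant C: key 119, and the two independent loop-maintenance instructions swapped.
DEC_C = """
mov r1, 16
mov r2, 8
mov r3, 119
loop:
ldb r0, [r1]
xor r0, r3
stb [r1], r0
sub r2, 1
add r1, 1
jnz r2, loop
"""
# Signature a scanner could learn from variant A: the decryptor loop as literal text.
FIXED_SIG = "ldb r0, [r1]\nxor r0, r3\nstb [r1], r0\nadd r1, 1\nsub r2, 1"

def normalize(lines):                # wildcard view: drop labels and nops, blank registers
    kept = [l.strip() for l in lines if l.strip() and not l.strip().endswith(":")]
    return "\n".join(re.sub(r"r\d", "r?", l) for l in kept if l != "nop")

WILDCARD_SIG = normalize(FIXED_SIG.splitlines())

def make_sample(listing, key):       # (code lines, memory image with BODY XOR-encrypted)
    mem = bytearray(MEM_SIZE)
    mem[BODY_ADDR:BODY_ADDR + len(BODY)] = bytes(b ^ key for b in BODY)
    return [l.strip() for l in listing.strip().splitlines()], mem

def emulate(code, mem, budget=200):
    """Run code on a sandboxed toy CPU for at most budget steps; return its memory."""
    regs, pc = [0] * 8, 0
    labels = {l[:-1]: i for i, l in enumerate(code) if l.endswith(":")}
    R = lambda s: int(s.strip("[]r"))       # "r3" or "[r3]" -> 3
    while pc < len(code) and budget > 0:
        budget -= 1
        op, *a = re.split(r"[ ,]+", code[pc])
        pc += 1
        if op.endswith(":") or op == "nop":  # labels and noise instructions do nothing
            continue
        if op == "jnz":
            pc = labels[a[1]] if regs[R(a[0])] else pc
        elif op == "ldb":
            regs[R(a[0])] = mem[regs[R(a[1])] % MEM_SIZE]
        elif op == "stb":
            mem[regs[R(a[0])] % MEM_SIZE] = regs[R(a[1])]
        else:                                # mov/add/sub take an immediate, xor a register
            d, v = R(a[0]), (regs[R(a[1])] if op == "xor" else int(a[1]))
            regs[d] = {"mov": v, "add": regs[d] + v, "sub": regs[d] - v,
                       "xor": regs[d] ^ v}[op] & 0xFF
    return mem

def fixed_scan(code, mem):           # simple scanner: fixed strings only, nothing executed
    return FIXED_SIG in "\n".join(code) or BODY in bytes(mem)

def wildcard_scan(code, mem):        # ignore noise instructions and register choice
    return WILDCARD_SIG in normalize(code) or BODY in bytes(mem)

def emulation_scan(code, mem):       # run the decryptor, then scan the memory it wrote
    return BODY in bytes(emulate(code, bytearray(mem)))

def results():                       # variant name -> (fixed, wildcard, emulation) verdicts
    samples = {"A": make_sample(DEC_A, 90), "B": make_sample(DEC_B, 60),
               "C": make_sample(DEC_C, 119)}
    return {n: (fixed_scan(c, m), wildcard_scan(c, m), emulation_scan(c, m))
            for n, (c, m) in samples.items()}

if __name__ == "__main__":
    for n, (fixed, wild, emu) in results().items():
        print(f"variant {n}: fixed={fixed} wildcard={wild} emulation={emu}")
```

Running it prints one verdict line per variant: the fixed signature catches only A; the wildcard signature, the response to oligomorphic viruses in the history quote, also catches B, whose only changes are noise and register choice; and only emulation catches C, whose instruction order differs. It also makes the "adding more search strings" problem concrete: every new key or ordering is a new string for the simple scanner, while the emulator needs just the one body signature, because the body must be written to memory in the clear before it can run.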