The Evolution of Virus Encryption
Understand the dangerous evolution of virus code from oligomorphic to polymorphic.
January 12, 2003
Virus writers understand that their creations won't spread far if antivirus scanners can easily detect them. Early encrypting viruses encrypted the virus body, but scanners soon learned to detect the static decryption routine that had to stay in plaintext. Virus authors responded by configuring their creations to choose between many different encryption/decryption routines—a behavior known as oligomorphism. Antivirus vendors answered with wildcard scanning, in which a signature fixes the bytes common to all of a virus's decryptors and leaves the varying bytes (keys, registers, offsets) as wildcards.
Virus writers then made their encryption/decryption routines random—or polymorphic. The first polymorphic virus—the Dark Avenger's Mutation Engine (MtE)—debuted in 1992. MtE permitted one virus to have millions of different-looking decryption engines. The release of MtE led to the demise of several antivirus vendors that never discovered a way to reliably detect polymorphic code. The vendors that have survived implemented emulated environments and advanced analysis logic specifically for detecting polymorphic instructions.
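The two detection approaches named above, exact and wildcard signatures versus emulation, can be seen side by side on a toy. The following Python is an added example written for this page, not code from the original article or from any antivirus product. It defines a constructed three-opcode "decryptor bytecode" (SETKEY, XORDEC, JMPBODY, plus NOP padding), builds sample files whose decryptor varies the way the article describes, and runs three detectors over them: an exact byte signature, a wildcard signature, and a bounded emulator that executes the stub and scans the decrypted body. The marker string, opcode values and sample layout are all invented for the demonstration.

```python
import re

# Constructed plaintext "body" and the signature a scanner would look for in it.
# This is only a marker string; it is not code of any kind.
BODY_PLAINTEXT = b"TOYVIRUS-BODY-MARKER"
BODY_SIGNATURE = b"TOYVIRUS"

# Toy bytecode for the decryptor stub (invented for this example).
OP_NOP, OP_SETKEY, OP_XORDEC, OP_JMPBODY = 0x90, 0x10, 0x20, 0x30


def build_sample(key, nops_before=0, nops_between=0):
    """Assemble a constructed test sample: decryptor stub + XOR-encrypted body.

    Varying `key` alone models an oligomorphic decryptor (same layout, different
    operand bytes); inserting NOPs models a decryptor whose layout also changes.
    """
    stub = bytes([OP_NOP]) * nops_before
    stub += bytes([OP_SETKEY, key])
    stub += bytes([OP_NOP]) * nops_between
    body_off = len(stub) + 3 + 1          # XORDEC (3 bytes) + JMPBODY (1 byte)
    stub += bytes([OP_XORDEC, body_off, len(BODY_PLAINTEXT)])
    stub += bytes([OP_JMPBODY])
    assert len(stub) == body_off
    return stub + bytes(b ^ key for b in BODY_PLAINTEXT)


def static_scan(sample, signature):
    """Exact byte-sequence signature: the first-generation approach."""
    return signature in sample


def wildcard_compile(pattern):
    """Compile 'A1 ?? B2' style text into a bytes regex; '??' matches any byte."""
    parts = pattern.split()
    rx = b"".join(b"." if p == "??" else re.escape(bytes([int(p, 16)]))
                  for p in parts)
    return re.compile(rx, re.DOTALL)


def wildcard_scan(sample, pattern):
    """Wildcard signature: fixed opcodes, free operands (key, offset, length)."""
    return wildcard_compile(pattern).search(sample) is not None


def emulate(sample, max_steps=64):
    """Interpret the toy stub over a copy of the sample and return memory
    when the stub jumps to its body. The step budget is essential: a real
    emulator must never let the sample run unbounded."""
    mem = bytearray(sample)
    pc, key = 0, 0
    for _ in range(max_steps):
        op = mem[pc]
        if op == OP_NOP:
            pc += 1
        elif op == OP_SETKEY:
            key = mem[pc + 1]
            pc += 2
        elif op == OP_XORDEC:
            off, length = mem[pc + 1], mem[pc + 2]
            for i in range(off, off + length):
                mem[i] ^= key
            pc += 3
        elif op == OP_JMPBODY:
            return bytes(mem)
        else:
            raise ValueError("unknown opcode 0x%02x at %d" % (op, pc))
    raise ValueError("step budget exhausted")


def emulated_scan(sample, signature):
    """Emulation-based detection: run the decryptor, then scan the plaintext."""
    try:
        return signature in emulate(sample)
    except ValueError:
        return False


# Constructed variants: A is the reference, B changes only the key,
# C also inserts padding between instructions.
SAMPLE_A = build_sample(0x5A)
SAMPLE_B = build_sample(0xC3)
SAMPLE_C = build_sample(0x77, nops_between=2)
STATIC_SIG = SAMPLE_A[:6]                 # exact bytes of A's decryptor stub
WILDCARD_SIG = "10 ?? 20 ?? ?? 30"        # SETKEY k, XORDEC off len, JMPBODY


def detection_matrix():
    """Which detector catches which variant."""
    samples = {"A": SAMPLE_A, "B": SAMPLE_B, "C": SAMPLE_C}
    return {
        name: {
            "static": static_scan(s, STATIC_SIG),
            "wildcard": wildcard_scan(s, WILDCARD_SIG),
            "emulated": emulated_scan(s, BODY_SIGNATURE),
        }
        for name, s in samples.items()
    }


if __name__ == "__main__":
    for name, row in detection_matrix().items():
        print(name, row)
```

Variant B defeats the exact signature because one operand byte changed, which is exactly what wildcards were introduced to absorb; variant C defeats the wildcard as well because the instruction layout changed, and only the emulator, which does not care what the stub looks like as long as it produces the body, still detects it. The step budget in `emulate` is the caveat a practitioner would want: emulation-based scanning trades signature brittleness for CPU time and must bound how long any sample is allowed to run.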
The next generation of randomly encrypting code was called metamorphism. Metamorphic viruses can change their own code on the fly. They exchange instructions randomly through the virus and host body, pick up random "garbage" instructions, change their location in the host's body, and in some cases can appear to be a completely different virus from the parent infection. Only a great scanning engine, supported by advanced antivirus research, can detect metamorphic code. A very real risk is that polymorphic and metamorphic code will eventually advance to the point at which virus scanners won't be able to reliably detect malicious software.