Polymorphism

The term "polymorphism" (about Greek "mnogoformennost") in relation to computer viruses appeared approximately in 1990. Since then the polymorphism in viruses went through a set of stages of the development: from the simplest byte-by-byte xor-enciphering to the most difficult metamorphs using the most difficult algorithms, including cryptographic.

The polymorphism of a virus consists in formation of the code of a virus "on the fly" - already during execution, at the same time the procedure creating the code also can be non-constant and change at each new infection. Thus, it is possible to say that polymorphic viruses have capability completely to change itself at each new infection, forming variety of samples of the same virus.

Polymorphic viruses

Polymorphic viruse - the virus undertaking special measures for difficulty of the detection and the analysis. Has no signatures, i.e., does not contain any permanent code location. In most cases two samples of the same virus-polimorfika will not have any coincidence. It is reached due to enciphering of the main virus body and significant modification from the copy to the copy of the module-rasshifrovshchika.

Each copy of a polymorphic viruse is ciphered by the key. For enciphering of the code of a polymorphic viruse random keys and encryption algorithms can be used.

For detection of polymorphic viruses the detection algorithms which are specially developed for each polymorphic viruse are, as a rule, used.

Polymorphism levels

In classification of CARO polymorphic viruses depending on their complexity separate into several levels.

Level 1. Viruses of the first level of polymorphism use permanent values for different rasshifrovshchik. They can be detected on some permanent code locations of a rasshifrovshchik. It is accepted to call such viruses "not absolutely polymorphic", or oligomorphic (oligomorphic).

Level 2. Carry viruses which rasshifrovshchik has a constant one or several instructions to the second level of polymorphism. For example, he can use different registers, some alternative instructions in a rasshifrovshchik. Such viruses can also be recognized on a certain signature - to the set combinations of bytes in a rasshifrovshchik.

Level 3. The viruses which are using in a rasshifrovshchik of a command, not participating in deciphering of the virus code, or "command garbage" carry to the third level of polymorphism. These are such commands of the assembler as NOP, MOV AX, AX, STI, CLD, CLI, etc. These viruses can also be defined by some signature if to make elimination of all "garbage" commands.

Level 4. Viruses of the fourth level use in a rasshifrovshchik interchangeable instructions and the "mixed" instructions without change of an algorithm of deciphering. For example, the assembly command MOV AX, BX has interchangeable instructions: PUSH BX are POP AX; XCHG AX,BX; MOV CX,BX are MOV AX, CX, etc. Detecting of these viruses is possible using some touched signature.

Level 5. The fifth level of polymorphism includes properties of all listed levels, but also, the rasshifrovshchik can use different algorithms of deciphering of the virus code. For interpretation use of the master virus code, interpretation of a part of the dekriptor or several rasshifrovshchik in turn decrypting each other or directly virus code is possible. As a rule, virus detection of this level of polymorphism using a signature is impossible. If for detection of such virus the serious analysis of the code only of the rasshifrovshchik is possible, then it is necessary to make partial or complete interpretation of a virus body for treatment to take information on the infected file.

Level 6. Not encoded viruses - i.e. the viruses consisting of program units parts which "mix up" in a virus body belong to it. These viruses as "cubes", shuffle the subprogrammes (installations, infections, the processor of interruption, the analysis of the file, etc.). Such viruses still are called permutiruyushchy (permutating).

History

"Chameleon" at the beginning of 1990 became the first representative of polymorphic viruses, however the problem became more serious a bit later – in April, 1991 epidemic of "Tequila" was registered. The idea of polymorphic viruses became so popular that reached creation of generators of polymorphic virus codes – MtE became the first. Besides, the generator allowed to receive a polymorphic viruse from normal – by accession to the OBJ file of a virus of the file of the polymorphic code with identical expansion.

Actually, with the advent of generators for creation of a polymorphic viruse it was not required to know the code of an original virus – it was rather simple "feed" it to the generator, and that did all work for the beginning hacker. Afterwards polymorphic viruses became extremely popular as for their catching special mathematical algorithms of recovery of the source code of a virus, emulation performed by a virus of actions and other difficulties are required.

Generators of polymorphic viruses were also improved – in the mid-nineties it were MTE 0.90 (Mutation Engine), TPE (Trident Polymorphic Engine), four versions of NED (Nuke Encryption Device) and DAME (Dark Angel's Multiple Encryptor).

Polymorphic viruses actively developed approximately before the beginning of the 21st century, however then there was the general roll of a virusopisatelstvo towards worms and trojans. The technology of a permanent mutation of the code for detection difficulty by an anti-virus software temporarily was unclaimed.

However since about 2003 the polymorphism starts drawing attention of virus community over again. It was caused by the fact that an anti-virus software was more and more improved, and it became impossible already to use different programs-pakovshchiki which were at that time a favourite child of virus writers as instruments of concealment of the code.

See Also

• Trojan programs
• Classical file infectors
• Malware
• Rootkits

Links

• Test results of antiviruses on detection of modern polymorphic viruses
• Modern information threats, the II quarter 2006
• From history of computer viruses
• Polymorphic viruse
• Viruses, doctors and all - all all...