This article is from the Computer Viruses FAQ, by Nick FitzGerald n.fitzgerald@csc.canterbury.ac.nz with numerous contributions by others.
A POLYMORPHIC virus is one that produces varied but operational copies
of itself. Such variation is employed in the hope that virus scanners
(see D1) will not be able to detect all instances of the virus.
One method of evading scan string-driven virus detectors is self-
encryption with a variable key. These viruses (e.g. Cascade) are not
termed "polymorphic", as their decryption code is always the same.
Therefore the decryptor can be used as a scan string by the simplest
scan string-driven virus scanners (unless another virus uses the
identical decryption routine *and* exact identification (see B15) is
required).
A technique for making a polymorphic virus is to choose among a variety
of different encryption schemes requiring different decryption routines:
only one of these routines would be plainly visible in any instance of
the virus (e.g. the Whale virus). A scan string-driven virus scanner
would have to exploit several scan strings (one for each possible
decryption method) to reliably identify a virus of this kind.
More sophisticated polymorphic viruses (e.g. V2P6) vary the sequences of
instructions in their variants by interspersing the decryption
instructions with "noise" instructions (e.g. a No Operation instruction
or an instruction to load a currently unused register with an arbitrary
value), by interchanging mutually independent instructions, or even by
using various instruction sequences with identical net effects (e.g.
Subtract A from A, and Move 0 to A). A simple-minded, scan string-based
virus scanner would not be able to reliably identify all variants of
this sort of virus; rather, a sophisticated "scanning engine" has to be
constructed after thorough research into the particular virus.
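As an added illustration (not code from the FAQ, and not any real virus or
scanner), the following Python models both the fixed-decryptor, variable-key
case described above (Cascade) and the three polymorphic tricks just listed
(noise instructions, interchanging independent instructions, equivalent
instruction sequences). It assumes a made-up four-register machine, a
constructed stand-in for the virus body, and deliberately simple mutations.
One "scanner" matches a scan string with the key and length wildcarded; the
other emulates the decryptor and then scans the decrypted buffer, which is
one way such a "scanning engine" can be built.

```python
"""Toy polymorphic-decryptor demo: a fixed scan string vs. an emulating engine.

Added example, not from the FAQ. All of it is constructed: a made-up
four-register machine (not x86), a made-up "virus body" string, toy mutations.
"""
import random

BODY = b"CONSTRUCTED-TOY-VIRUS-BODY"   # stand-in for the constant virus body
REGS = ("A", "B", "C", "D")            # D is never read by the decryptor


def canonical_decryptor(length, key):
    """The unmutated decryptor: XOR `length` data bytes with the 1-byte `key`."""
    return [
        ("MOV", "C", length),      # C = byte counter
        ("MOV", "B", 0),           # B = pointer into the encrypted body
        ("LABEL", "loop", None),
        ("XORM", "B", key),        # data[B] ^= key
        ("INC", "B", None),
        ("DEC", "C", None),        # clears/sets the zero flag
        ("JNZ", "loop", None),
    ]


def mutate(code, rng):
    """Same net effect, different instruction stream (the FAQ's three tricks)."""
    code = list(code)
    if rng.random() < 0.5:                     # 1. swap independent set-up MOVs
        code[0], code[1] = code[1], code[0]
    out = []                                   # 2. equivalent sequences:
    for op, x, y in code:                      #    MOV r,n -> SUB r,r [; ADD r,n]
        if op == "MOV" and rng.random() < 0.7:
            out.append(("SUB", x, x))
            if y != 0:
                out.append(("ADD", x, y))
        else:
            out.append((op, x, y))
    forced = rng.randrange(1, len(out))        # 3. noise, at least one inside
    noisy = []
    for i, ins in enumerate(out):
        if i == forced or rng.random() < 0.4:
            noisy.append(rng.choice([("NOP", None, None),
                                     ("MOV", "D", rng.randrange(256))]))
        noisy.append(ins)
    return noisy


def make_sample(rng, polymorphic):
    """One infected 'file': decryptor plus the body encrypted under a fresh key."""
    key = rng.randrange(1, 256)
    code = canonical_decryptor(len(BODY), key)
    if polymorphic:
        code = mutate(code, rng)
    return code, bytes(b ^ key for b in BODY)


def emulate(code, data, max_steps=5000):
    """Run `code` on the toy machine over a copy of `data`; return the result."""
    regs = dict.fromkeys(REGS, 0)
    labels = {x: i for i, (op, x, _) in enumerate(code) if op == "LABEL"}
    mem = bytearray(data)
    pc, zf, steps = 0, False, 0
    while pc < len(code) and steps < max_steps:   # bounded: never trust a loop
        op, x, y = code[pc]
        steps += 1
        if op == "MOV":
            regs[x] = y
        elif op == "SUB":                         # SUB x, y (y is a register)
            regs[x] = (regs[x] - regs[y]) & 0xFFFF
            zf = regs[x] == 0
        elif op in ("ADD", "INC", "DEC"):         # ADD x, imm / INC x / DEC x
            regs[x] = (regs[x] + {"ADD": y, "INC": 1, "DEC": -1}[op]) & 0xFFFF
            zf = regs[x] == 0
        elif op == "XORM" and regs[x] < len(mem):
            mem[regs[x]] ^= y
        elif op == "JNZ" and not zf:
            pc = labels[x]
            continue
        pc += 1                                   # NOP, LABEL, not-taken JNZ
    return bytes(mem)


# Scan string: the canonical decryptor's skeleton with key/length wildcarded,
# which is enough for a Cascade-style virus whose decryptor never changes.
SCAN_STRING = tuple((op, x) for op, x, _ in canonical_decryptor(0, 0))


def scan_string_detect(code):
    skel = [(op, x) for op, x, _ in code]
    n = len(SCAN_STRING)
    return any(tuple(skel[i:i + n]) == SCAN_STRING for i in range(len(skel) - n + 1))


def emulating_detect(code, data):
    """Decrypt by emulation, then look for the now-constant body."""
    return BODY in emulate(code, data)


def run_demo(seed=1, per_kind=10):
    """Return (polymorphic, scan_string_hit, emulation_hit) per sample."""
    rng = random.Random(seed)
    results = []
    for polymorphic in (False, True):
        for _ in range(per_kind):
            code, data = make_sample(rng, polymorphic)
            results.append((polymorphic, scan_string_detect(code),
                            emulating_detect(code, data)))
    return results


if __name__ == "__main__":
    for poly, hit_ss, hit_em in run_demo():
        kind = "polymorphic" if poly else "fixed-decryptor"
        print(f"{kind:16} scan-string={hit_ss!s:5} emulation={hit_em}")
```

Running it shows the fixed-decryptor samples caught by both detectors and
every mutated sample caught only by emulation. Two caveats carry over to real
engines: the emulation must be bounded (here `max_steps`), since a decryptor
may loop for a long time or deliberately stall an emulator, and the toy
mutations are far weaker than what the Mutation Engine discussed below
produces, so the work of building the engine still follows the per-virus
research the FAQ describes.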
One of the most sophisticated forms of polymorphism used so far is the
"Mutation Engine" (MtE) which comes in the form of an object module.
With the Mutation Engine any virus can be made polymorphic by adding
certain calls to its assembler source code and linking to the mutation-
engine and random-number generator modules.
The advent of polymorphic viruses has rendered virus-scanning an ever
more difficult and expensive endeavor; adding more and more scan strings
to simple scanners will not adequately deal with these viruses.