Some time ago I finished a book about computer viruses and anti-viruses. This short article is just a summary of my notes. Moreover, it is a translation from Russian into English (the book is in Russian). I had a lot of fun. Great work by the author, thanks a lot for it. (Климентьев К.Е. “Компьютерные вирусы и антивирусы: взгляд программиста” [K. E. Klimentyev, “Computer Viruses and Antiviruses: A Programmer’s View”] – link to order).
I would like to talk about common technologies used in some viruses, such as Win32.Zmist and Win32.MetaPHOR. I am not a malware guy and don’t want to describe all the internals, but just to restate some concepts of those two from the book and other sources, because other viruses just reuse the approaches of those two. Look:
- RPME – Real Permutation Engine
- UEP – Unknown Entry Point (same as EPO): this method inserts the first instructions of the virus (its entry point) in the middle of the original program.
- ETG – Executable Trash Generator: this method generates junk instructions to hide the real instructions of the virus inside a program.
- MistFall – mixing the code of the program and the virus
- disassembler – creates a disassembly listing of a program.
Let’s explore some principles.
The first known encrypted computer virus, Cascade, appeared in 1987. Encrypted malware commonly consists of two sections: the main body and the decryption routine. The decryptor is responsible for encrypting and decrypting the main body of the virus; until it has run, the main body is meaningless and useless. Encryption of code can be carried out in different ways, one of them being a sequential transformation of the bytes. So virus scanners cannot find a signature of the virus body, but it is still possible to identify a signature of the decrypting part, the decryptor.
An oligomorphic virus is also called semi-polymorphic. It was an attempt to give the decryptor loop of an encrypted virus a different appearance in each new infection. Oligomorphism is an advanced form of encryption: the virus carries a collection of different decryptors, one of which is randomly selected for each victim, so the decryptor code is not identical across instances. The first known oligomorphic virus was Whale, a DOS virus that appeared in 1990.
A polymorphic engine is a program that transforms another program into a new version consisting of different code that still has the same functionality. For example, 3+1 and 6-2 both give the same result, yet use completely different code. Polymorphic code uses such an engine to mutate while keeping the original algorithm intact. The first polymorphic virus, 1260, a virus of the Chameleon family that appeared in 1990, was developed by Mark Washburn.
In 1990 Dark Avenger created the mutation engine MtE, and many implementations followed: SMEG, TPE, DAME, LAME, etc.
The difference between oligomorphism and polymorphism is that the latter uses a permutation engine to produce new forms of the decryptor (in theory an unlimited number), while the former just randomly selects a decryptor for the new victim from a finite list of decryptors.
Metamorphic code is code that automatically rewrites itself each time it propagates. This approach uses control-flow transposition, instruction substitution, identifier renaming, etc. Each new copy may have a different structure, code sequence, size and syntactic properties, but the behavior of the virus does not change. The first known metamorphic virus for DOS was ACG, in 1998, and the first attempt at a 32-bit metamorphic virus targeting Portable Executable files was W32.Apparition, which spread in 2000.
Unlike the three previous camouflage generations, a metamorphic virus has no encrypted part, so it does not need a decryptor. Like a polymorphic virus, it employs a mutation engine, but instead of modifying only the decryptor loop, it mutates its whole body.
If you really want more information, just buy the book. Some of it may not be relevant to the real world any more, but these are the fundamentals and the history of how malware technologies have evolved since the 90s. You can also read the presentation from the BHUSA (Black Hat USA) conference about it. Do not be surprised that this topic is not new.
Just five components are needed to create a piece of malware. Malicious software actively exploits vulnerabilities in systems or services. All systems have their own weaknesses (do you remember the Morris worm?), and an attack-prevention mechanism such as an antivirus cannot protect you from an advanced virus that exploits its flaws.
Disclaimer: this is not a guide to writing your own malware. It is not a Wikipedia page or another resource describing the malware development process. This publication does not provide comprehensive information on the topic. It does not encourage doing things that are illegal in your country.
One thing that I really liked in this book was the review of mathematical models. I present only a short list:
- Cohen’s model
- Adleman’s model
- “French” model
- Z. Zuo and M. Zhou model
- Vector space model by D. Zegzda (Д. Зегжда)
The author also describes models of the epidemic spread of viruses:
- SI – exponential epidemic
- SIS – primitive defense mechanism
- SIR – advanced defense mechanism
Some of them look interesting to implement. Sadly, I currently don’t have enough time for that. Maybe later I’ll try to please you.
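As an added example that is not from the book or the original post, here is a discrete-time simulation of the three epidemic models listed above, with constructed parameters: SI has no defense, SIS cleans infected hosts but leaves them susceptible again, and SIR cleans them and leaves them immune. The population size, rates and step count are assumptions chosen for illustration, not values from the book.

```python
"""Discrete-time SI / SIS / SIR simulation of virus spread (constructed parameters)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    n: int = 10_000      # hosts in the population (constructed value)
    i0: int = 10         # hosts infected when the outbreak starts
    beta: float = 0.5    # infection rate: fraction of contacts per step that transmit
    gamma: float = 0.2   # disinfection rate: fraction of infected hosts cleaned per step
    steps: int = 200     # simulation length in time steps


def basic_reproduction_number(p: Params) -> float:
    """R0 = beta / gamma: hosts one infected host infects before it is cleaned.
    Below 1 an SIS or SIR outbreak dies out; SI has no cleaning, so R0 is unbounded."""
    return p.beta / p.gamma


def simulate(model: str, p: Params) -> list[tuple[float, float, float]]:
    """Return (susceptible, infected, recovered) after each step.

    SI  : no defense, infected hosts stay infected (exponential, then saturating growth).
    SIS : "primitive" defense, cleaned hosts gain no immunity and can be reinfected.
    SIR : "advanced" defense, cleaned hosts become immune (patched / signature deployed).
    """
    if model not in ("SI", "SIS", "SIR"):
        raise ValueError(f"unknown model {model!r}")
    s, i, r = float(p.n - p.i0), float(p.i0), 0.0
    history = [(s, i, r)]
    for _ in range(p.steps):
        new_infections = p.beta * s * i / p.n            # mass-action contact term
        cleaned = 0.0 if model == "SI" else p.gamma * i   # SI has no recovery path
        s = s - new_infections + (cleaned if model == "SIS" else 0.0)
        i = i + new_infections - cleaned
        r = r + (cleaned if model == "SIR" else 0.0)
        history.append((s, i, r))
    return history


def peak_infected(history: list[tuple[float, float, float]]) -> float:
    return max(i for _, i, _ in history)


def final_state(history: list[tuple[float, float, float]]) -> tuple[float, float, float]:
    return history[-1]


if __name__ == "__main__":
    p = Params()
    print(f"R0 = {basic_reproduction_number(p):.2f}")
    for model in ("SI", "SIS", "SIR"):
        h = simulate(model, p)
        s, i, r = final_state(h)
        print(f"{model:3}: peak infected {peak_infected(h):8.1f}  final S/I/R {s:8.1f} {i:8.1f} {r:8.1f}")
```

With these parameters SI infects the whole population, SIS settles at an endemic level of n(1 - gamma/beta) infected hosts, and SIR burns out once enough hosts are immune; lowering R0 below 1 (gamma above beta) makes SIS and SIR die out.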
I’ve tried to write an article in English. Sorry guys if it is not a pearl of English literature. It’s just a short essay.
Maybe with your help my next article will be better. Just give me some feedback.
Thanks a lot for reading this (write your comments if you really want to help). Bye.
And again, I really recommend reading the book, especially for non-experts in malware research.
Sorry, but the book is only in Russian.