Self-modification (Computer virus)









Self-modification

Most modern antivirus programs try to find virus patterns inside ordinary programs by scanning them for so-called virus signatures. Unfortunately, the term is misleading, in that viruses do not possess unique signatures in the way that human beings do. Such a virus "signature" is merely a sequence of bytes that an antivirus program looks for because it is known to be part of the virus. A better term would be "search strings". Different antivirus programs employ different search strings, and indeed different search methods, when identifying viruses. If a virus scanner finds such a pattern in a file, it will perform other checks to make sure that it has found the virus, and not merely a coincidental sequence in an innocent file, before it notifies the user that the file is infected. The user can then delete, or (in some cases) "clean" or "heal" the infected file. Some viruses employ techniques that make detection by means of signatures difficult but not impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.
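The scanning loop described above, as an added example that is not part of the original article: a small search-string scanner that refuses to report a hit until a second "confirmation" pattern is found nearby, and a self-modified variant that slips past it. Every signature name, byte pattern and sample "file" here is constructed for illustration and is not a real virus signature.

```python
"""Search-string scanning with a confirmation check.

Added example, not code from the original article.  Every byte pattern and
sample "file" below is constructed for illustration; none is a real virus
signature.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str             # hypothetical detection name
    search_string: bytes  # bytes known to be part of the virus body
    confirm: bytes        # second pattern expected shortly after the first
    window: int           # how many bytes after the first hit to look for it


# Constructed definitions; the names and bytes are placeholders.
SIGNATURES = [
    Signature("Example.A", b"\xb8\x00\x4c\xcd\x21", b"*.COM", 64),
    Signature("Example.B", b"\x33\xc0\x8e\xd8\xbe", b"\xcd\x13", 32),
]


def scan(data: bytes) -> list[str]:
    """Return the names of all signatures that match `data`.

    A bare search-string hit is not enough: the confirmation pattern must
    also appear within `window` bytes after it.  This is the 'other checks'
    step that keeps a coincidental byte sequence in an innocent file from
    being reported as an infection.
    """
    hits = []
    for sig in SIGNATURES:
        pos = data.find(sig.search_string)
        while pos != -1:
            start = pos + len(sig.search_string)
            if data.find(sig.confirm, start, start + sig.window) != -1:
                hits.append(sig.name)
                break
            pos = data.find(sig.search_string, pos + 1)
    return hits


# Constructed sample files (not real executables).
CLEAN = b"MZ" + bytes(60) + b"Hello, world\r\n$"
INFECTED = (b"MZ" + bytes(40)
            + b"\xb8\x00\x4c\xcd\x21" + bytes(10) + b"*.COM" + bytes(8))
# Same search string, but no confirmation pattern nearby: a coincidence.
COINCIDENCE = b"MZ" + bytes(40) + b"\xb8\x00\x4c\xcd\x21" + bytes(200)
# A self-modified variant: one extra byte inside the search string is enough
# to break the contiguous byte match, which is why such viruses defeat
# static search strings.
VARIANT = INFECTED.replace(b"\xb8\x00\x4c\xcd\x21", b"\xb8\x00\x4c\x90\xcd\x21")

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("infected", INFECTED),
                          ("coincidence", COINCIDENCE), ("variant", VARIANT)]:
        print(f"{label:12s} -> {scan(sample)}")
```

The confirmation window is the cheap form of the "other checks" a real scanner performs; the variant case is the whole motivation for the techniques in the following sections.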


Encrypted viruses

One method of evading signature detection is to use simple encryption to encipher (encode) the body of the virus, leaving only the encryption module and a static cryptographic key in cleartext, which does not change from one infection to the next. In this case, the virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module, which would (for example) be appended to the end. In this case, a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible. Since these would be symmetric keys, stored on the infected host, it is entirely possible to decrypt the final virus, but this is not required, since self-modifying code is such a rarity that finding some may be reason enough for virus scanners to at least "flag" the file as suspicious. An old but compact way is the use of an arithmetic operation like addition or subtraction and the use of logical conditions such as XORing, where each byte in the virus is XORed with a constant, so that the exclusive-or operation only had to be repeated for decryption. It is suspicious for code to modify itself, so the code that does the encryption/decryption may be part of the signature in many virus definitions. A simpler older approach did not use a key at all: the encryption consisted only of operations with no parameters, like incrementing and decrementing, bitwise rotation, arithmetic negation, and logical NOT. Some viruses employ a means of encryption inside an executable in which the virus is encrypted under certain events, such as the virus scanner being disabled for updates or the computer being rebooted. This is called cryptovirology. At said times, the executable will decrypt the virus and execute its hidden runtimes, infecting the computer and disabling the antivirus software.
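The indirect detection the section describes, as an added example that is not part of the original article: the scanner signatures the constant decrypting module, reads the symmetric key the file carries in cleartext, decrypts the trailing body and confirms it with a plaintext search string. The file layout assumed here ([host][stub][1-byte key][XOR-encrypted body]), the stub bytes, the keys and the body text are all constructed for this illustration and describe no real virus.

```python
"""Detecting an encrypted virus through its constant decryptor and the
key it leaves in cleartext.

Added example, not code from the original article.  The file layout
assumed here ([host][stub][1-byte key][XOR-encrypted body]), the stub bytes,
the keys and the body text are all constructed for illustration; they do
not describe any real virus.
"""
from typing import Optional

# Constructed constant part of the decrypting module.  This is the piece
# that stays identical across infections and therefore can carry a signature.
STUB_MARKER = b"\x8a\x04\x34\xe2"
# Plaintext search string for the (constructed) virus body.
BODY_SEARCH_STRING = b"SAMPLE-BODY-MARKER"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the same operation encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def find_decryptor(data: bytes) -> int:
    """Offset of the constant decryptor stub, or -1.  This is the indirect
    detection: the body changes with the key, the stub does not."""
    return data.find(STUB_MARKER)


def decrypt_and_scan(data: bytes) -> dict:
    """Find the stub, read the stored symmetric key that follows it, decrypt
    the trailing body and confirm it with the plaintext search string."""
    off = find_decryptor(data)
    if off == -1:
        return {"stub": False, "body_confirmed": False, "key": None}
    key_at = off + len(STUB_MARKER)
    key = data[key_at]
    body = xor_bytes(data[key_at + 1:], key)
    return {"stub": True, "body_confirmed": BODY_SEARCH_STRING in body, "key": key}


def brute_force_key(data: bytes) -> Optional[int]:
    """When the key's position is not known, a single-byte XOR has only 256
    possibilities, so a scanner can simply try them all and re-scan."""
    for key in range(256):
        if BODY_SEARCH_STRING in xor_bytes(data, key):
            return key
    return None


def make_sample(key: int, body: bytes) -> bytes:
    """Build a constructed 'infected' file for exercising the scanner."""
    host = b"MZ" + bytes(32)
    return host + STUB_MARKER + bytes([key]) + xor_bytes(body, key)


# Constructed body text standing in for virus code; the same body encrypted
# under two different keys yields two files that share only the stub.
BODY = b"CONSTRUCTED PLACEHOLDER: SAMPLE-BODY-MARKER 0123456789"
SAMPLE_A = make_sample(0x5A, BODY)
SAMPLE_B = make_sample(0x11, BODY)
CLEAN = b"MZ" + bytes(32) + b"just a host program\r\n"
# Stub present but an unknown body: worth flagging as suspicious even though
# no body signature confirms it.
UNKNOWN_BODY = make_sample(0x5A, b"SOMETHING ELSE ENTIRELY")

if __name__ == "__main__":
    for label, sample in [("A", SAMPLE_A), ("B", SAMPLE_B),
                          ("clean", CLEAN), ("unknown", UNKNOWN_BODY)]:
        print(label, decrypt_and_scan(sample), "brute-forced key:",
              brute_force_key(sample))
```

Note that the bodies of the two samples share no bytes at all while the four-byte stub is identical, which is exactly why the stub, not the body, carries the signature; the "stub present, body unconfirmed" result is the case the text says is worth flagging on its own.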


Polymorphic code

Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts which remain identical between infections, making it very difficult to detect directly using signatures. Antivirus software can detect it by decrypting the virus using an emulator, or by statistical pattern analysis of the encrypted virus body. To enable polymorphic code, the virus has to have a polymorphic engine (also called a mutating engine or mutation engine) somewhere in its encrypted body. See polymorphic code for technical detail on how such engines operate.


Some viruses employ polymorphic code in a way that constrains the mutation rate of the virus significantly. For example, a virus can be programmed to mutate only gradually over time, or it can be programmed to refrain from mutating when it infects a file on a computer that already contains copies of the virus. The advantage of using such slow polymorphic code is that it makes it more difficult for antivirus professionals and investigators to obtain representative samples of the virus, because bait files that are infected in one run will typically contain identical or similar samples of the virus. This makes detection by the virus scanner more unreliable, and some instances of the virus may be able to avoid detection.
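The "statistical pattern analysis of the encrypted virus body" mentioned above, as an added example that is not part of the original article: a sliding-window byte-entropy scan that flags a region whose distribution looks like ciphertext, followed by the caveat that the constant-key XOR scheme from the Encrypted viruses section leaves the histogram untouched and so needs the stub signature or a decryption pass instead. The sample regions are constructed (SHA-256 output stands in for ciphertext, repeated assembler-like text for ordinary code), and the 512-byte window and 7.0-bit threshold are assumptions chosen for this example.

```python
"""Statistical analysis of a file's byte distribution to spot an encrypted
virus body whose decryptor changes on every infection.

Added example, not code from the original article.  The sample regions are
constructed: the 'encrypted body' is deterministic pseudo-random output from
SHA-256 standing in for ciphertext, and the 'code' region is repeated
assembler-like text standing in for ordinary program bytes.  The window
size and the 7.0-bit threshold are assumptions chosen for this example.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, in [0, 8].  Counts are summed in sorted
    order so that two byte-permutations of the same data give the identical
    floating-point result."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n)
                for c in sorted(Counter(data).values()))


def high_entropy_windows(data: bytes, window: int = 512,
                         threshold: float = 7.0) -> list[int]:
    """Offsets of non-overlapping windows whose entropy exceeds `threshold`.
    Code, text and padding sit well below 7 bits; a body encrypted with a
    changing key looks close to uniform and rises above it."""
    return [off for off in range(0, len(data) - window + 1, window)
            if shannon_entropy(data[off:off + window]) > threshold]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def entropy_before_after_xor(data: bytes, key: int) -> tuple[float, float]:
    """Caveat: a single constant-key XOR only relabels byte values, so the
    histogram and the entropy are unchanged.  Entropy alone therefore catches
    only stronger encryption; the constant-key case still needs the stub
    signature or a decryption pass."""
    return shannon_entropy(data), shannon_entropy(xor_bytes(data, key))


def pseudo_random(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample: 512 bytes of 'code', 512 bytes of 'encrypted body',
# 512 bytes of zero padding.
CODE_REGION = (b"push ebp; mov ebp, esp; sub esp, 0x40; call fn; leave; ret; "
               * 20)[:512]
ENCRYPTED_REGION = pseudo_random(512)
PADDING = bytes(512)
SAMPLE_FILE = CODE_REGION + ENCRYPTED_REGION + PADDING

if __name__ == "__main__":
    print("flagged windows:", high_entropy_windows(SAMPLE_FILE))
    print("code region entropy before/after constant XOR:",
          entropy_before_after_xor(CODE_REGION, 0x5A))
```

The flagged offset points at the constructed ciphertext region only; the code and padding windows stay far below the threshold, while the XOR check returns the same entropy before and after, which is the limitation a scanner relying on this measure has to keep in mind.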


Metamorphic code

To avoid being detected by emulation, some viruses rewrite themselves completely each time they infect new executables. Viruses that utilize this technique are said to be in metamorphic code. To enable metamorphism, a metamorphic engine is needed. A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14,000 lines of assembly language code, 90% of which is part of the metamorphic engine.







