Polymorphic Malware
   HOME

TheInfoList



Click Here for Items Related To - Polymorphic Malware
OR:
Polymorphic Malware on:   [Wikipedia]   [Google]   [Amazon]

In computing, polymorphic code is code that uses a polymorphic engine to mutate while keeping the original
algorithm In mathematics and computer science, an algorithm () is a finite sequence of Rigour#Mathematics, mathematically rigorous instructions, typically used to solve a class of specific Computational problem, problems or to perform a computation. Algo ...
intact - that is, the ''code'' changes itself every time it runs, but the ''function'' of the code (its
semantics Semantics is the study of linguistic Meaning (philosophy), meaning. It examines what meaning is, how words get their meaning, and how the meaning of a complex expression depends on its parts. Part of this process involves the distinction betwee ...
) stays the same. For example, the simple math expressions 3+1 and 6-2 both achieve the same result, yet run with different
machine code In computer programming, machine code is computer code consisting of machine language instructions, which are used to control a computer's central processing unit (CPU). For conventional binary computers, machine code is the binaryOn nonb ...
in a
CPU A central processing unit (CPU), also called a central processor, main processor, or just processor, is the primary processor in a given computer. Its electronic circuitry executes instructions of a computer program, such as arithmetic, log ...
. This technique is sometimes used by
computer virus A computer virus is a type of malware that, when executed, replicates itself by modifying other computer programs and Code injection, inserting its own Computer language, code into those programs. If this replication succeeds, the affected areas ...
es,
shellcode In hacking, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised ma ...
s and
computer worm A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will ...
s to hide their presence.
Encryption In Cryptography law, cryptography, encryption (more specifically, Code, encoding) is the process of transforming information in a way that, ideally, only authorized parties can decode. This process converts the original representation of the inf ...
is the most common method to hide code. With encryption, the main body of the code (also called its payload) is encrypted and will appear meaningless. For the code to function as before, a decryption function is added to the code. When the code is ''executed'', this function reads the payload and decrypts it before executing it in turn. Encryption alone is not polymorphism. To gain polymorphic behavior, the encryptor/decryptor pair is mutated with each copy of the code. This allows different versions of some code which all function the same.


Malicious code

Most
anti-virus software Antivirus software (abbreviated to AV software), also known as anti-malware, is a computer program used to prevent, detect, and remove malware. Antivirus software was originally developed to detect and remove computer viruses, hence the name ...
and
intrusion detection system An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically either reported to an administrator or collec ...
s (IDS) attempt to locate malicious code by searching through computer files and data packets sent over a
computer network A computer network is a collection of communicating computers and other devices, such as printers and smart phones. In order to communicate, the computers and devices must be connected by wired media like copper cables, optical fibers, or b ...
. If the security software finds patterns that correspond to known computer viruses or worms, it takes appropriate steps to neutralize the threat. Polymorphic algorithms make it difficult for such software to recognize the offending code because it constantly mutates. Malicious
programmer A programmer, computer programmer or coder is an author of computer source code someone with skill in computer programming. The professional titles Software development, ''software developer'' and Software engineering, ''software engineer' ...
s have sought to protect their encrypted code from this virus-scanning strategy by rewriting the unencrypted decryption engine (and the resulting encrypted payload) each time the virus or worm is propagated. Anti-virus software uses sophisticated pattern analysis to find underlying patterns within the different mutations of the decryption engine, in hopes of reliably detecting such
malware Malware (a portmanteau of ''malicious software'')Tahir, R. (2018)A study on malware and malware detection techniques . ''International Journal of Education and Management Engineering'', ''8''(2), 20. is any software intentionally designed to caus ...
. Emulation may be used to defeat polymorphic obfuscation by letting the malware demangle itself in a virtual environment before utilizing other methods, such as traditional signature scanning. Such a virtual environment is sometimes called a
sandbox A sandbox is a sandpit, a wide, shallow playground construction to hold sand, often made of wood or plastic. Sandbox or sand box may also refer to: Arts, entertainment, and media * Sandbox (band), a Canadian rock music group * Sandbox (Gu ...
. Polymorphism does not protect the virus against such emulation if the decrypted payload remains the same regardless of variation in the decryption algorithm. Metamorphic code techniques may be used to complicate detection further, as the virus may execute without ever having identifiable code blocks in memory that remains constant from infection to infection. The first known polymorphic virus was written by Mark Washburn. The virus, called
1260 Year 1260 ( MCCLX) was a leap year starting on Thursday of the Julian calendar. Events By place Africa * October 24 – Saif ad-Din Qutuz, Mamluk sultan of Egypt, is assassinated by Baibars, who seizes power for himself. * The civil se ...
, was written in 1990. A better-known polymorphic virus was created in 1992 by the hacker Dark Avenger as a means of avoiding pattern recognition from antivirus software. A common and very virulent polymorphic virus is the file infecter Virut.


See also

* Metamorphic code *
Self-modifying code In computer science, self-modifying code (SMC or SMoC) is source code, code that alters its own instruction (computer science), instructions while it is execution (computing), executing – usually to reduce the instruction path length and imp ...
*
Alphanumeric shellcode In hacker (computer security), hacking, a shellcode is a small piece of code used as the Payload (computing), payload in the exploit (computer security), exploitation of a software Vulnerability (computing), vulnerability. It is called "shellco ...
*
Shellcode In hacking, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised ma ...
*
Obfuscated code In software development, obfuscation is the practice of creating source or machine code that is intentionally difficult for humans or computers to understand. Similar to obfuscation in natural language, code obfuscation may involve using unnece ...
*
Oligomorphic code Oligomorphic code, also known as semi-polymorphic code, is a method used by a computer virus to obfuscated code, obfuscate its decryptor by generating different versions of it, in order to evade detection by antivirus software. It is similar to, bu ...


References

* {{refend Types of malware