Content deleted Content added
m disambiguation link repair (You can help!) |
unreliable source |
||
(174 intermediate revisions by more than 100 users not shown) | |||
Line 1:
{{Short description|Self-modifying program code designed to defeat anti-virus programs or reverse engineering}}
{{distinguish|Polymorphism (computer science)}}
{{refimprove|date=November 2010}}
In computing, '''polymorphic code''' is code that uses a [[polymorphic engine]] to mutate while keeping the original [[algorithm]] intact - that is, the ''code'' changes itself every time it runs, but the ''function'' of the code (its [[semantics]]) stays the same. For example, the simple math expressions 3+1 and 6-2 both achieve the same result, yet run with different [[machine code]] in a [[Central processing unit|CPU]]. This technique is sometimes used by [[computer virus]]es, [[shellcode]]s and [[computer worm]]s to hide their presence.<ref name="rugha">{{cite thesis |last=Raghunathan |first=Srinivasan |date=2007 |title=Protecting anti-virus software under viral attacks |type=M.Sc. |publisher=Arizona State University |citeseerx=10.1.1.93.796}}</ref>
[[Encryption]] is the most common method to hide code. With encryption, the main body of the code (also called its [[Payload (computing)|payload]]) is encrypted and will appear meaningless. For the code to function as before, a decryption function is added to the code. When the code is ''executed'', this function reads the payload and decrypts it before executing it in turn.
Encryption alone is not polymorphism. To gain polymorphic behavior, the encryptor/decryptor pair is mutated with each copy of the code. This allows different versions of some code which all function the same.<ref name="wongstamp">{{cite journal |last1=Wong |first1=Wing |last2=Stamp |first2=M. |title=Hunting for Metamorphic Engines |journal=Journal in Computer Virology |volume=2 |issue= 3|pages=211–229 |date=2006 |doi=10.1007/s11416-006-0028-7 |citeseerx=10.1.1.108.3878|s2cid=8116065 }}</ref>
Most [[anti-virus software]] and [[intrusion detection system]]s attempt to locate malicious code by searching through computer files and data packets sent over a [[computer network]]. If the security software finds patterns that correspond to known computer viruses or worms, it takes appropriate steps to neutralize the threat. [[Polymorphic]] algorithms make it difficult for such software to locate the offending code as it constantly mutates.▼
== Malicious code ==
▲Most [[anti-virus software]] and [[intrusion detection system]]s (IDS) attempt to locate malicious code by searching through computer files and data packets sent over a [[computer network]]. If the security software finds patterns that correspond to known computer viruses or worms, it takes appropriate steps to neutralize the threat.
Malicious [[programmer]]s have sought to protect their polymorphic code from this strategy by rewriting the unencrypted decryption engine each time the virus or worm is propagated. Sophisticated pattern analysis is used by anti-virus software to find underlying patterns within the different mutations of the decryption engine in hopes of reliably detecting such [[malware]].▼
▲Malicious [[programmer]]s have sought to protect their
Emulation may be used to defeat polymorphic obfuscation by letting the malware demangle itself in a virtual environment before utilizing other methods, such as traditional signature scanning. Such a virtual environment is sometimes called a [[Sandbox (computer security)|sandbox]]. Polymorphism does not protect the virus against such emulation if the decrypted payload remains the same regardless of variation in the decryption algorithm. [[Metamorphic code]] techniques may be used to complicate detection further, as the virus may execute without ever having identifiable code blocks in memory that remains constant from infection to infection.
The first known polymorphic virus was written by Mark Washburn. The virus, called [[1260 (computer virus)|1260]], was written in 1990.<ref>{{Cite web |title=An Example Decryptor of 1260 |url=https://userpages.umbc.edu/~dgorin1/432/example_decryptor.htm |access-date=2025-03-21 |website=userpages.umbc.edu}}</ref> A better-known polymorphic virus was created in 1992 by the hacker [[Dark Avenger]] as a means of avoiding pattern recognition from antivirus software. A common and very virulent polymorphic virus is the file infecter [[Virut]].
== See also ==
* [[Metamorphic code]]
* [[Self-modifying code]]
* [[
* [[
* [[
* [[
== References ==
<references/>
* Diomidis Spinellis. [http://www.spinellis.gr/pubs/jrnl/2002-ieeetit-npvirus/html/npvirus.html Reliable identification of bounded-length viruses is NP-complete]. ''IEEE Transactions on Information Theory'', 49(1):280–284, January 2003. [http://dx.doi.org/10.1109/TIT.2002.806137 doi:10.1109/TIT.2002.806137]▼
{{refbegin}}
▲*{{cite
{{refend}}
[[Category:Types of malware]]
|