Wikipedia

Polymorphic code: Difference between revisions

Browse history interactively
← Previous edit
Content deleted Content added
VisualWikitext
Wik (talk | contribs)
21,748 edits
mNo edit summary
unreliable source
 
(188 intermediate revisions by more than 100 users not shown)
Line 1:
{{Short description|Self-modifying program code designed to defeat anti-virus programs or reverse engineering}}
In computer science (or more often, in computer underground terms) '''polymorphic code''' is code that mutates while keeping the original [[algorithm]] intact.
{{distinguish|Polymorphism (computer science)}}
{{refimprove|date=November 2010}}
In computing, '''polymorphic code''' is code that uses a [[polymorphic engine]] to mutate while keeping the original [[algorithm]] intact - that is, the ''code'' changes itself every time it runs, but the ''function'' of the code (its [[semantics]]) stays the same. For example, the simple math expressions 3+1 and 6-2 both achieve the same result, yet run with different [[machine code]] in a [[Central processing unit|CPU]]. This technique is sometimes used by [[computer virus]]es, [[shellcode]]s and [[computer worm]]s to hide their presence.<ref name="rugha">{{cite thesis |last=Raghunathan |first=Srinivasan |date=2007 |title=Protecting anti-virus software under viral attacks |type=M.Sc. |publisher=Arizona State University |citeseerx=10.1.1.93.796}}</ref>
 
[[Encryption]] is the most common method to hide code. With encryption, the main body of the code (also called its [[Payload (computing)|payload]]) is encrypted and will appear meaningless. For the code to function as before, a decryption function is added to the code. When the code is ''executed'', this function reads the payload and decrypts it before executing it in turn.
Polymorphic code was invented in 1992 by the [[security cracking|cracker]] [[Dark Avenger]] (a [[pseudonym]]) as a mean to avoid pattern recognition from antivirus-software.
 
Encryption alone is not polymorphism. To gain polymorphic behavior, the encryptor/decryptor pair is mutated with each copy of the code. This allows different versions of some code which all function the same.<ref name="wongstamp">{{cite journal |last1=Wong |first1=Wing |last2=Stamp |first2=M. |title=Hunting for Metamorphic Engines |journal=Journal in Computer Virology |volume=2 |issue= 3|pages=211–229 |date=2006 |doi=10.1007/s11416-006-0028-7 |citeseerx=10.1.1.108.3878|s2cid=8116065 }}</ref>
This is sometimes used by [[computer virus]]es, [[shellcode]]s and [[computer worm]]s to hide their presence.
Most [[anti virus-software]] and [[intrusion detection system]]s tries to find malicious code by searching through computer files and data packets sent over a [[computer network]]. If the security software finds any pattern that corresponds to an already known virus or worm, it reacts and erases the program.
It cannot, however, find the program if it constantly mutates so that it never looks the same. This is the very idea of polymorphic code.
 
== Malicious code ==
Most often, a virus/worm that makes any attempt to hide its presence will do that by encrypting itself. However, before being executed at a remote computer, it obviously first needs to decrypt itself. In order to decrypt the virus or worm, some part of the code has to be deliverd unencrypted. Thus, while not being able to detect the actual virus or worm, the anti virus-software/intrusion detection system will still be able to detect the virus decryption engine!
 
Most [[anti virus-virus software]] and [[intrusion detection system]]s tries(IDS) attempt to findlocate malicious code by searching through computer files and data packets sent over a [[computer network]]. If the security software finds any patternpatterns that correspondscorrespond to anknown alreadycomputer known virusviruses or wormworms, it reactstakes andappropriate erasessteps to neutralize the programthreat. Polymorphic algorithms make it difficult for such software to recognize the offending code because it constantly mutates.
However, if the decryption engine is rewritten each time before it is transferred into a new computer (in the case of a worm/shellcode) or computer file (in the case of a virus), it becomes nearly impossible for any security software to detect the presence of the malicious program.
 
Malicious [[programmer]]s have sought to protect their encrypted code from this virus-scanning strategy by rewriting the unencrypted decryption engine (and the resulting encrypted payload) each time the virus or worm is propagated. Anti-virus software uses sophisticated pattern analysis to find underlying patterns within the different mutations of the decryption engine, in hopes of reliably detecting such [[malware]].
== How it works ==
 
Emulation may be used to defeat polymorphic obfuscation by letting the malware demangle itself in a virtual environment before utilizing other methods, such as traditional signature scanning. Such a virtual environment is sometimes called a [[Sandbox (computer security)|sandbox]]. Polymorphism does not protect the virus against such emulation if the decrypted payload remains the same regardless of variation in the decryption algorithm. [[Metamorphic code]] techniques may be used to complicate detection further, as the virus may execute without ever having identifiable code blocks in memory that remains constant from infection to infection.
An algorithm that uses, for example, the variables A and B but not the variable C could stay intact even if you added lots of codes that changed the content in the variable C.
 
The first known polymorphic virus was written by Mark Washburn. The virus, called [[1260 (computer virus)|1260]], was written in 1990.<ref>{{Cite web |title=An Example Decryptor of 1260 |url=https://userpages.umbc.edu/~dgorin1/432/example_decryptor.htm |access-date=2025-03-21 |website=userpages.umbc.edu}}</ref> A better-known polymorphic virus was created in 1992 by the hacker [[Dark Avenger]] as a means of avoiding pattern recognition from antivirus software. A common and very virulent polymorphic virus is the file infecter [[Virut]].
The original algorithm:
Start:
GOTO Decryption_Code
Encrypted:
...
lots of encrypted code!!!
...
Decryption_Code:
*A = Encrypted
Loop:
B = *A
B = B [[XOR]] CryptoKey
*A = B
A = A + 1
GOTO Loop IF NOT A = (Decryption_Code - Encrypted)
GOTO Encrypted
CryptoKey:
some_random_number
 
== See also ==
The same algorithm, but with lots of unnecessary C-altering codes..
* [[Metamorphic code]]
* [[Self-modifying code]]
Start:
* [[Alphanumeric shellcode]]
GOTO Decryption_Code
* [[Shellcode]]
Encrypted:
* [[Obfuscated code]]
...
* [[Oligomorphic code]]
lots of encrypted code!!!
...
Decryption_Code:
C = C + 1
*A = Encrypted
Loop:
B = *A
C = 3214 * A
B = B [[XOR]] CryptoKey
*A = B
C = 1
C = A + B
A = A + 1
GOTO Loop IF NOT A = (Decryption_Code - Encrypted)
C = C^2
GOTO Encrypted
CryptoKey:
some_random_number
 
== References ==
The code inside "Encrypted" ("lots of encrypted code!!!") could then search the code between Decryption_Code and [[CryptoKey]] and remove all the code that alters the variable C. Before the next time the encryption engine is used, it could input new unnecessary codes that alters C, or even exchange the code in the algorithm into new code that does the same thing.
<references/>
{{refbegin}}
*{{cite journal |author-link= |last=Spinellis |first=Diomidis |url=http://www.spinellis.gr/pubs/jrnl/2002-ieeetit-npvirus/html/npvirus.html |title=Reliable identification of bounded-length viruses is NP-complete |journal=IEEE Transactions on Information Theory |volume=49 |issue=1 |pages=280–4 |date=January 2003 |doi=10.1109/TIT.2002.806137}}
{{refend}}
 
[[Category:Types of malware]]
See also: [[self-modifying code]], [[alphanumeric code]], [[shellcode]], [[software cracking]], [[security cracking]]
Retrieved from "https://en.wikipedia.org/wiki/Polymorphic_code"