Avigreen18: →Example: Added links
m The original author used the word code in describing an analogy, however the analogy is more directly related to mathematics than programming. Replacing the clause paints a clearer picture regarding polymorphism. Removed bad comma.
Line 1:
{{distinguish|Polymorphism (computer science)}}
{{refimprove|date=November 2010}}
In computer terminology, '''polymorphic code''' is code that uses a [[polymorphic engine]] to mutate while keeping the original [[algorithm]] intact. That is, the code changes itself each time it runs, but the function of the code (its [[semantics]]) will not change at all. For example, 1+3 and 6-2 both achieve the same result while using different
[[Encryption]] is the most common method to hide code. With encryption, the main body of the code (also called its payload) is encrypted and will appear meaningless. For the code to function as before, a decryption function is added to the code. When the code is ''executed'' this function reads the payload and decrypts it before executing it in turn.
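Review bot: The lead paragraph says the code "changes itself each time it runs", while the later text under Line 13 says the decryption engine is rewritten "each time the virus or worm is propagated"; these describe different triggers and the article should settle on one or state that both occur. The arithmetic analogy (1+3 and 6-2) also illustrates equivalent computations, but the next paragraph moves straight to encryption of the payload, which is a different mechanism, so a linking sentence explaining how the analogy relates to the mutated decryption function would help. The claim that encryption is "the most common method to hide code" carries no inline citation even though the article is tagged {{refimprove}}.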
Line 13:
Malicious [[programmer]]s have sought to protect their encrypted code from this virus-scanning strategy by rewriting the unencrypted decryption engine (and the resulting encrypted payload) each time the virus or worm is propagated. Anti-virus software uses sophisticated pattern analysis to find underlying patterns within the different mutations of the decryption engine, in hopes of reliably detecting such [[malware]].
Emulation may be used to defeat polymorphic obfuscation by letting the malware demangle itself in a virtual environment before utilising other methods, such as traditional signature scanning. Such a virtual environment is sometimes called a [[Sandbox (computer security)|sandbox]]. Polymorphism does not protect the virus against such emulation
The first known polymorphic virus was written by [[Mark Washburn]]. The virus, called [[1260 (computer virus)|1260]], was written in 1990. A better-known polymorphic virus was created in 1992 by the hacker [[Dark Avenger]] (a [[pseudonym]]) as a means of avoiding pattern recognition from antivirus software. A common and very virulent polymorphic virus is the file infecter [[Virut]].
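Review bot: The history paragraph states attributions and dates (Mark Washburn and 1260 in 1990, Dark Avenger in 1992) and calls Virut "common and very virulent" with no references, on an article already tagged {{refimprove}}; each of these needs an inline citation, and "very virulent" should be dropped or sourced. In the first paragraph of this hunk, "sophisticated pattern analysis" and "in hopes of reliably detecting" are vague; naming what is actually matched (the underlying patterns in the mutated decryption engine, as the sentence goes on to say) would be clearer. The emulation paragraph would also read better if it stated plainly that signature scanning is applied to the payload after it has been decrypted inside the sandbox.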