Wikipedia

Polymorphic code: Difference between revisions

Browse history interactively
← Previous editNext edit →
Content deleted Content added
VisualWikitext
fix template name
fixed grammar
Tag: COI template removed
Line 5:
[[Encryption]] is the most common method to hide code. With encryption, the main body of the code (also called its payload) is encrypted and will appear meaningless. For the code to function as before, a decryption function is added to the code. When the code is ''executed'' this function reads the payload and decrypts it before executing it in turn.
 
Encryption alone is not polymorphism. To gain polymorphic behavior, the encryptor/decryptor pair areis mutated with each copy of the code. This allows different versions of some code which all function the same.<ref name="wongstamp">Wong, Wing; Stamp, M. (2006). ''Hunting for Metamorphic Engines''. Journal in Computer Virology. Department of Computer Science, San Jose State University. [http://www.truststc.org/pubs/237/hunting.pdf]</ref>
 
== Malicious code ==
Line 13:
Malicious [[programmer]]s have sought to protect their encrypted code from this virus-scanning strategy by rewriting the unencrypted decryption engine (and the resulting encrypted payload) each time the virus or worm is propagated. Anti-virus software uses sophisticated pattern analysis to find underlying patterns within the different mutations of the decryption engine, in hopes of reliably detecting such [[malware]].
 
Emulation may be used to defeat polymorphic obfuscation by letting the malware demangle itself in a virtual environment before utilisingutilizing other methods, such as traditional signature scanning. Such a virtual environment is sometimes called a [[Sandbox (computer security)|sandbox]]. Polymorphism does not protect the virus against such emulation if the decrypted payload remains the same regardless of variation in the decryption algorithm. [[Metamorphic code]] techniques may be used to complicate detection further, as the virus may execute without ever having identifiable code blocks in memory that remainremains constant from infection to infection.
 
The first known polymorphic virus was written by Mark Washburn. The virus, called [[1260 (computer virus)|1260]], was written in 1990. A better-known polymorphic virus was created in 1992 by the hacker [[Dark Avenger]] (a [[pseudonym]]) as a means of avoiding pattern recognition from antivirus software. A common and very virulent polymorphic virus is the file infecter [[Virut]].
Line 40:
some_random_number
 
The encrypted code is the payload. To make different versions of the code, in each copy the garbage lines which manipulate C will change. The code inside "Encrypted" ("lots of encrypted code") can search the code between Decryption_Code and CryptoKey and each algorithm for new code that does the same thing. Usually, the coder uses a zero key (for example; A [[xor]] 0 = A) for the first generation of the virus, making it easier for the coder because with this key the code is not encrypted. The coder then implements an incremental key algorithm or a random one.
 
== Polymorphic encryption ==
{{Advert section|date=July 2020}}
 
Polymorphic code can be also used to generate encryption algorithm. This code was generated by the online service StringEncrypt.<ref name="stringencrypt">[https://www.stringencrypt.com Wójcik, Bartosz (2015). ''String & File Encryption'']</ref> It takes the string or a file content and encrypts it with random encryption commands and generates polymorphic decryption code in one of the many supported programming languages:
Retrieved from "https://en.wikipedia.org/wiki/Polymorphic_code"