Polymorphic and metamorphic: the variants of computer viruses.

In recent days we have been hearing about variants of Covid-19. Like all viruses, computer viruses also find ways to hide from view so that they can spread better. It is no coincidence that many aspects of computer science seem to be a kind of "copy" of reality: nature offers us mechanisms of disarming simplicity that can easily be replicated in the binary world of computers.

We have already talked in a previous article about how antivirus software can find the malicious files among those on our systems. Here we place ourselves on the other side of the fence and look at the techniques commonly used to elude the protection of anti-malware programs. Like any good virus, its main survival strategy is the surprise effect: as long as it manages to replicate without being seen it can do damage, but once it is known it can easily be identified and eliminated.

We talked about finding viruses on the basis of a signature that characterizes them: what better way to hide than transforming your own code? Creating a variant of yourself makes it difficult to find identical parts in the copy and therefore decreases the likelihood of a correct match. The most common techniques, such as those of polymorphic and metamorphic viruses, implement precisely the mechanisms needed to change the code and make it unidentifiable.

The mechanism exploited by polymorphic viruses to replicate by changing. Variants like this use an engine to decrypt the malicious code of the virus and re-encrypt it with another key, effectively changing the shape. Source: Research Gate

Polymorphic viruses

The idea behind this technique is encryption. An encryption algorithm makes plaintext unreadable. Ciphers have been known since ancient times (the Caesar cipher) and have evolved over time. Those familiar with security will know names like AES, RSA, etc., which are the most modern encryption algorithms but which also require a certain amount of computational capacity. In reality, there are much simpler techniques that rely on arithmetic or Boolean operations. Among these operators, the cryptographers' favorite is XOR, also called exclusive OR.

Let's take an example to better understand what we are talking about. In computing, each character is associated with a value in a given encoding. For example, the letter A in the ASCII encoding corresponds to the hexadecimal value 41. By choosing an "encryption key" (in this case just a number) such as hexadecimal 68, we can change our initial letter: 0x41 XOR 0x68 gives 0x29, which corresponds to the closing round bracket character “)”. Extending this simple concept to a larger piece of code, it is easy to see how true malicious code can be hidden from prying eyes. At the right moment, it is sufficient to decode it with the same key to obtain the initial value (0x29 XOR 0x68 gives 0x41 again).

Polymorphic viruses use this mechanism to hide malicious code and change it with each new infection. Thanks to a polymorphic engine, they are able to decrypt the malicious code at the most appropriate time, execute it and then change the key to encrypt it again. The code, in fact, remains the same; only its appearance changes (its encryption is changed), so it remains invisible to an antivirus that always looks for the same "signature".
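Why a fixed signature misses re-encoded copies, and two ways a scanner can still match them, as an added example that is not from the original article. The marker string, the second key 0x3C and all function names are constructed for illustration, and only the single-byte XOR described above is covered.

```python
# Added example: constructed, harmless data only.
MARKER = b"EXAMPLE-PAYLOAD-MARKER"  # constructed stand-in for a known signature

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the operation from the text (0x41 ^ 0x68 == 0x29)."""
    return bytes(b ^ key for b in data)

def make_sample(key: int) -> bytes:
    """Constructed 'generation': clear header and trailer, marker encoded under key."""
    return b"HEADER--" + xor_bytes(MARKER, key) + b"--TRAILER"

def naive_scan(buf: bytes, signature: bytes) -> bool:
    """Classic static signature match on the raw bytes."""
    return signature in buf

def xray_scan(buf: bytes, signature: bytes):
    """Try every single-byte key; return (key, offset) of the first hit or None."""
    for key in range(256):
        off = buf.find(xor_bytes(signature, key))
        if off != -1:
            return key, off
    return None

def delta(data: bytes) -> bytes:
    """XOR of adjacent bytes: (p[i]^k) ^ (p[i+1]^k) == p[i]^p[i+1], so the key cancels."""
    return bytes(a ^ b for a, b in zip(data, data[1:]))

def delta_scan(buf: bytes, signature: bytes) -> int:
    """Key-independent match in a single pass; returns the offset or -1."""
    return delta(buf).find(delta(signature))

if __name__ == "__main__":
    for key in (0x68, 0x3C):  # 0x68 is the key from the text, 0x3C is constructed
        sample = make_sample(key)
        print(hex(key), naive_scan(sample, MARKER),
              xray_scan(sample, MARKER), delta_scan(sample, MARKER))
```

Both scans cover only a single-byte XOR key; an engine that uses a longer key or a different cipher is outside what this example matches.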

Unexpected mutations

The polymorphic variants of computer viruses are quite basic, but some viruses can transform completely: metamorphic viruses (from the Greek metamórphōsis, 'transformation'). Symantec's White Paper looks at some typical approaches and explains how to hunt for these unpredictable viruses. Unlike the previous ones, metamorphic malware uses an engine to modify all of its component parts, including the transformation engine itself. A basic technique is, for example, code reordering, which can be done with JUMP instructions: it is possible to keep what the code does intact but change how it is written, by moving lines and adding jumps that follow the initial flow.

Metamorphic viruses have the ability to completely modify themselves through techniques such as code reordering.

Typically these programs, during their execution, create a temporary image of their binary translation, modify it (by applying reordering, for example) and then translate it back into machine code. In other words, starting from an initial program, it is possible to create a copy that is completely different in shape (no part is the same as the previous one) but exactly mirrored in terms of operation.
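From the analyst's side, reordering with jumps can be undone by following the jumps and comparing the instructions in execution order. This is an added example, not from the original article or the Symantec paper: the toy instruction set, both listings and the function names are constructed, and only unconditional jumps in straight-line code are handled.

```python
# Added example: a constructed toy instruction set, not real machine code.
# Each entry is (label or None, instruction); "jmp X" is an unconditional jump.
ORIGINAL = [
    ("start", "mov a, 1"),
    (None, "add a, 2"),
    (None, "mul a, 3"),
    (None, "ret"),
]
REORDERED = [  # same behaviour, blocks shuffled and stitched together with jumps
    ("start", "jmp p1"),
    ("p3", "mul a, 3"),
    (None, "ret"),
    ("p2", "add a, 2"),
    (None, "jmp p3"),
    ("p1", "mov a, 1"),
    (None, "jmp p2"),
]

def layout_signature(listing):
    """What a pattern scanner effectively sees: instructions in file order."""
    return [ins for _, ins in listing]

def normalize(listing):
    """Follow unconditional jumps from the first entry and return the
    instructions in execution order, dropping the jumps themselves."""
    labels = {lab: i for i, (lab, _) in enumerate(listing) if lab}
    out, seen, pc = [], set(), 0
    while pc < len(listing) and pc not in seen:  # 'seen' stops jump loops
        seen.add(pc)
        ins = listing[pc][1]
        if ins.startswith("jmp "):
            target = ins.split()[1]
            if target not in labels:
                raise ValueError(f"unknown jump target {target!r}")
            pc = labels[target]
            continue
        out.append(ins)
        if ins == "ret":
            break
        pc += 1
    return out

if __name__ == "__main__":
    print(layout_signature(ORIGINAL) == layout_signature(REORDERED))
    print(normalize(ORIGINAL) == normalize(REORDERED))
```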

The pitfalls of viruses and how to protect ourselves

With these premises, it is now clear how difficult it is to identify and keep track of these particular variants of computer viruses. Digital Guardian warns us about the possible pitfalls on the web and about how effective these viruses still are, even though we have become very expert in producing antivirus software. In fact, traditional approaches based only on signatures are ineffective. But of course we always have a weapon at our disposal, and in this case it is the sandbox.

The sandbox is our ally: it studies the behavior of executables to see if something is wrong. In particular, it is precisely because the virus is left free to run that we can find it. As we have mentioned, in both cases there is always a temporary, intermediate phase: in the first case we find the code in clear text, while in the second there is a temporary image of the virus. These two moments are fundamental: by monitoring them, we can intervene when we find behaviors similar to those described.

In conclusion, therefore, let us maintain the utmost caution, as always, when we browse the web. Otherwise we could run into viruses that… like to change!

The article Polymorphic and metamorphic: the variants of computer viruses. comes from Tech CuE | Close-up Engineering .