1. The Mechanism of Polymorphic
and Metamorphic Virus
Li Xufang
CSIT-TL@NTU Computer Security Lab
2. What is a polymorphic virus?
A polymorphic virus is a computer virus which is capable of mutating
itself when it replicates, making it more difficult to identify with
original antivirus software.
A sophisticated type of virus – polymorphic virus that can wreak
havoc on a computer system while avoiding detection.
“ Chameleon” is the first polymorphic virus in the early ’90s.
Dos polymorphic virus can infect com files, Exe files and the Master
Boot Record with encryption, instruction mutation and stealth
capability.
MTE 0.90 (Mutation Engine),
TPE (Trident Polymorphic Engine), four versions
NED (Nuke Encryption Device),
DAME (Dark Angel's Multiple Encryptor)
In early 1992 the famous ‘Dedicated’ virus appears, based on the
first known polymorphic generator MTE
3. Polymorphism techniques
Entry point obfuscation (EPO)
Garbage code insertion
Nop opcode insertion
Complex dead codes are given, which are useless instructions and semantically
equivalent to no operation
Encryptor and decryptor
Instruction permutation
Instruction placement
Pseudo-random index decryption (PRGA)
The PRGA modifies the state and outputs a byte of the key stream. In each
iteration, the PRGA increments i, adds the value of S pointed to by i to j,
exchanges the values of S[i] and S[j], and then outputs the element of S at the
location S[i] + S[j] (modulo 256). Each element of S is swapped with another
element at least once every 256 iterations.(RC4:http://en.wikipedia.org/wiki/RC4)
Out-of-order decode generation
Register randomization
Polymorphic generator
4. Polymorphic decryptor – Malicious
Cryptography
All ciphering algorithms are not equivalent, like a XOR with a short
key, it is easy to crypt analyze
Another well-tested algorithm is no way to retrieve the key ( like
Random Decryption Algorithm (RDA))
The weak crypto
Deterministic RDA: the computation time is always the same (W32/Crypto)
Non-deterministic RDA: the computation time can not be guessed (W32/IHSix)
The strong crypto
A deciphering function D gathers the information needed to compute the key and
decipher the corresponding code.
Encrypted code EVP1 (key k1) contains all the anti-anti-viral mechanisms.
Encrypted code EVP2 (key k2) is in charge of the infection and
polymorphism/metamorphism mechanisms.
Encrypted code EVP3 (key k3) contains all the optional payloads.
(Frederic Raynal. “Malicious Cryptography, Part two”. Symantec techniques
papers, 15 May 2006)
5. How is a polymorphic created?
Key 1
Polymorphic Engine
Key 2
Constantly create
new random
encryptions of the
same virus body Key n
with different keys.
6. Polymorphic Encryption Techniques
Simple encryption
“XOR”, “ADD” , A becomes B, B becomes C, C becomes D.
Advanced technology
XYZ, X is encrypted by the A, Y is encrypted by the B, Z is encrypted by the C.
Long character key for the encryption, decrypt the code with a long
key in turn
WVYYX, key is ABCD, W with A, V with B, first Y with C, next Y with A, X with B.
the key is hard to guess.
Mutation encrypt: multiple encrypt method, encrypt the code again
with the different key or the same key
Transposition encrypt: it is definitely weak, because random key
should construct the original opcode.
7. Win32/Vundo Polymorphic virus
Entry Point Obfuscation (EPO)
Instruction permutation
Opcode: 24E9 A4 FD FF FF FF81F03779DB
To: E9A4FDFFFF 81F03779DB07
8. Win32/Vundo Polymorphic Virus
Loc_10001E74
EP Nop
jmp short loc_10001E84
Loc_10001E84:
call eax
push ecx push ecx
Jmp short loc_100012EF pop ecx
add esp, 2
Nop
Nop
Loc_100012EF
jmp short loc_10001EA5
Jmp loc_10001098
Loc_10001098 ... …
ror al, cl Nop
and ax, 7F4Dh jmp short loc
sub eax, [esp+8+var_8] ……
and eax, 0 jmp short loc
add eax, offset sub_1000170E
jmp loc_1000166E
... …
Nop
Loc_1000166E
jmp eax
nop
……
jmp short loc_1000167D
... …
Loc:
Loc_1000167D
Xor al, cl
push dword ptr [esp+8]
Mov ax, 1F07h
xchg bx, bx
Shr ax, cl
jmp loc_10001E74
Mov al, [eax]
……
9. Win32/Vundo Polymorphic Virus
Execution flow modification
Entry Point
Jump 1 Junk Jump 2 Junk Jump 3
...
Entropy data Jump n Junk Jump n-1 Junk
10. What is metamorphic virus?
In computer virus terms, metamorphic code is code that can
reprogram itself. Often, it does this by translating its own code into a
temporary representation, editing the temporary representation of itself,
and then writing itself back to normal code again
A metamorphic virus is one that is capable of rewriting its own code with
each infection, or generation of infection, while maintaining the same
functionality
• Simile
• Zmist
11. Metamorphism technology
Entry point obfuscation (EPO)
Code permutation
Conditional jumps or unconditional braches control
Execution flow modification
Insert jump and call instructions
Code integration
Code is inserted into another piece . Relocation and data references are updated
accordingly (Win32/Zmist)
Metamorphism generator
Polymorphic decryptor
Anti- Emulator
Anti-debugger
Payload
Stealth
12. Example of code emulation
From Szor and Ferrie, “Hunting for Metamorphic”
13. Emulation process and virus detection
Randomly generates a new key Decrypt and execute
and corresponding decryptor code
Mutation A
Virus body
Mutation B
Mutation C
To detect an unknown mutation of a known virus ,
emulate CPU execution of until the current sequence of
instruction opcodes matches the known sequence for virus body
slide 13
14. W32/Zmist virus
It is written by Zombie, a Russian legal polymorphic and
metamorphic virus writer
Entry point obscuring virus
Randomly use an additional polymorphic decryptor
Code integration technology
Mistfall engine – it is capable of decompiling portable executable
files to its small elements
Regenerate code and data references, including the relocation
information and rebuild the executable
Insert jump instructions after every single instructions of the code
section
Perfect anti-heuristics virus
Not see a single crash during the test replications
15. Simplified Zmist Infection Process
Randomly insert
indirect call OR jump
to descryptor's entry
point OR rely on
instruction flow to
reach it
Pick a portable
executable Descryptor
binary <448kb must
in size restore host’s
registers to
preserve host’s
functionality
Disassemble, insert space for new Insert mutated virus body Encrypt virus body by Insert random garbage
code blocks, generate new binary Split into jump-linked “islands” XOR (ADD, SUB) with a instructions using
Mutate opcodes (XOR↔SUB, OR↔TEST) randomly generated key, Executable Trash Generator
Swap register moves and PUSH/POP, etc. insert mutated decryptor
slide 15
17. Win32/Fujacks metamorphic virus
File size: 173,580 bytes
A variant of metamorphic virus
Infect the PE, Compress files (.RAR.ZIP et al) and possibly HTML
files with malicious hyperlinks of windows ANI 0-day exploit
Upon execution. It drops itself (TXPlatform.exe) and infected files
(regedit.exe)
Create Desktop_1.ini: Located in infected folder and tag the infected
data-detected as W32/Fujacks.remnants virus
Autorun worm virus
Infected type: Pre-pending
18. Win32/Fujacks Metamorphic Virus Technique
Entry Point
Entry point obfuscation (EPO),
Garbage code insertion
Instruction permutation
Register randomization (EDI,
and ESI)
Garbage insertion (From EP
to
)
Anti-debugger
Anti-Virtual Machine
Internal packed
Decompress algorithm
19. W32/Fujacks: Payload Technique
(MS06-050) Microsoft
Hyperlink Object Function
Vulnerability (KB920670)
A remote code execution
vulnerability exists in the
hyperlink object Library
This virus exploits the
vulnerability by constructing a
malicious hyperlink which
could potentially lead to
remote code execution, drop
or download malware codes
Hyperlink with malicious code
20. Compressed files are Infected by Fujacks virus
It can decompress .RAR, .zip files and infected the internal PE files.
Infect type: pre-pending
Decompr Malicious Codes
essing Infecting
Compressed files PE files
Infected files
21. Win32/Fujacks Running Process
PE1 1. Drop malicious code
PE HEADER 2. Infect PE files on all
Malicious codes folders
3. Pre-pending
infection
4. Decompression
EP + Garbage files
codes 5. Hyperlink exploit
6. Autorun
Pack part Main File
Running process (Unpacked) 7 Anti debugger
8. Anti virtual machine
Infected files
Decryptor PE2
23. The novel analysis and detection methods for
complex computer virus
Control flow methods
Behavior monitor
Monitoring files (dropper, download, rewrite, insert)
Monitoring registry
Monitoring network
Memory monitor
Hooking monitor
API call monitor
Process monitor
Heuristic detection
Semantic analysis and detection
API call
Opcode malware detection and analysis
Entropy calculator
24. Reference:
• Robert Lyda and Jim Hamrock. “Using Entropy Analysis to Find Encrypted and Packed Malware”.
IEEE Security & Privacy, pp. 40-45, 2007
• Information Technology Security Report Lead Agency Publication R2-002, “Future Trends in
Malicious Code – 2006 Report”.
• McAfee. McAfee virtual criminology report, “Virtually Here: The Age of Cyber Warfare” McAfee,
Inc, 2009
• Understanding and Managing Polymorphic Viruses. The Symantec Enterprise Papers (1996)
• Evgenios Konstantinou, Stephen Wolthusen, “Metamorphic Virus: Analysis and Detection”.
Technical Report, RHUL-MA-2008-02
• Szor, P and Ferrie, P. “Hunting for Metamorphic”. Virus Bulletin Conference (2003).
• Adrian E. Stepan. “Defeating Polymorphism beyond Emulation”. Virus Bulletin Conference
October 2005
• Igor Santos, Felix Brezo, Javier Nieves, et al. “Idea: Opcode-Sequence-Based Malware
Detection”. Computer Science, Engineering Secure Software and System, pp. (5969) 35-43,
2010.
• Ulrich Bayer, Engin Kirda and Christopher Kruegel, “Improving the Efficiency of Dynamic Malware
Analysis”, 25th Symposium on Applied Computing (SAC), Track on Information Security Research
and Applications, 2010
• Alsagoff, S.N. Malware self protection mechanism issues in conducting malware behavior analysis
in a virtual environment as compared to a real environment. 2010 International Symposium in
Information Technology (ITSim), pp.1326-1331, 2010
25. Reference:
• Asaf Shabtai, Robert Moskovitch, et al. Detection of malicious code by applying machine learning
classifiers on static features: A state-of-the-art survey. Information Security Technical Report 14
(2009) 16-29
• Cesare, S and Yang Xiang. “A Fast Flowgraph Based Classification System for Packed and
Polymorphic Malware on the Endhost”. Advanced Information Networking and Applications
(AINA), 2010 24th IEEE International Conference on Digital Object Identifier. pp. 721-728, 2010
• Vx heavens. http://vx.netlux.org
• Yong Tang, Bin Xiao, Xicheng Lu. Using a bioinformatics approach to generate accurate exploit-
based signatures for polymorphic worms. Journal of Computer & Security 28 (2009). pp. 827-842
• Aditya Govindaraju. Exhaustive Statistical Analysis for Detection of Metamorphic Malware. Master
project, Department of Computer Science, San Jose State University, spring 2010
• David M. Chess and Steve R. White. An Undetectable Computer Virus. IBM Thomas J. Watson
Research Center, Hawthorne, New York, USA
• Song Y, Locasto ME, Stavrou A, Keromytis AD, Stolfo SJ. On the infeasibility of modeling
polymorphic shellcode. In: ACM conference on computer and communications security (CCS);
2007
• Danilo Bruschi, Lorenzo Martignoni, Mattia Monga. Detecting self-mutating malware using control-
flow graph matching. Lecture Notes in Computer Science, 2006, Vol 4046, Detection of Intrusions
and Malware & Vulnerability Assessment, PP. 129-143
26. Reference:
• Arlington, Virginia. Malware Detection and Classification From Byte-Patterns to Control Flow
Structures to Entropic Defenses. Cyber Genome Project DARPA workshop, University of New
Orleans, Department of Computer Science. December 2009
• Lorenzo Cavallaro, Prateek Saxena and R.Sekar. On the limits of information flow techniques for
malware analysis and containment. Lecture Notes in Computer Science, 2008, Vol 5137,
Detection of Intrusion and Malware, and Vulnerability Assessment, pp. 143-163
• Andrew Walenstein, Rachit Mathur, Mohamed R. Chouchane, Arun Lakhotia. “Constructing
malware normalizes using term rewriting. Journal of Computer Virology, pp. (4) 307-322, 2008
• Frederic perriot, Peter Szor, Peter Ferrie. Striking similarities: Win32/simile and metamorphic virus
code. Technical report, Symantec, 2003
• Peter Szor. Zmist opportunities. Virus Bulletin Conference, March 2001, pp. 6-7
• Felix Leder, Bastian Steinbock, Peter Martini. Classification and detection of metamorphic
malware using value set analysis.
• Kevin A. Roundy, Barton P. Miller. Hybrid analysis and control of malware. Lecture Notes in
Computer Science, 2010, Vol 6370, Recent Advances in Intrusion Detection, pp. 317-338
27. Reference:
• Sharif, M., Lanzi, A., Giffin, J., Lee, W. Impeding malware analysis using conditional code
obfuscation. In Network and Distributed System Security Symposium. San Diego, CA (2008)
• Spinellis, D. Reliable identification of bounded–length viruses is NP-complete. Information Theory,
IEEE Transactions, Vol 49. pp. 280-284, January 2003
• Polymorphic Code: http://en.wikipedia.org/wiki/Polymorphic_code
• Khalid Alzarouni, David Clark, Laurence Tratt. Semantic Malware Detection. Technical Report TR-
10-03, 16 February 2010.
• Mohamed R. Chouchane, Andrew Walenstein, Arun Lakhotia. Statistical Signature for Fast
Filtering of Instruction-substituting Metamorphic Malware. In Proc. Worm 07, November 2007,
Alexandria, Virgina, USA, ACM Press
• Peter Ferrie, Frederic perriot. Detecting Complex Viruses. Symantec Community : Security
Articles.
• McAfee Threat Intelligence: http://www.mcafee.com/us/mcafee-labs/threat-intelligence.aspx
• Virus Bulletin: Glossary - Metamorphic virus:
http://www.virusbtn.com/resources/glossary/metamorphic_virus.xml