
VX Heavens


Library: Metamorphism


Philippe Beaucamps
«Advanced Metamorphic Techniques in Computer Viruses» [TeX] [SRC] (0) 65.42Kb 6972 hits
International Conference on Computer, Electrical, and Systems Science, and Engineering - CESSE'07 (2008)
Nowadays viruses use polymorphic techniques to mutate their code on each replication, thus evading detection by antiviruses. However detection by emulation can defeat simple polymorphism: thus metamorphic techniques are used which thoroughly change the viral code, even after decryption. We briefly detail this evolution of virus protection techniques against detection and then study the METAPHOR virus, today’s most advanced metamorphic virus.
Peter Ferrie, Péter Ször
«Hunting for metamorphic» [SRC] (0) 54.54Kb 8370 hits
Virus Bulletin, Sep 2001, pp. 123-143 (2001)
As virus writers developed numerous polymorphic engines, virus scanners became stronger in their defense against them. A virus scanner which used a code emulator to detect viruses looked like it was on steroids compared to those without an emulator-based scanning engine. Nowadays, most polymorphic viruses are considered boring. Even though they can be extremely hard to detect, most of today's products are able to deal with them relatively easily. These are the scanners that survived the DOS polymorphic days. For some of the scanners DOS polymorphic viruses meant the 'end of days'. Other scanners died with the macro virus problem. For most products the next challenge to take is 32-bit metamorphosis. Metamorphic viruses are nothing new. We have seen them in DOS days, though some of them, like ACG, already used 32-bit instructions. The next step is 32-bit metamorphosis under Windows environments. Virus writers already took the first step in that direction. In this paper the authors will examine metamorphic engines to provide a better general understanding of the problem that we are facing. The authors also provide detection examples of some of the metamorphic viruses.
Myles Jordan
«Dealing with Metamorphism» (0) 11.72Kb 6638 hits
Virus Bulletin, 1 Oct 2002 (2002)
When the virus writer known as z0mbie released Win95.Zmist.A in early 2001, much of the attention paid to this virus by the AV community was directed at its remarkable ability to intersperse its own code with that of its infection target. However, this virus also embodied the continuation of z0mbie's work on viral evolution towards metamorphism - a form of camouflage being developed by virus writers that is so potent and radically different from common encryption that AV scanners will soon need powerful new tools to confront this threat. This article will discuss one possible method that AV scanners could use to deal with metamorphism.
Arun Lakhotia, Moinuddin Mohammed
«Imposing Order on Program Statements to Assist Anti-Virus Scanners» (0) 42.22Kb 6392 hits
In Proceedings of Eleventh Working Conference on Reverse Engineering, Delft, The Netherlands, November 2004, pp. 161-170. (2004)
A metamorphic virus applies semantics-preserving transformations on itself to create a different variant before propagation. Metamorphic computer viruses thwart current anti-virus technologies that use signatures - a fixed sequence of bytes from a sample of a virus - since two variants of a metamorphic virus may not share the same signature. A method to impose an order on the statements and components of expressions of a program is presented. The method, called a "zeroing transformation," reduces the number of possible variants of a program created by reordering statements, reshaping expressions, and renaming variables. On a collection of C programs used for evaluation, the zeroing transformation reduced the space of program variants due to statement reordering from 10^183 to 10^20. Further reduction can be expected by undoing other transformations. Anti-virus technologies may be improved by extracting signatures from the zero form of a virus, and not the original version.
Lord Julus
«Metamorphism» [SRC] (0) 27.25Kb 5880 hits
29a [5] (2000)
This time the object of my study is metamorphism. I think this is the next step after polymorphism, a step that will reach coding up at a new level: the highest peak of self mutating, the biggest step toward perfect stealth, the best highway to the assembly heaven... If there exists something like that... Personally I think there's only a programmer's hell, because I'm sure that Windows is not allowed in Heaven...
MidNyte
«The Complete Re-write Engine» (0) 13.48Kb 6554 hits
Final Chaos [1] (1999)
A form of metamorphism discussed in theory.
SPTH
«Some ideas to increase detection complexity» [SRC] (0) 13.62Kb 2419 hits
Valhalla #1 (2011)
Here you'll find a few small ideas and thoughts about making detection of computer viruses harder. Thanks a lot to herm1t and hh86 for discussion and asking the right questions.
The Mental Driller
«Metamorphism in practice or "How I made MetaPHOR and what I've learnt"» [SRC] (0) 66.25Kb 25936 hits
29a [6] (2002)
Metamorphism is the art of extreme mutation. This means, we mutate everything in the code, not only a possible decryptor. Metamorphism was the natural evolution from polymorphism, which appeared to evade virus scanners. With metamorphism, the difficulty to detect a virus grows exponentially. Then, why aren't there more metamorphic viruses? Simple: they are extremely difficult to make, as I show in this article (not only for tech used, but for the many fux0ring problems we can when we code something like that). Anyway, we'll try to see here that maybe the important thing is to have the correct ideas (something that coders like Vecna, Z0MBiE and others had - hello! :).
Andrew Walenstein, Rachit Mathur, Mohamed Chouchane, Arun Lakhotia
«The Design Space of Metamorphic Malware» [TeX] (0) 38.28Kb 7763 hits
Proceedings of the 2nd International Conference on Information Warfare, (Monterey, CA, U.S.A., Mar 8-9), 2007. (2007)
A design space is presented for metamorphic malware. Metamorphic malware is the class of malicious self-replicating programs that are able to transform their own code when replicating. The raison d'etre for metamorphism is to evade recognition by malware scanners; the transformations are meant to defeat analysis and decrease the number of constant patterns that may be used for recognition. Unlike prior treatments, the design space is organized according to the malware author's goals, options, and implications of design choice. The advantage of this design space structure is that it highlights forces acting on the malware author, which should help predict future developments in metamorphic engines and thus enable a proactive defence response from the community. In addition, the analysis provides effective nomenclature for classifying and comparing malware and scanners.
Z0mbie
«About reversing» (0) 13.78Kb 8015 hits
Reversing of executable files is the only base to write undetectable viruses. This is based on the following axiom: complexity C1 of detecting the virus itself, when the virus location is given, and complexity C2 of finding possible virus locations within infected objects, are different; and the total complexity of detecting virus presence is a product of them, i.e. C1 * C2. Both complexities are interrelated; and both are limited by the object to be infected. This means that there exists some maximal complexity, which, when reached, will divide object and virus into different parts. As such, our task is to build optimal infection methods: when the product of these complexities will be maximal, but not critically high, and thus only iteration-based detection methods will be effective. For example: writing a poly decryptor is good, but inserting it always into a constant place, such as the end of the last section, is bad. Writing a very big poly decryptor is bad in any case. Putting a plain virus into any place of the program, even into a random place, is bad. So, the questions are: how polymorphic should the virus be; in how many ways may it be inserted into a file; and, because these two things are interrelated, where is the optimal combination. To find answers to these questions, the virus must know everything about itself and about the file to be infected. The first part can be easily achieved; this was shown to us in lots of metamorphic viruses. The second part is much harder, and this is also the subject of this article: how can a virus find out more information about the file it wants to infect.
«Automated reverse engineering: Mistfall engine» (0) 17.12Kb 14348 hits
(2000)
Our efforts are directed to developing such a method of executable program modification that finding the changes will require a maximal amount of time. Modification means addition of the viral code to some specified program, given in the PE format. It is obvious that the main viral body should be encrypted, and the metamorphic (generated) virus decryptor should be integrated with the program's code.
«Data encoding in meta viruses» (0) 7.35Kb 5774 hits
«Metamorphism (part 1)» (0) 30.45Kb 7678 hits
(2000)
«Metamorphism and permutation: feel the difference» (0) 1.13Kb 5265 hits
«Some ideas about metamorphism» (0) 5.41Kb 5986 hits
Not long ago an idea appeared about a virus consisting of only NOPs. Let us have such a typical program that its code (in different places, but consecutively) contains the same instructions, blocks of instructions or their functional variants that can be used in some virus. Then it will be enough to fill all other parts of that program's code with NOPs, so all remaining instructions will become the virus itself. Thus, from the viewpoint of performed modifications, the virus will consist of only NOPs. This can be not only the simple program, but the program with all its DLLs; moreover, we can insert not only NOPs, but lots of other garbage. In other words, standard infection by means of adding new instructions here changes into the inverse operation, which removes unnecessary instructions. Of course, there will be troubles with constants; but if you're interested, you will invent something.
10 authors, 15 titles