Adrian Marinescu
Virus Bulletin, Jul 1999, pp.8-9
ISSN 0956-9979
July 1999
The MtE mutation engine was something quite new in virus programming, and led to important changes. Since then, polymorphism has been one of the ways virus writers have chosen to protect their creations from scanning engines. The development of code emulators and good cryptanalytic algorithms meant that anti-virus products needed only slight changes and/or updates in order to detect most of the new polymorphic viruses. Nevertheless, there were a few cases of polymorphic viruses that could not be detected at all for a long time; Zhengxi (see VB, April 1996, p.8) and Uruguay (December 1992, p.12) are good examples.
All polymorphic engines were based on the same idea: keep the virus body in encrypted form, using a variable key/algorithm, and generate polymorphic code that decrypts the rest of the body and executes it. Some of the first viruses not based on this idea were the members of the Ply family. Ply is not encrypted, but it has no parts constant enough to extract a reliable signature from.
Using a slightly modified idea, the TMC family managed to get into the wild. TMC had many small constant parts, linked with jumps. That made algorithmic detection easy to write for this virus, but the door was now open. Viruses of this kind were the first that could not be exactly identified, raising big problems regarding their disinfection.
Then the ZCME family used the same idea, mixing the code in a 16 KB buffer. Its only weakness was that algorithmic routines still worked, because there were many small constant pieces that could be used for detection. Last year, a new kind of virus came up. Called Lexotran, it was able to generate different-looking forms with the same result. The idea was to keep the mixing engine in encrypted form - the mixing engine itself processed the virus body during infection before creating new and highly variable shapes of itself. The drawback was that the mixing engine was linearly encrypted with 8-bit keys. That could be used to write a detection algorithm to search for the encrypted part in the virus body.
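Why a body encrypted linearly with one 8-bit key is still searchable without knowing the key, as an added illustration that is not code from the article: the XOR (or modular difference) of adjacent bytes is unchanged by a constant XOR (or ADD) key, so a scanner can match that key-invariant form and recover the key afterwards. The plaintext fragment and the two cipher schemes are constructed assumptions.

```python
from typing import List, Tuple

# Constructed stand-in for a known plaintext fragment of a virus body.
PLAIN_FRAGMENT = b"\xb8\x00\x4c\xcd\x21\x8b\xd8\xb4\x3e\xcd\x21"


def xor_encrypt(data: bytes, key: int) -> bytes:
    """Linear XOR with one constant 8-bit key (the weak scheme discussed)."""
    return bytes(b ^ key for b in data)


def add_encrypt(data: bytes, key: int) -> bytes:
    """Linear ADD with one constant 8-bit key (another linear scheme)."""
    return bytes((b + key) & 0xFF for b in data)


def xor_delta(data: bytes) -> bytes:
    """Key-invariant form for XOR: each byte XORed with its successor."""
    return bytes(a ^ b for a, b in zip(data, data[1:]))


def add_delta(data: bytes) -> bytes:
    """Key-invariant form for ADD: successive differences modulo 256."""
    return bytes((b - a) & 0xFF for a, b in zip(data, data[1:]))


def find_encrypted(image: bytes, plain: bytes) -> List[Tuple[int, str, int]]:
    """Locate `plain` inside `image` under any 8-bit XOR or ADD key.

    Returns (offset, scheme, recovered_key) for every hit. The key is
    recovered from the first byte once the key-invariant form matches.
    """
    hits = []
    n = len(plain)
    xor_sig, add_sig = xor_delta(plain), add_delta(plain)
    for off in range(len(image) - n + 1):
        window = image[off:off + n]
        if xor_delta(window) == xor_sig:
            hits.append((off, "xor", window[0] ^ plain[0]))
        elif add_delta(window) == add_sig:
            hits.append((off, "add", (window[0] - plain[0]) & 0xFF))
    return hits


def demo_image() -> bytes:
    """Constructed file image: filler, XOR-encrypted body, filler, ADD-encrypted body."""
    filler = b"\x00" * 8
    return filler + xor_encrypt(PLAIN_FRAGMENT, 0x5A) + filler + add_encrypt(PLAIN_FRAGMENT, 0x33)
```

Scattering the encrypted body into pieces spread across the image, as described next for ACG, is what defeats this kind of contiguous-window search.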
The author of the ACG family understood this disadvantage and developed a new idea - what if the encrypted body is not stored in one piece, but in several scrambled pieces spread through the entire virus image? The ACG family is not a dangerous one, but its polymorphic engine is well written and very stable. The main problem is that the engine could easily be reused in other, far more dangerous viruses. Also, the idea can be successfully applied to Windows viruses, potentially making this kind of virus a big problem in the future.