Protective Virus Shield For Polymorphic Viruses Computer Science Essay


Viruses and other malware are serious threats to system security. So many viruses exist today that it has become difficult to give a precise definition. Polymorphic and metamorphic viruses are two commonly known kinds. A polymorphic virus changes its signature each time it replicates by slightly modifying itself, thus avoiding detection.

Research on this topic reveals that the first polymorphic virus was developed in 1990, and later many generator kits were developed that simplified the work of virus writers. These kits let people with no knowledge develop brand new viruses. There are also many packers and wrappers that can be used on top of viruses.

In this project, we analyze different polymorphic viruses and try to develop a clever application that encrypts, mutates and protects any polymorphic virus, thus making it stronger.


Virus attacks began in the early 1970s. Since then, many virus writers have tried to create new types of viruses. Virus-like programs first appeared on microcomputers in the 1980s. Modern technology has changed the way we learn, work, play and live, but it does not offer the luxury of high availability and accessibility without endangering the security and privacy of information. No matter how securely data is stored and accessed, information still gets stolen. Every second of every day, somebody in the world has their identity or money seized. Even worse, information worth a great deal of time, energy and resources is completely wiped out by malicious programs, causing huge losses. Virus code has become more and more complex from the beginning. To challenge virus-scanning products, virus writers constantly develop new obfuscation techniques that make viruses more difficult to detect. To escape generic scanning, a virus can modify its code and alter its appearance at each infection. The techniques employed to achieve this range from encryption and polymorphism to modern metamorphic techniques.

There are different kinds of viruses, namely polymorphic viruses, metamorphic viruses, worms, Trojan horses and other malware. Virus writers developed numerous polymorphic engines and, as a result, virus scanners became stronger in order to handle them. Of all these, metamorphic viruses are believed to be the most dangerous. Metamorphic viruses are very destructive because they are very difficult to identify. Many virus writers nowadays prefer to write metamorphic viruses, because even after spending months writing a polymorphic virus, there is a chance that it will be detected. This is not the case for a metamorphic virus.

Virus construction kits are readily available on the Internet. These kits allow people with limited technical knowledge to develop potentially devastating malware. Virus construction kit developers often use metamorphism as a way to avoid signature-based detection.

In my writing project I wish to develop a metamorphic virus that carries its generator along with it. If a virus carries its own generator, it becomes more difficult to detect. If this is implemented successfully, every copy of the virus produced will also carry a generator. In this writing project, I will explain the different types of viruses that exist and the kits used to generate metamorphic viruses.

Related Work

History of viruses

Viruses have existed for a long time. They are malicious programs that have threatened the world of computers for about thirty years and will be more challenging than ever before. Virus writers work hard to create viruses that are destructive and undetectable, while antivirus developers strive to find ways to detect them. A group of college students created the first virus; those viruses were harmless. Generally, a computer virus tries to modify a host program in order to replicate itself: the host is modified to contain a copy of the malicious code, and when the infected host is executed, it in turn starts infecting other objects on the system. A computer virus is generally said to have the following modules:

define virus():
    infect()
    if trigger() is true then
        payload()

Figure 1: simple virus pseudo code (Desai, 2008)

Figure 1 shows sample pseudo code for a simple virus. Here, infect() decides how the virus spreads, trigger() decides whether the payload is delivered, and payload() defines the damage performed by the virus. Previously, to create a virus a writer needed an extensive knowledge of assembly language. This is no longer necessary, as even a novice can create strains of existing viruses with the help of mutation engines and virus creation kits. Each virus has unique characteristics that make it distinct from others.

Types of viruses

There are different types of computer viruses; some are standalone and some use the Internet to propagate. A few of the types are listed below:

2.2.1 Boot Sector Viruses

One of the oldest and most popular virus types, dating from the late 1980s, is the boot sector virus. It replaces the Master Boot Record (MBR) or the boot sector of the hard drive with its own code. The boot sector is the drive sector where the Operating System (OS) boot loader lives. The Basic Input/Output System (BIOS) transfers control to the boot sector at the end of the Power-On Self-Test (POST) to hand off to the OS during booting. Infecting the boot sector lets the virus take control whenever the system boots, stay hidden in memory at runtime, and perform its malicious activities.

2.2.2 Encrypted viruses

The simplest way to change a virus's appearance is encryption. An encrypted virus has two parts: a decryptor module and the encrypted body. The decryptor executes when an infected program runs and decrypts the virus body. The encryption key changes each time the virus mutates, which makes it difficult to detect.

One of the first viruses to use encryption was the DOS virus Cascade. Its algorithm was a little more sophisticated than a simple substitution: it XORs each byte twice with variable values, one of which depends on the length of the program. The following is the decryptor of the Cascade virus:

    lea si, Start      ; position to decrypt (dynamically set)
    mov sp, 0682       ; length of encrypted body (1666 bytes)
Decrypt:
    xor [si], si       ; decryption key/counter 1
    xor [si], sp       ; decryption key/counter 2
    inc si             ; increment one counter
    dec sp             ; decrement the other
    jnz Decrypt        ; loop until all bytes are decrypted
Start:                 ; encrypted/decrypted virus body

Although such encryption is cryptographically weak, early antivirus programs could detect these viruses only by matching the decryptor with search strings. Nowadays virus writers do not prefer to write such viruses, because current virus scanners are capable of detecting encrypted viruses since the decryptor code itself is detectable.

2.2.3 Polymorphic viruses

The next type is the polymorphic virus. It solves the previous problem because polymorphic viruses contain a mutated decryptor: each copy of a polymorphic virus carries a different decryptor. This makes polymorphic viruses difficult for virus scanners to detect. Some polymorphic viruses carry a constant encrypted virus body, and hence even polymorphic viruses are detectable. In a polymorphic virus, 90% of the code is the malicious code and the remaining 10% is the encryption and decryption key or the polymorphic engine. The following is the execution cycle of a polymorphic virus:

Generate new key to morph the variant

Execute Malware

Decrypt malicious code

Extract key information

Figure 2: Polymorphic Virus Execution Cycle

To detect polymorphic viruses, antivirus software incorporates a code emulator, which emulates the decryption process and dynamically decrypts the encrypted virus body. Because all instances of a polymorphic virus carry a constant but encrypted virus body, detection is still possible based on the putative decrypted virus body.
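The Cascade decryptor listed under 2.2.2, emulated in Python the way the scanner-side code emulator described here would run it. This is an added example, not code from the essay or from the virus; the body bytes and the two load offsets are constructed placeholders, and the "emulator" is a hand-written loop for this one routine rather than a general CPU emulator.

```python
def cascade_loop(mem, start, length=0x682):
    """Emulate the Cascade decryptor loop in place on `mem`, a bytearray that
    stands for a 64 KiB 16-bit segment.  SI starts at `start`, SP at `length`;
    each iteration XORs the little-endian word at [SI] with SI, then with SP,
    increments SI and decrements SP, and stops when SP reaches zero.  The key
    stream depends only on SI and SP, never on the data, so the same loop that
    decrypts the body is also what produced the ciphertext (XOR is an involution)."""
    si, sp = start & 0xFFFF, length & 0xFFFF
    while True:
        lo, hi = si, (si + 1) & 0xFFFF
        word = mem[lo] | (mem[hi] << 8)
        word ^= si                      # xor [si], si
        word ^= sp                      # xor [si], sp
        mem[lo], mem[hi] = word & 0xFF, word >> 8
        si = (si + 1) & 0xFFFF          # inc si
        sp = (sp - 1) & 0xFFFF          # dec sp
        if sp == 0:                     # jnz Decrypt
            return mem


def encrypted_sample(body, start):
    """Constructed stand-in for an infected image: `body` is placed at offset
    `start` of an otherwise empty segment and passed through the same loop.
    Because SI is part of the key, the same body at a different offset gives a
    different ciphertext, which is why a plain search string over the body fails."""
    mem = bytearray(0x10000)
    mem[start:start + len(body)] = body
    return cascade_loop(mem, start, len(body))


def emulate_and_extract(mem, start, length):
    """What the scanner's emulator does: run the decryptor to completion on a
    copy of the image and return the recovered body, which is constant across
    samples and can therefore be matched against a signature."""
    work = bytearray(mem)
    cascade_loop(work, start, length)
    return bytes(work[start:start + length])


# Constructed placeholder body of exactly 0x682 = 1666 bytes (not virus code).
BODY = bytes(i & 0xFF for i in range(0x682))
```

Running the two samples through emulate_and_extract yields the identical BODY even though their encrypted forms differ byte for byte.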

2.2.4 Metamorphic viruses

Metamorphic viruses are the most dangerous, as they are not detectable and a user will not even know that the virus is present on the system. The virus achieves this by changing its structure each time it mutates, so each copy of a metamorphic virus differs from its parent. To achieve metamorphism, these viruses use techniques such as code obfuscation, junk code insertion, register renaming, permutation and unconditional jumps.

Evol is one of the more destructive metamorphic viruses to date. Its morphing engine uses garbage code insertion and simple code obfuscation techniques. Code snippets of two variants of the virus are shown in Figures 3 and 4:

Figure 3: First variant of Evol

Figure 4: Second variant of Evol

As mentioned earlier, since a metamorphic virus changes its shape, the different versions of a metamorphic virus look like:

Figure 5: Different forms of metamorphic virus (Desai, 2008)

It is believed that 80% of metamorphic virus code is the metamorphic engine and the remaining 20% is the actual virus code. The metamorphic engine has to be the best in order to produce the best virus; here "best" means undetectable.

Obfuscation techniques

Several code obfuscation techniques used in metamorphic viruses are not used in polymorphic or other viruses. These obfuscation techniques make metamorphic viruses undetectable. A few of them are as follows:

Garbage code insertion

Garbage code (or junk code) insertion is a simple technique used by many metamorphic and polymorphic viruses to evolve their code. The idea is to make the code look different so that no usable hexadecimal search string can be extracted. The inserted instructions are called garbage because they have no effect on the functionality of the code. One function of Evol's metamorphic engine was to insert garbage between core instructions.

Register Usage Exchange

Another simple technique used by metamorphic viruses is register usage exchange. This method was used by the Win95/Regswap virus, written by the virus writer Vecna and released in 1998. Different generations of the virus use the same code but with different registers. The following two pieces of code belong to two different generations of the Regswap virus:

It is obvious that the complexity of this virus is not high, and the different generations have enough code in common to enable detection using wildcard strings.

Permutation Techniques

The Win32/Ghost and Win95/Zperm viruses introduced a new level of metamorphism. Although the virus code is constant, metamorphosis is achieved by dividing the code into frames, positioning the frames randomly and connecting them with branch instructions to maintain the flow of execution. The branch instructions can be simple jump instructions or a more complex transfer of control such as "push val32; ret". The flow of control always remains the same. The Win32/Ghost virus, discovered in May 2000, could re-order its subroutines from generation to generation. It had 10 subroutines, so there were 10! = 3628800 possible virus generations. The following figure illustrates how a virus re-orders its modules:

Figure 6: Illustration of Module Re-Ordering

Insertion of Jump Instruction

Another method some metamorphic viruses use to create new generations is inserting jump instructions into their code. The Win95/Zperm virus is a very good example of this technique. It inserts and removes jump instructions within its code, each jump pointing to the next instruction of the virus. An example of code reordering using jump instructions is shown below:

Figure 7: Illustration of Jump Instruction

Instruction Replacement

Some metamorphic viruses can replace some of their instructions with other equivalent instructions. In addition to jump insertion, Win95/Zperm could perform instruction replacement. For example, it could replace the instruction "xor eax, eax" with "sub eax, eax". Both instructions perform the same function (zeroing the eax register) but have different opcodes.
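A scanner-side normalisation pass, added here as an example (it is not code from the essay or from any virus it names), that undoes the three text-level transformations just described before a signature is computed: Evol-style junk instructions are dropped, the Zperm "sub r, r" spelling is folded back to "xor r, r", and Regswap-style register exchange is cancelled by renaming registers in order of first use. The two assembly variants are constructed for the example; the junk-instruction and equivalence tables are deliberately small.

```python
import hashlib
import re

# Registers a metamorphic engine may freely swap (as Regswap did); esp/ebp are
# left alone because they carry stack semantics and are not interchangeable.
REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi)\b")

def parse(line):
    """Split 'mnemonic op1, op2 ; comment' into (mnemonic, [operands])."""
    line = line.split(";", 1)[0].strip().lower()
    if not line:
        return None
    parts = line.split(None, 1)
    return parts[0], ([o.strip() for o in parts[1].split(",")] if len(parts) > 1 else [])

def is_garbage(mn, ops):
    """Instructions with no architectural effect, the kind Evol inserts."""
    return mn == "nop" or (len(ops) == 2 and ((mn == "mov" and ops[0] == ops[1])
                                              or (mn in ("add", "sub") and ops[1] == "0")))

def canonical(mn, ops):
    """Fold equivalent spellings onto one form: sub r, r -> xor r, r (Zperm)."""
    if mn == "sub" and len(ops) == 2 and ops[0] == ops[1]:
        return "xor", ops
    return mn, ops

def normalize(asm):
    """Drop junk, canonicalise, and rename registers in order of first use."""
    renames, out = {}, []
    for line in asm.splitlines():
        ins = parse(line)
        if ins is None or is_garbage(*ins):
            continue
        mn, ops = canonical(*ins)
        ops = [REG_RE.sub(lambda m: renames.setdefault(m.group(1), f"r{len(renames)}"), op)
               for op in ops]
        out.append(mn + (" " + ", ".join(ops) if ops else ""))
    return "\n".join(out)

def signature(asm):
    """SHA-256 of the normalised listing; equal across variants of one routine."""
    return hashlib.sha256(normalize(asm).encode()).hexdigest()

# Two constructed variants of a harmless summing-loop body (not virus code):
# VARIANT_B swaps registers, inserts junk and spells the zeroing as sub.
VARIANT_A = """
    xor eax, eax
    mov ecx, [esi]
    add eax, ecx
    inc esi
"""
VARIANT_B = """
    sub ebx, ebx     ; same effect as xor ebx, ebx
    nop              ; junk
    mov edx, [edi]
    add ebx, edx
    add edi, 0       ; junk
    inc edi
"""
```

Both variants normalise to the same four-line listing and therefore the same signature; permutation and jump insertion (Ghost, Zperm) survive this pass and need control-flow reconstruction or emulation rather than text-level normalisation.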

Virus creation kits

Metamorphic generators and metamorphic viruses are very hard to create. To simplify this task, a few metamorphic generation kits are readily available online, which makes virus writers' jobs easy. With the help of these kits, even a novice user can create a metamorphic virus. The kits are capable of creating mutating versions of viruses, making them difficult to identify. A few of the best kits available are the Next Generation Virus Creation Kit, Metamorphic Mutation Kits, Second-Generation Virus Generator, Mass Coded Generator and Virus Creation Kit. Of all these, the Next Generation Virus Creation Kit is considered the best. A lot of research on this kit has shown that virus scanners fail to detect the viruses it generates.

The research paper "Hunting for Metamorphic Engines" by Wing Wong reports many experiments on the virus generator kits listed above. The metamorphic engine is said to have the following parts:

Figure 8: Parts of metamorphic generator kit (Wong & Stamp, Hunting for Metamorphic Engines, 2006)

The disassembler converts machine code into assembly language. The shrinker uses code obfuscation techniques to change the original virus code into equivalent code. The permutator shuffles and permutes the garbage code and jump statements. The assembler produces the machine code of a new variant that looks different but has the same functionality.

The Anatomy of the metamorphic engine is illustrated as follows.

Figure 9: Anatomy of Metamorphic Engine

Locate own code: Each time a metamorphic engine is called to transform some code, it must be able to locate that code. Metamorphic viruses that transform both their own code and the code of their host must be able to locate their own code in the new variants.

Decode: Next, the engine needs to decode the information required to perform the transformations. In order to transform itself, the engine must have some representation of itself so that it knows how to make the transformations. The metamorphic engine may also need to decode other types of information required for analysis or transformation.

Analyze: In order for the metamorphic transformations to work correctly, certain information must be available. For some transformations to be performed correctly, the engine must have register liveness information available. If such information is not available, the metamorphic engine itself must construct it.

Transform: This unit is responsible for transforming the code into equivalent code. This is usually done by replacing instruction blocks in the code with other, equivalent ones.

Attach: The last step the metamorphic engine has to take is to attach the new generation of the virus to a new host file.

The units are ordered according to the direction of information flow, which is not necessarily the execution order. The feedback loop shows that the output of a metamorphic engine may become its input in the next generation.

Proposed Metamorphic virus

Many metamorphic viruses exist. Some of them are very simple and some are very destructive. The strength of a metamorphic virus depends upon the generator it uses.

The key goals of a metamorphic malware author are thwarting detection by reducing the number of identifiable patterns and raising the level of difficulty for analysis. For the former purpose, program transformations are selected that alter the form of the code without affecting its functionality; in general, the aim is maximal change in form between all variants created. For the latter purpose, obfuscating transformations can be used, or transformations can be selected that require the solution of problems too difficult for scanners to perform.

The type of metamorphic virus that I am proposing is different from the existing ones. It is known that 80% of metamorphic virus code is the metamorphic engine. The viruses available until now have standalone engines; none of them carries its engine wherever it goes. My thesis aim is to insert the generator into the virus code so that wherever the virus mutates, it carries its generator along with it.


Metamorphic viruses transform their code as they propagate, thus evading detection by static signature-based virus scanners. They use several metamorphic transformations, including register renaming, code permutation, code expansion, code shrinking and garbage code insertion. NGVCK and VCL32 are virus generators that can automatically generate variations of a virus. Virus writers and anti-virus researchers generally agree that metamorphism is a potent method for generating difficult-to-detect viruses. Several virus writers have released virus creation kits and claimed that they can automatically produce morphed virus variants that look substantially different from one another. My thesis will aim at joining the virus with its generator to produce a new type of metamorphic virus.