The Mechanism of Polymorphic
   and Metamorphic Virus

                          Li Xufang
   CSIT-TL@NTU Computer Security Lab
What is a polymorphic virus?

 A polymorphic virus is a computer virus that mutates its own code each time
 it replicates, so that no two copies share a fixed byte pattern and
 signature-based antivirus software cannot identify it from a single string.
 It is a sophisticated type of virus: it can wreak havoc on a computer
 system while evading detection.
 "Chameleon" (1260) was the first polymorphic virus, written in the early '90s.
 DOS polymorphic viruses can infect COM files, EXE files and the Master Boot
 Record, combining encryption, instruction mutation and stealth capability.
 Well-known polymorphic engines of that period:
     MtE 0.90 (Mutation Engine)
     TPE (Trident Polymorphic Engine), four versions
     NED (Nuke Encryption Device)
     DAME (Dark Angel's Multiple Encryptor)
  In early 1992 the famous 'Dedicated' virus appeared, built on MtE, the
  first known polymorphic generator.
Polymorphism techniques
 Entry point obfuscation (EPO): the decryptor is not placed at the host's entry
 point but reached indirectly, so a scanner that only inspects code at the entry
 point never sees it
 Garbage code insertion
    NOP opcode insertion
    Complex dead code: useless instructions that are semantically equivalent to no
    operation (for example pairs of instructions that cancel each other out)
 Encryptor and decryptor: the body is stored encrypted and a variable decryptor
 restores it at run time
 Instruction permutation: independent instructions are reordered between generations
 Instruction placement: the decryptor's blocks are scattered and linked by jumps
 Pseudo-random index decryption (PRGA): the decryption index is driven by a
 keystream generator rather than a linear counter. RC4's PRGA is the usual
 example: it modifies the state S and outputs one byte of key stream per
 iteration. In each iteration it increments i, adds S[i] to j, exchanges S[i]
 and S[j], and then outputs the element of S at S[i] + S[j] (modulo 256).
 Each element of S is swapped with another element at least once every 256
 iterations.
 Out-of-order decryptor generation
 Register randomization: the registers the decryptor uses change from one
 generation to the next
 Polymorphic generator: the engine that produces a new decryptor for every infection
Polymorphic decryptor – Malicious Cryptography
Not all ciphering algorithms are equivalent: a XOR with a short key is easy to
cryptanalyse (a few bytes of known plaintext give away the key).
A well-tested alternative is to make the key impossible to retrieve from the
sample, as in the Random Decryption Algorithm (RDA): the virus encrypts its body
with a key it then discards, and the decryptor recovers the key at run time by
brute force, checking each candidate against a stored checksum of the plaintext.
Whoever wants to see the body, analyst or emulator, must repeat the whole search.
The weak crypto
   Deterministic RDA: the computation time is always the same (W32/Crypto)
   Non-deterministic RDA: the computation time cannot be predicted (W32/IHSix)
The strong crypto
   A deciphering function D gathers the information needed to compute the key and
   decipher the corresponding code.
   Encrypted code EVP1 (key k1) contains all the anti-antiviral mechanisms.
   Encrypted code EVP2 (key k2) is in charge of the infection and
   polymorphism/metamorphism mechanisms.
   Encrypted code EVP3 (key k3) contains all the optional payloads.

   (Frederic Raynal, "Malicious Cryptography, Part two", Symantec technical
    papers, 15 May 2006)
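The RDA mechanism above as an added worked example (not code from the slides or from Raynal's paper): the body is XORed with a random key that is then discarded; only the ciphertext, the key width and a CRC32 of the plaintext survive in the sample, and the decryptor recovers the key by exhaustive search. The 16-bit key width, the CRC32 check, the function names and the sample body are this example's own assumptions; real samples use larger key spaces or heavier per-candidate work.

```python
import random
import zlib
from dataclasses import dataclass


def xor_stream(data: bytes, key: int, key_bytes: int) -> bytes:
    """XOR data with a little-endian key repeated over the whole buffer.
    Done as one big-integer XOR so the brute-force loop stays fast in Python."""
    ks = key.to_bytes(key_bytes, "little")
    stream = (ks * (len(data) // key_bytes + 1))[:len(data)]
    x = int.from_bytes(data, "big") ^ int.from_bytes(stream, "big")
    return x.to_bytes(len(data), "big")


@dataclass(frozen=True)
class RdaEnvelope:
    """Everything that survives in the sample. The key itself is discarded."""
    ciphertext: bytes
    plain_crc: int      # checksum of the plaintext: the only way to recognise the right key
    key_bits: int


def rda_encrypt(body: bytes, key: int, key_bits: int = 16) -> RdaEnvelope:
    """Encrypt with `key` (drawn at random by the infector) and forget it."""
    return RdaEnvelope(xor_stream(body, key, key_bits // 8), zlib.crc32(body), key_bits)


def rda_decrypt(env: RdaEnvelope, start: int = 0):
    """Try every key from `start` (wrapping round) until a candidate plaintext
    carries the stored checksum. Returns (plaintext, key, tries)."""
    space, width = 1 << env.key_bits, env.key_bits // 8
    for tries in range(1, space + 1):
        key = (start + tries - 1) % space
        candidate = xor_stream(env.ciphertext, key, width)
        if zlib.crc32(candidate) == env.plain_crc:
            return candidate, key, tries
    raise ValueError("no key in the space reproduces the stored checksum")


def deterministic_rda(env: RdaEnvelope):
    """Fixed search order (the W32/Crypto case on the slide): a given sample
    always costs the same number of tries."""
    return rda_decrypt(env, start=0)


def nondeterministic_rda(env: RdaEnvelope, rng=None):
    """Random starting point (the W32/IHSix case): the cost varies per run."""
    rng = rng or random.SystemRandom()
    return rda_decrypt(env, start=rng.randrange(1 << env.key_bits))


# Constructed stand-in for a virus body: a stack-frame prologue plus filler.
BODY = bytes.fromhex("558bec83ec10") + b"rda body sample (constructed)".ljust(58, b"\x90")

if __name__ == "__main__":
    env = rda_encrypt(BODY, key=random.SystemRandom().randrange(1 << 16))
    plaintext, key, tries = deterministic_rda(env)
    print(f"recovered key {key:#06x} after {tries} tries; body restored: {plaintext == BODY}")
```

With the deterministic variant the number of tries for a given sample is fixed (key + 1 here), so an emulator that gives up after a time budget fails in a predictable way; with the random starting point the same sample costs a different amount on every run. Either way the body is invisible until the search completes, which is the anti-emulation point of RDA.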
How is a polymorphic virus created?

 [Figure: the polymorphic engine constantly creates new random encryptions of
 the same virus body with different keys (Key 1, Key 2, ..., Key n).]
Polymorphic Encryption Techniques

 Simple encryption
    "XOR" or "ADD" with one key: A becomes B, B becomes C, C becomes D.
 Advanced technique: a different operation or key for each position
    XYZ: X is encrypted with A, Y with B, Z with C.
 Long key used in turn: each byte is combined with the next key byte and the
 key wraps round
     WVYYX with key ABCD: W with A, V with B, the first Y with C, the second Y
     with D, then the key wraps so X is paired with A again.
    The key is hard to guess from the ciphertext alone.
 Mutation encryption: multiple rounds, the code is encrypted again with a
 different key (or the same key).
 Transposition encryption: definitely weak, because it only reorders the
 original opcode bytes; the byte statistics of the body survive and the random
 permutation key must be recoverable from the sample.
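A worked version of these techniques, added here (not code from the slides): a schedule assigns an operation and a key byte to each position and repeats cyclically, several schedules stack into the "mutation" layers, and recover_key shows why a single short XOR or ADD key is weak once a few bytes of plaintext are known. The function names and the sample body are this example's own.

```python
OPS = {  # (encrypt, decrypt) for one byte under one key byte
    "xor": (lambda b, k: b ^ k, lambda c, k: c ^ k),
    "add": (lambda b, k: (b + k) & 0xFF, lambda c, k: (c - k) & 0xFF),
    "sub": (lambda b, k: (b - k) & 0xFF, lambda c, k: (c + k) & 0xFF),
}


def apply_layer(data: bytes, schedule, decrypt: bool = False) -> bytes:
    """One layer. Position i uses schedule[i % len(schedule)] = (op, key_byte),
    so a 4-entry XOR schedule with keys A,B,C,D pairs the bytes W,V,Y,Y,X with
    A,B,C,D and then A again: the slide's "long key in turn"."""
    out = bytearray()
    for i, b in enumerate(data):
        op, k = schedule[i % len(schedule)]
        out.append(OPS[op][1 if decrypt else 0](b, k))
    return bytes(out)


def encrypt_layers(data: bytes, layers) -> bytes:
    """"Mutation encrypt": apply every schedule in turn, each on the previous output."""
    for schedule in layers:
        data = apply_layer(data, schedule)
    return data


def decrypt_layers(data: bytes, layers) -> bytes:
    for schedule in reversed(layers):          # peel the layers off in reverse order
        data = apply_layer(data, schedule, decrypt=True)
    return data


def recover_key(ciphertext: bytes, known_plaintext: bytes, op: str, key_len: int) -> bytes:
    """Known-plaintext attack on one layer that uses a single operation with a
    short repeating key: key_len bytes of known plaintext (a standard prologue,
    a header string) give the whole key, which then decrypts everything."""
    inverse = {"xor": lambda c, p: c ^ p,
               "add": lambda c, p: (c - p) & 0xFF,
               "sub": lambda c, p: (p - c) & 0xFF}[op]
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(inverse(c, p) for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


# Constructed sample body: a common function prologue followed by filler.
BODY = bytes.fromhex("558bec83ec1053565733c0") + b"polymorphic body sample (constructed)"
ROTATING_XOR = [("xor", 0x41), ("xor", 0x42), ("xor", 0x43), ("xor", 0x44)]   # key "ABCD"
MIXED = [("add", 0x10), ("sub", 0x03), ("xor", 0x5A)]                          # per-position ops
```

Stacking layers or mixing operations per position makes the transformation less regular, but it remains a fixed, key-dependent byte map; the real strength of the scheme comes from the decryptor varying, not from the cipher, which is why the slides move on to the decryptor next.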
Win32/Vundo polymorphic virus

      Entry Point Obfuscation (EPO)

      Instruction permutation

      Two byte sequences from the decryptor, as shown on the slide:
      Opcode: 24 E9 A4 FD FF FF FF 81 F0 37 79 DB
      To:     E9 A4 FD FF FF 81 F0 37 79 DB 07
      In the second form the bytes decode as jmp rel32 (E9 A4 FD FF FF) followed
      by xor eax, 07DB7937h (81 F0 37 79 DB 07). In the first form the leading
      24h byte is consumed as and al, 0E9h, followed by movsb (A4) and std (FD),
      so a linear disassembler never sees the jump: one byte shifts every
      instruction boundary after it.
Win32/Vundo Polymorphic Virus

 Disassembly of the decryptor's jump chain (the slide's two columns merged
 into one listing; ". . ." marks instructions omitted on the slide):

 loc_10001E74:                  ; EP
     nop
     jmp short loc_10001E84
 loc_10001E84:
     call eax
     push ecx
     push ecx
     jmp short loc_100012EF
     pop ecx
     add esp, 2
     nop
     nop
 loc_100012EF:
     jmp short loc_10001EA5
     jmp loc_10001098
 loc_10001098:
     . . .
     ror al, cl
     nop
     and ax, 7F4Dh
     jmp short loc
     sub eax, [esp+8+var_8]
     . . .
     and eax, 0
     jmp short loc
     add eax, offset sub_1000170E
     jmp loc_1000166E
     . . .
     nop
 loc_1000166E:
     jmp eax
     nop
     . . .
     jmp short loc_1000167D
     . . .
 loc_1000167D:
     xor al, cl
     push dword ptr [esp+8]
     mov ax, 1F07h
     xchg bx, bx
     shr ax, cl
     jmp loc_10001E74
     mov al, [eax]
     . . .

 Instructions placed after an unconditional jmp (for example the pop ecx /
 add esp, 2 after jmp short loc_100012EF) are dead code that a linear
 disassembler still has to wade through.
Win32/Vundo Polymorphic Virus

 Execution flow modification

 [Figure: from the entry point, control passes through Jump 1, junk, Jump 2,
 junk, Jump 3, ..., Jump n-1, junk, Jump n; only at the end of the chain does
 execution reach the high-entropy (encrypted) data.]
What is a metamorphic virus?

  In computer virus terms, metamorphic code is code that can reprogram
  itself. Often it does this by translating its own code into a temporary
  representation, editing that temporary representation, and then writing
  itself back out as normal code again.
  A metamorphic virus is one that is capable of rewriting its own code with
  each infection, or generation of infection, while maintaining the same
• Win32/Simile
• Win32/Zmist
Metamorphism technology

 Entry point obfuscation (EPO)
 Code permutation
    Conditional or unconditional branches control the order in which the
    permuted blocks execute
 Execution flow modification
    Insert jump and call instructions
 Code integration
    The virus code is inserted into the host's own code; relocations and data
    references are updated accordingly (Win32/Zmist)
 Metamorphism generator
 Polymorphic decryptor
 Anti-emulator
Example of code emulation

     [Figure from Szor and Ferrie, "Hunting for Metamorphic"]
Emulation process and virus detection

 [Figure: the engine randomly generates a new key and the corresponding
 decryptor code around the same virus body, producing mutation A, mutation B
 and mutation C; each one decrypts and executes the identical body.]

 To detect an unknown mutation of a known virus, emulate CPU execution of the
 sample until the current sequence of instruction opcodes matches the known
 sequence for the virus body. The decryptor varies but the decrypted body does
 not, so the signature is taken on the body and the emulator only has to run
 far enough to expose it.
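Added example (not code from the slides or from any real engine) covering both the polymorphism technique list earlier and the emulation-based detection described here: build_decryptor emits a new x86-32 decryptor stub for the same body on every call, with a randomised pointer register, operation, key and flag-neutral junk; emulate_until_match interprets exactly that instruction subset until the known body bytes appear at the instruction pointer. The image layout (decryptor at address 0, body immediately after it), the junk repertoire, the function names and the sample body are assumptions of this example.

```python
import random
import struct

M32 = 0xFFFFFFFF
PTR_REGS = [0, 2, 3, 6, 7]                  # eax, edx, ebx, esi, edi (ecx counts; esp/ebp need SIB/disp)
OP_DIGIT = {"add": 0, "sub": 5, "xor": 6}   # /digit of opcode 80h: op byte [reg], imm8


def transform(body, op, key, encrypt):
    """The decryptor applies `op` with `key`; encryption applies the inverse."""
    if op == "xor":
        return bytes(b ^ key for b in body)
    sign = -1 if (op == "add") == encrypt else 1
    return bytes((b + sign * key) & 0xFF for b in body)


def junk(rng, max_items=2):
    """Flag-neutral filler: nop / cld / clc or a push r / pop r pair. Nothing
    here touches ZF, so it may even sit between `dec ecx` and `jnz`."""
    out = bytearray()
    for _ in range(rng.randrange(max_items + 1)):
        if rng.random() < 0.5:
            out += rng.choice([b"\x90", b"\xFC", b"\xF8"])
        else:
            r = rng.choice([0, 1, 2, 3, 6, 7])
            out += bytes([0x50 + r, 0x58 + r])
    return bytes(out)


def build_decryptor(body, rng):
    """Return (decryptor, encrypted_body); the body is assumed to follow the
    decryptor in memory and the image to be loaded at address 0."""
    r = rng.choice(PTR_REGS)
    op = rng.choice(sorted(OP_DIGIT))
    key = rng.randrange(1, 256)
    code = bytearray(junk(rng))
    ptr_imm_at = len(code) + 1                                  # patched once the length is known
    code += bytes([0xB8 + r]) + b"\0\0\0\0"                     # mov ptr, imm32
    code += junk(rng)
    code += b"\xB9" + struct.pack("<I", len(body))              # mov ecx, len
    loop_top = len(code)
    code += bytes([0x80, (OP_DIGIT[op] << 3) | r, key])         # op byte [ptr], key
    code += bytes([0x40 + r])                                   # inc ptr
    code += junk(rng)
    code += b"\x49"                                             # dec ecx (sets ZF)
    code += junk(rng)
    code += bytes([0x75, (loop_top - (len(code) + 2)) & 0xFF])  # jnz loop_top
    code += junk(rng)
    struct.pack_into("<I", code, ptr_imm_at, len(code))         # body starts right after the stub
    return bytes(code), transform(body, op, key, encrypt=True)


def emulate_until_match(image, signature, max_steps=100_000):
    """Interpret the subset the engine emits, from address 0, until `signature`
    appears at the instruction pointer. Returns (matched, steps)."""
    mem, regs, stack, zf, ip = bytearray(image), [0] * 8, [], False, 0
    for step in range(max_steps):
        if mem[ip:ip + len(signature)] == signature:
            return True, step
        b = mem[ip]
        if b in (0x90, 0xFC, 0xF8):                      # nop / cld / clc
            ip += 1
        elif 0x50 <= b <= 0x57:                          # push r32 (side stack; esp not tracked)
            stack.append(regs[b & 7]); ip += 1
        elif 0x58 <= b <= 0x5F:                          # pop r32
            regs[b & 7] = stack.pop(); ip += 1
        elif 0xB8 <= b <= 0xBF:                          # mov r32, imm32
            regs[b & 7] = struct.unpack_from("<I", mem, ip + 1)[0]; ip += 5
        elif 0x40 <= b <= 0x4F:                          # inc / dec r32 (ZF updated)
            regs[b & 7] = (regs[b & 7] + (1 if b < 0x48 else -1)) & M32
            zf = regs[b & 7] == 0; ip += 1
        elif b == 0x80:                                  # add/sub/xor byte [r32], imm8
            modrm, imm = mem[ip + 1], mem[ip + 2]
            digit, rm = (modrm >> 3) & 7, modrm & 7
            if modrm >> 6 or rm in (4, 5):
                raise ValueError("addressing form not modelled")
            v = {0: mem[regs[rm]] + imm, 5: mem[regs[rm]] - imm, 6: mem[regs[rm]] ^ imm}[digit] & 0xFF
            mem[regs[rm]] = v; zf = v == 0; ip += 3
        elif b in (0x75, 0xEB):                          # jnz rel8 / jmp rel8
            rel = struct.unpack_from("<b", mem, ip + 1)[0]
            ip += 2 + (rel if (b == 0xEB or not zf) else 0)
        else:
            raise ValueError(f"unsupported opcode {b:#04x} at {ip:#x}")
    return False, max_steps


# Constructed stand-in for a virus body: a stack-frame prologue and filler.
BODY = bytes.fromhex("558bec83ec1053565733c0") + b"polymorphic body sample"
SIGNATURE = BODY[:8]


def generations(n, seed=7):
    """n mutations of BODY as (decryptor hex, static signature hit, emulation hit)."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        dec, enc = build_decryptor(BODY, rng)
        image = dec + enc
        out.append((dec.hex(), SIGNATURE in image, emulate_until_match(image, SIGNATURE)[0]))
    return out
```

generations(3) makes the slide's point concrete: the three decryptors differ byte for byte and none of the images contains the signature statically, yet the emulator exposes it in every one. The interpreter models only what the generator emits and raises on anything else, which is exactly the coverage gap a real engine exploits when it reaches for an instruction the scanner's emulator lacks.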
W32/Zmist virus
 Written by Zombie, a Russian polymorphic and metamorphic virus writer
 Entry point obscuring virus
 Randomly uses an additional polymorphic decryptor
 Code integration technology
 Mistfall engine: capable of decompiling portable executable files into their
 smallest elements
 Regenerates code and data references, including the relocation information,
 and rebuilds the executable
 Inserts jump instructions after every single instruction of the code
 Near-perfect anti-heuristic virus
 Not a single crash was seen during the test replications
Simplified Zmist Infection Process

 1. Pick a portable executable binary smaller than 448 KB.
 2. Disassemble it, insert space for the new code blocks, and generate a new
    binary.
 3. Insert the mutated virus body: split it into jump-linked "islands", mutate
    opcodes (XOR <-> SUB, OR <-> TEST), swap register moves and PUSH/POP, etc.
 4. Encrypt the virus body by XOR (or ADD, SUB) with a randomly generated key
    and insert the mutated decryptor. The decryptor must restore the host's
    registers before handing control back to the host.
 5. Insert random garbage instructions using the Executable Trash Generator.
 6. Randomly insert an indirect call or jump to the decryptor's entry point,
    or rely on the instruction flow to reach it.
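Added example (not Zmist's code and not from the slides) for the metamorphism techniques listed earlier and the Zmist steps above: a rewriter on a small textual x86 subset that performs the opcode mutations named on the slide (XOR <-> SUB zeroing, OR <-> TEST, register moves <-> PUSH/POP), inserts flag-neutral junk, and splits the code into shuffled, jump-linked islands; a tiny interpreter then checks that each mutant is functionally equivalent to the original. The assembly subset, the function names and the sample body are this example's assumptions.

```python
import random

REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi")
M32 = 0xFFFFFFFF


def parse(text):
    """'op a, b' lines and 'name:' labels -> tuples; ';' starts a comment."""
    prog = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        if line.endswith(":"):
            prog.append(("label", line[:-1]))
        else:
            op, _, rest = line.partition(" ")
            prog.append((op,) + tuple(a.strip() for a in rest.split(",") if a.strip()))
    return prog


def fmt(prog):
    return "\n".join(f"{i[1]}:" if i[0] == "label" else " ".join([i[0], ", ".join(i[1:])]).rstrip()
                     for i in prog)


def substitute(prog, rng):
    """Opcode mutation (XOR<->SUB zeroing, OR<->TEST self-test), mov<->push/pop,
    and flag-neutral junk. None of these change ZF between a test and its jump."""
    out = []
    for ins in prog:
        op = ins[0]
        if op in ("xor", "sub") and len(ins) == 3 and ins[1] == ins[2]:
            ins = ("sub" if op == "xor" else "xor",) + ins[1:]
        elif op in ("or", "test") and len(ins) == 3 and ins[1] == ins[2]:
            ins = ("test" if op == "or" else "or",) + ins[1:]
        elif op == "mov" and ins[2] in REGS and rng.random() < 0.5:
            out.append(("push", ins[2]))
            ins = ("pop", ins[1])
        if rng.random() < 0.3:
            r = rng.choice(REGS)
            out += rng.choice([[("nop",)], [("push", r), ("pop", r)], [("mov", r, r)]])
        out.append(ins)
    return out


def permute(prog, rng, cuts=3):
    """Split into islands, shuffle them, re-link with jmps so execution order is kept."""
    points = sorted(rng.sample(range(1, len(prog)), k=min(cuts, len(prog) - 1)))
    islands = [prog[a:b] for a, b in zip([0] + points, points + [len(prog)])]
    order = list(range(len(islands)))
    rng.shuffle(order)
    out = [("jmp", "island_0")]
    for idx in order:
        out.append(("label", f"island_{idx}"))
        out += islands[idx]
        out.append(("jmp", f"island_{idx + 1}" if idx + 1 < len(islands) else "island_end"))
    out.append(("label", "island_end"))
    return out


def mutate(text, rng):
    return fmt(permute(substitute(parse(text), rng), rng))


def run(prog, regs):
    """Execute the subset: mov/add/sub/xor/or/test/push/pop/nop/jmp/jz/jnz."""
    regs, stack, zf, pc = dict(regs), [], False, 0
    labels = {ins[1]: i for i, ins in enumerate(prog) if ins[0] == "label"}
    val = lambda x: regs[x] if x in regs else int(x, 0)
    for _ in range(10_000):
        if pc >= len(prog):
            return regs
        ins, pc = prog[pc], pc + 1
        op = ins[0]
        if op in ("label", "nop"):
            continue
        if op == "mov":
            regs[ins[1]] = val(ins[2])
        elif op == "push":
            stack.append(val(ins[1]))
        elif op == "pop":
            regs[ins[1]] = stack.pop()
        elif op in ("add", "sub", "xor", "or", "test"):
            a, b = val(ins[1]), val(ins[2])
            res = {"add": a + b, "sub": a - b, "xor": a ^ b, "or": a | b, "test": a & b}[op] & M32
            zf = res == 0
            if op != "test":
                regs[ins[1]] = res
        elif op == "jmp" or (op == "jz" and zf) or (op == "jnz" and not zf):
            pc = labels[ins[1]]
        elif op not in ("jz", "jnz"):
            raise ValueError(f"unsupported instruction {op}")
    raise RuntimeError("instruction budget exhausted")


def equivalent(text_a, text_b, rng, trials=50):
    """Differential test: identical final registers from random initial states."""
    a, b = parse(text_a), parse(text_b)
    return all(run(a, s) == run(b, s)
               for s in ({r: rng.randrange(1 << 32) for r in REGS} for _ in range(trials)))


# Constructed sample body: edx = ebx if ebx != 0 else 1; eax = edx + ecx.
SAMPLE = """
xor eax, eax
mov edx, ebx
or edx, edx
jnz nonzero
mov edx, 1
nonzero:
add eax, edx
add eax, ecx
"""
```

Every generation of mutate(SAMPLE, rng) has a different shape (different junk, different island order, different spellings of the same zeroing and test idioms) while the differential test keeps passing; a byte or opcode-sequence signature taken from one generation is useless against the next, which is why the detection section later turns to control-flow, semantic and emulation-based methods.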
Popular polymorphic and metamorphic viruses for Windows

Win32/Fujacks metamorphic virus

 File size: 173,580 bytes
 A metamorphic virus variant
 Infects PE files, compressed archives (.RAR, .ZIP et al.) and possibly HTML
 files, into which it writes malicious hyperlinks carrying the Windows ANI
 0-day exploit
 Upon execution it drops itself (TXPlatform.exe) and infected files
 Creates Desktop_1.ini in each infected folder to tag the folder as infected;
 the marker file is detected as W32/Fujacks.remnants
 Autorun worm
 Infection type: prepending (the virus body is placed in front of the host)
Win32/Fujacks Metamorphic Virus Technique
    Entry point obfuscation (EPO)
    Garbage code insertion (from the entry point onward)
    Instruction permutation
    Register randomization (EDI and ESI)
    Anti-virtual-machine checks
    Internally packed body
    Decompression algorithm
W32/Fujacks: Payload Technique

 MS06-050, Microsoft Hyperlink Object Library vulnerability (KB920670): a
 remote code execution vulnerability exists in the Hyperlink Object Library.
 The virus exploits it by constructing a malicious hyperlink that can lead to
 remote code execution and drop or download further malware.

 [Figure: hyperlink with malicious code]
Compressed files are infected by the Fujacks virus

  It can decompress .RAR and .ZIP files and infect the PE files inside them.
  Infection type: prepending

  [Figure: compressed files -> decompressing -> PE files -> infecting
  (malicious code) -> infected files]
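An added example (not Fujacks' code and not the slides' own) for the prepending infection described earlier and the archive scanning described here: pe_header_offsets looks for every plausible PE image start in a buffer, carve_prepended_host treats a second image following the first as the original host, and scan_zip applies the same check to PE members of a ZIP archive. The fake PE builder (an MZ stub whose e_lfanew points at a PE signature), the sizes, the function names and the archive are constructed for the example; a real scanner would also validate the COFF and optional headers.

```python
import io
import struct
import zipfile


def make_fake_pe(tag: bytes, size: int) -> bytes:
    """Constructed stand-in for a PE file: 'MZ', e_lfanew at 0x3C, 'PE\\0\\0', filler."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew -> right after the DOS header
    return bytes((hdr + b"PE\0\0" + tag).ljust(size, b"\0"))


def pe_header_offsets(data: bytes, max_lfanew: int = 0x1000):
    """Offsets of every plausible PE image start: an 'MZ' whose e_lfanew points
    at a 'PE\\0\\0' signature within a sane distance."""
    found, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if 0x40 <= lfanew <= max_lfanew and data[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
                found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found


def carve_prepended_host(data: bytes):
    """If a second PE image follows the one at offset 0, treat the leading image
    as the infector and return (infector_size, host_bytes); otherwise None."""
    offs = pe_header_offsets(data)
    if len(offs) < 2 or offs[0] != 0:
        return None
    return offs[1], data[offs[1]:]


def prepend_infect(virus: bytes, host: bytes) -> bytes:
    """Prepending infection: the infector comes first, the host is appended whole."""
    return virus + host


def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


def scan_zip(archive: bytes) -> dict:
    """Run the prepending check on every member that starts with 'MZ'."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if blob.startswith(b"MZ"):
                hits[name] = carve_prepended_host(blob) is not None
    return hits


HOST = make_fake_pe(b"host-program", 4096)
VIRUS = make_fake_pe(b"infector-stub", 173_580)   # size quoted on the slide; content constructed
INFECTED = prepend_infect(VIRUS, HOST)
```

A second embedded PE is evidence, not proof: installers and self-extractors legitimately carry PE images inside them. In practice the hit is corroborated with the fixed infector size the slide quotes or with the Desktop_1.ini marker before the leading image is stripped and the carved host restored.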
Win32/Fujacks Running Process

 [Figure: layout of an infected file (PE1) and its run-time flow. PE header,
 entry point plus garbage code, packed part and decryptor make up the
 infector; at run time the packed part is unpacked into the main file, which
 carries the malicious code; PE2 is the infected host file.]

 1. Drop malicious code
 2. Infect PE files in all folders
 3. Prepending
 4. Decompress archive files
 5. Hyperlink exploit
 6. Autorun
 7. Anti-debugger
 8. Anti-virtual machine
Win32/Fujacks Metamorphic virus

 [Figure: layout of an infected file. The infector part consists of the PE
 header, polymorphic instructions, encrypted data and the decryption engine;
 the original infected file follows.]
Novel analysis and detection methods for complex computer viruses
Control-flow methods (control-flow graph matching)
Behaviour monitoring
   File monitoring (drop, download, rewrite, insert)
   Registry monitoring
   Network monitoring
   Memory monitoring
   Hooking monitoring
   API call monitoring
   Process monitoring
Heuristic detection
Semantic analysis and detection
API call sequences
Opcode-sequence malware detection and analysis
Entropy calculation (finding encrypted and packed code)
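Added example (not from the slides) of the entropy calculator in the last bullet: Shannon entropy per fixed window over a file, with consecutive high-entropy windows merged into candidate encrypted or packed regions. The 7.0 bits-per-byte threshold, the 512-byte window, the function names and the constructed sample are this example's assumptions; Lyda and Hamrock's paper gives the measured ranges for native, packed and encrypted code.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for a constant buffer, 8 for a perfectly uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = 512, step: int = 512):
    """(offset, entropy) per window; a trailing partial window is kept."""
    return [(off, shannon_entropy(data[off:off + window])) for off in range(0, len(data), step)]


def suspicious_regions(data: bytes, window: int = 512, step: int = 512, threshold: float = 7.0):
    """Merge consecutive windows at or above `threshold` into (start, end) byte
    ranges. Whole-file entropy would average a small encrypted body away; the
    windowed profile localises it."""
    regions, current = [], None
    for off, h in entropy_profile(data, window, step):
        if h >= threshold:
            current = (current[0], off + window) if current else (off, off + window)
        elif current:
            regions.append(current)
            current = None
    if current:
        regions.append(current)
    return [(s, min(e, len(data))) for s, e in regions]


def constructed_sample(seed: int = 1) -> bytes:
    """2 KB of code-like text, 2 KB of pseudo-random bytes standing in for an
    encrypted body, then 2 KB of text again (constructed, not a real file)."""
    rng = random.Random(seed)
    text = (b"mov eax, [ebp+8]; push ebx; call sub_401000; " * 50)[:2048]
    encrypted = bytes(rng.randrange(256) for _ in range(2048))
    return text + encrypted + text


if __name__ == "__main__":
    sample = constructed_sample()
    for off, h in entropy_profile(sample):
        print(f"{off:6d}  {h:5.2f} {'<- suspicious' if h >= 7.0 else ''}")
    print("regions:", suspicious_regions(sample))
```

The check is cheap enough to run over every file on an endpoint, and it is agnostic to which cipher or packer was used, which is the point against polymorphic bodies: the decryptor may change every generation, but the encrypted body it guards stays uniformly distributed. It is also easy to defeat by encoding the body into low-entropy form, so it ranks as a triage signal, not a verdict.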
•    Robert Lyda and Jim Hamrock. “Using Entropy Analysis to Find Encrypted and Packed Malware”.
     IEEE Security & Privacy, pp. 40-45, 2007
•    Information Technology Security Report Lead Agency Publication R2-002, “Future Trends in
     Malicious Code – 2006 Report”.
•    McAfee. McAfee virtual criminology report, “Virtually Here: The Age of Cyber Warfare” McAfee,
     Inc, 2009
•    Understanding and Managing Polymorphic Viruses. The Symantec Enterprise Papers (1996)
•    Evgenios Konstantinou, Stephen Wolthusen, “Metamorphic Virus: Analysis and Detection”.
     Technical Report, RHUL-MA-2008-02
•    Szor, P and Ferrie, P. “Hunting for Metamorphic”. Virus Bulletin Conference (2003).
•    Adrian E. Stepan. “Defeating Polymorphism beyond Emulation”. Virus Bulletin Conference
     October 2005
•    Igor Santos, Felix Brezo, Javier Nieves, et al. "Idea: Opcode-Sequence-Based Malware
     Detection". Engineering Secure Software and Systems (ESSoS), LNCS 5969, pp. 35-43, 2010
•    Ulrich Bayer, Engin Kirda and Christopher Kruegel, “Improving the Efficiency of Dynamic Malware
     Analysis”, 25th Symposium on Applied Computing (SAC), Track on Information Security Research
     and Applications, 2010
•    Alsagoff, S.N. Malware self protection mechanism issues in conducting malware behavior analysis
     in a virtual environment as compared to a real environment. 2010 International Symposium in
     Information Technology (ITSim), pp.1326-1331, 2010
•   Asaf Shabtai, Robert Moskovitch, et al. Detection of malicious code by applying machine learning
    classifiers on static features: A state-of-the-art survey. Information Security Technical Report 14
    (2009) 16-29
•   Cesare, S and Yang Xiang. “A Fast Flowgraph Based Classification System for Packed and
    Polymorphic Malware on the Endhost”. Advanced Information Networking and Applications
    (AINA), 2010 24th IEEE International Conference on Digital Object Identifier. pp. 721-728, 2010
•   Vx heavens.
•   Yong Tang, Bin Xiao, Xicheng Lu. Using a bioinformatics approach to generate accurate exploit-
    based signatures for polymorphic worms. Journal of Computer & Security 28 (2009). pp. 827-842
•   Aditya Govindaraju. Exhaustive Statistical Analysis for Detection of Metamorphic Malware. Master
    project, Department of Computer Science, San Jose State University, spring 2010
•   David M. Chess and Steve R. White. An Undetectable Computer Virus. IBM Thomas J. Watson
    Research Center, Hawthorne, New York, USA
•   Song Y, Locasto ME, Stavrou A, Keromytis AD, Stolfo SJ. On the infeasibility of modeling
    polymorphic shellcode. In: ACM Conference on Computer and Communications Security (CCS), 2007
•   Danilo Bruschi, Lorenzo Martignoni, Mattia Monga. Detecting self-mutating malware using control-
    flow graph matching. Lecture Notes in Computer Science, 2006, Vol 4046, Detection of Intrusions
    and Malware & Vulnerability Assessment, PP. 129-143

•   Malware Detection and Classification From Byte-Patterns to Control Flow Structures to
    Entropic Defenses. Cyber Genome Project DARPA workshop, Arlington, Virginia; University of
    New Orleans, Department of Computer Science, December 2009
•   Lorenzo Cavallaro, Prateek Saxena and R.Sekar. On the limits of information flow techniques for
    malware analysis and containment. Lecture Notes in Computer Science, 2008, Vol 5137,
    Detection of Intrusion and Malware, and Vulnerability Assessment, pp. 143-163
•   Andrew Walenstein, Rachit Mathur, Mohamed R. Chouchane, Arun Lakhotia. "Constructing
    malware normalizers using term rewriting". Journal in Computer Virology, 4(4), pp. 307-322, 2008
•   Frederic Perriot, Peter Szor, Peter Ferrie. Striking similarities: Win32/Simile and metamorphic
    virus code. Technical report, Symantec, 2003
•    Peter Szor. Zmist opportunities. Virus Bulletin Conference, March 2001, pp. 6-7
•   Felix Leder, Bastian Steinbock, Peter Martini. Classification and detection of metamorphic
    malware using value set analysis.
•   Kevin A. Roundy, Barton P. Miller. Hybrid analysis and control of malware. Lecture Notes in
    Computer Science, 2010, Vol 6370, Recent Advances in Intrusion Detection, pp. 317-338

•   Sharif, M., Lanzi, A., Giffin, J., Lee, W. Impeding malware analysis using conditional code
    obfuscation. In Network and Distributed System Security Symposium. San Diego, CA (2008)
•   Spinellis, D. Reliable identification of bounded–length viruses is NP-complete. Information Theory,
    IEEE Transactions, Vol 49. pp. 280-284, January 2003
•   Polymorphic Code:
•   Khalid Alzarouni, David Clark, Laurence Tratt. Semantic Malware Detection. Technical Report TR-
    10-03, 16 February 2010.
•   Mohamed R. Chouchane, Andrew Walenstein, Arun Lakhotia. Statistical Signature for Fast
    Filtering of Instruction-substituting Metamorphic Malware. In Proc. WORM '07, November 2007,
    Alexandria, Virginia, USA, ACM Press
•   Peter Ferrie, Frederic Perriot. Detecting Complex Viruses. Symantec Community: Security
•   McAfee Threat Intelligence:
•   Virus Bulletin: Glossary - Metamorphic virus:
Thanks for your kind

More Related Content

What's hot

LCU14 500 ARM Trusted Firmware
LCU14 500 ARM Trusted FirmwareLCU14 500 ARM Trusted Firmware
LCU14 500 ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted FirmwareLCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted Firmware
IPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, CapabilitiesIPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, Capabilities
Martin Děcký
Static Routing
Static RoutingStatic Routing
Static Routing
Kishore Kumar
Monkey-patching in Python: a magic trick or a powerful tool?
Monkey-patching in Python: a magic trick or a powerful tool?Monkey-patching in Python: a magic trick or a powerful tool?
Monkey-patching in Python: a magic trick or a powerful tool?
Elizaveta Shashkova
Spring Security
Spring SecuritySpring Security
Spring Security
Knoldus Inc.
10 step-to-configure-cisco-call-manager-express
10 step-to-configure-cisco-call-manager-express10 step-to-configure-cisco-call-manager-express
10 step-to-configure-cisco-call-manager-express
Nguyen Thanh
Summary of linux kernel security protections
Summary of linux kernel security protectionsSummary of linux kernel security protections
Summary of linux kernel security protections
Shubham Dubey
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN hypervisor introduction
Project ACRN hypervisor introduction
Project ACRN
Java Nio 2
Java Nio 2Java Nio 2
SFO15-TR9: PSCI, ACPI (and UEFI to boot)
SFO15-TR9: PSCI, ACPI (and UEFI to boot)SFO15-TR9: PSCI, ACPI (and UEFI to boot)
SFO15-TR9: PSCI, ACPI (and UEFI to boot)
Linux Internals - Part I
Linux Internals - Part ILinux Internals - Part I
Beneath the Linux Interrupt handling
Beneath the Linux Interrupt handlingBeneath the Linux Interrupt handling
Beneath the Linux Interrupt handling
Bhoomil Chavda
[143] Modern C++ 무조건 써야 해?
[143] Modern C++ 무조건 써야 해?[143] Modern C++ 무조건 써야 해?
[143] Modern C++ 무조건 써야 해?
Qemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System EmulationQemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System Emulation
National Cheng Kung University
Cisco hsrp configuration
Cisco hsrp configurationCisco hsrp configuration
Cisco hsrp configuration
Wahyu Nasution
Linux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use CasesLinux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use Cases
Kernel TLV

What's hot (20)

LCU14 500 ARM Trusted Firmware
LCU14 500 ARM Trusted FirmwareLCU14 500 ARM Trusted Firmware
LCU14 500 ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted FirmwareLCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted Firmware
IPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, CapabilitiesIPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, Capabilities
Static Routing
Static RoutingStatic Routing
Static Routing
Nmap tutorial
Nmap tutorialNmap tutorial
Nmap tutorial
Monkey-patching in Python: a magic trick or a powerful tool?
Monkey-patching in Python: a magic trick or a powerful tool?Monkey-patching in Python: a magic trick or a powerful tool?
Monkey-patching in Python: a magic trick or a powerful tool?
Spring Security
Spring SecuritySpring Security
Spring Security
10 step-to-configure-cisco-call-manager-express
10 step-to-configure-cisco-call-manager-express10 step-to-configure-cisco-call-manager-express
10 step-to-configure-cisco-call-manager-express
Network Drivers
Network DriversNetwork Drivers
Network Drivers
Summary of linux kernel security protections
Summary of linux kernel security protectionsSummary of linux kernel security protections
Summary of linux kernel security protections
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN hypervisor introduction
Project ACRN hypervisor introduction
Java Nio 2
Java Nio 2Java Nio 2
Java Nio 2
SFO15-TR9: PSCI, ACPI (and UEFI to boot)
SFO15-TR9: PSCI, ACPI (and UEFI to boot)SFO15-TR9: PSCI, ACPI (and UEFI to boot)
SFO15-TR9: PSCI, ACPI (and UEFI to boot)
Linux Internals - Part I
Linux Internals - Part ILinux Internals - Part I
Linux Internals - Part I
Beneath the Linux Interrupt handling
Beneath the Linux Interrupt handlingBeneath the Linux Interrupt handling
Beneath the Linux Interrupt handling
[143] Modern C++ 무조건 써야 해?
[143] Modern C++ 무조건 써야 해?[143] Modern C++ 무조건 써야 해?
[143] Modern C++ 무조건 써야 해?
Qemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System EmulationQemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System Emulation
Cisco hsrp configuration
Cisco hsrp configurationCisco hsrp configuration
Cisco hsrp configuration
Linux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use CasesLinux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use Cases

Similar to Mechanism Of Polymorphic And Metamorphic Virus

Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow Attack
Rob Gillen
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Chong-Kuan Chen
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the Stack
Model-checking for efficient malware detection
Model-checking for efficient malware detectionModel-checking for efficient malware detection
Model-checking for efficient malware detection
Pôle Systematic Paris-Region
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Vincenzo Iozzo
AntiRE en Masse
AntiRE en MasseAntiRE en Masse
AntiRE en Masse
Kurt Baumgartner
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1  Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Finding 0days at Arab Security Conference
Finding 0days at Arab Security ConferenceFinding 0days at Arab Security Conference
Finding 0days at Arab Security Conference
Rodolpho Concurde
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
Cysinfo Cyber Security Community
Offensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonOffensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with Python
Malachi Jones
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit development
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxyDEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
Felipe Prado
Bh Usa 07 Butler And Kendall
Bh Usa 07 Butler And KendallBh Usa 07 Butler And Kendall
Bh Usa 07 Butler And KendallKarlFrank99
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protections
Jonathan Salwan
Creating a Fibonacci Generator in Assembly - by Willem van Ketwich
Creating a Fibonacci Generator in Assembly - by Willem van KetwichCreating a Fibonacci Generator in Assembly - by Willem van Ketwich
Creating a Fibonacci Generator in Assembly - by Willem van Ketwich
Willem van Ketwich
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016
Mikhail Sosonkin
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The Stack
Tomer Zait

Similar to Mechanism Of Polymorphic And Metamorphic Virus (20)

Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow Attack
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the Stack
Model-checking for efficient malware detection
Model-checking for efficient malware detectionModel-checking for efficient malware detection
Model-checking for efficient malware detection
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
AntiRE en Masse
AntiRE en MasseAntiRE en Masse
AntiRE en Masse
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1  Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Finding 0days at Arab Security Conference
Finding 0days at Arab Security ConferenceFinding 0days at Arab Security Conference
Finding 0days at Arab Security Conference
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
Offensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonOffensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with Python
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit development
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxyDEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
Bh Usa 07 Butler And Kendall
Bh Usa 07 Butler And KendallBh Usa 07 Butler And Kendall
Bh Usa 07 Butler And Kendall
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protections
Creating a Fibonacci Generator in Assembly - by Willem van Ketwich
Creating a Fibonacci Generator in Assembly - by Willem van KetwichCreating a Fibonacci Generator in Assembly - by Willem van Ketwich
Creating a Fibonacci Generator in Assembly - by Willem van Ketwich
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The Stack

Mechanism Of Polymorphic And Metamorphic Virus

  • 1. The Mechanism of Polymorphic and Metamorphic Virus Li Xufang CSIT-TL@NTU Computer Security Lab
  • 2. What is a polymorphic virus? A polymorphic virus is a computer virus which is capable of mutating itself when it replicates, making it more difficult to identify with original antivirus software. A sophisticated type of virus – polymorphic virus that can wreak havoc on a computer system while avoiding detection. “ Chameleon” is the first polymorphic virus in the early ’90s. Dos polymorphic virus can infect com files, Exe files and the Master Boot Record with encryption, instruction mutation and stealth capability. MTE 0.90 (Mutation Engine), TPE (Trident Polymorphic Engine), four versions NED (Nuke Encryption Device), DAME (Dark Angel's Multiple Encryptor) In early 1992 the famous ‘Dedicated’ virus appears, based on the first known polymorphic generator MTE
  • 3. Polymorphism techniques Entry point obfuscation (EPO) Garbage code insertion Nop opcode insertion Complex dead codes are given, which are useless instructions and semantically equivalent to no operation Encryptor and decryptor Instruction permutation Instruction placement Pseudo-random index decryption (PRGA) The PRGA modifies the state and outputs a byte of the key stream. In each iteration, the PRGA increments i, adds the value of S pointed to by i to j, exchanges the values of S[i] and S[j], and then outputs the element of S at the location S[i] + S[j] (modulo 256). Each element of S is swapped with another element at least once every 256 iterations.(RC4: Out-of-order decode generation Register randomization Polymorphic generator
  • 4. Polymorphic decryptor – Malicious Cryptography
      Not all ciphering algorithms are equivalent: a XOR with a short key is easy to cryptanalyze.
      Another well-tested algorithm gives no way to retrieve the key (like the Random Decryption Algorithm (RDA)).
      The weak crypto
          Deterministic RDA: the computation time is always the same (W32/Crypto)
          Non-deterministic RDA: the computation time cannot be guessed (W32/IHSix)
      The strong crypto
          A deciphering function D gathers the information needed to compute the key and decipher the corresponding code.
          Encrypted code EVP1 (key k1) contains all the anti-anti-viral mechanisms.
          Encrypted code EVP2 (key k2) is in charge of the infection and polymorphism/metamorphism mechanisms.
          Encrypted code EVP3 (key k3) contains all the optional payloads.
      (Frederic Raynal. “Malicious Cryptography, Part two”. Symantec technical papers, 15 May 2006)
  • 5. How is a polymorphic virus created?
      (figure) Polymorphic Engine: Key 1, Key 2, …, Key n
      Constantly create new random encryptions of the same virus body with different keys.
  • 6. Polymorphic Encryption Techniques
      Simple encryption: “XOR”, “ADD”; A becomes B, B becomes C, C becomes D.
      Advanced technique: XYZ, where X is encrypted by A, Y is encrypted by B, Z is encrypted by C.
      Long character key for the encryption; decrypt the code with the long key in turn: WVYYX with key ABCD, W with A, V with B, the first Y with C, the next Y with A, X with B. The key is hard to guess.
      Mutation encryption: multiple encryption, encrypting the code again with a different key or the same key.
      Transposition encryption: it is definitely weak, because the random key must reconstruct the original opcode.
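Slide 4 says a XOR with a short key is easy to cryptanalyze and slide 6 shows the repeating-key scheme (WVYYX under key ABCD). This added example, which is not code from the slides, shows the analyst side of that remark: with a known plaintext prefix longer than the key (a PE image always starts with a predictable DOS header), the key stream falls out by XOR and its period reveals the key. The header bytes and key are constructed sample values; the function names are assumptions.

```python
# Added example: repeating-key XOR and the known-plaintext recovery that makes
# a short key weak (slides 4 and 6).  Sample values below are constructed.

# Constructed known plaintext: the first 16 bytes of a typical DOS/PE header,
# which every Windows executable carries and which an encryptor rarely changes.
KNOWN_HEADER = bytes.fromhex("4d5a90000300000004000000ffff0000")


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt: byte n is XORed with key[n mod len(key)]."""
    return bytes(b ^ key[n % len(key)] for n, b in enumerate(data))


def recover_keystream(cipher: bytes, known_plain: bytes) -> bytes:
    """Known-plaintext step: cipher XOR plaintext yields the key stream for that span."""
    return bytes(c ^ p for c, p in zip(cipher, known_plain))


def key_period(stream: bytes, max_period: int = 64) -> int:
    """Smallest p such that stream[n] == stream[n + p] wherever both exist.
    Returns 0 when no period up to half the span (or max_period) repeats."""
    for p in range(1, min(max_period, len(stream) // 2) + 1):
        if all(stream[n] == stream[n + p] for n in range(len(stream) - p)):
            return p
    return 0


def recover_key(cipher: bytes, known_plain: bytes) -> bytes:
    """Derive the repeating key from a known plaintext prefix longer than the key.
    Returns b'' when the span is too short to show a repetition."""
    stream = recover_keystream(cipher, known_plain)
    p = key_period(stream)
    return stream[:p] if p else b""


if __name__ == "__main__":
    key = b"ABCD"
    body = KNOWN_HEADER + b"\x00" * 32          # constructed "body" after the header
    cipher = xor_repeating(body, key)
    print(recover_key(cipher, KNOWN_HEADER))    # b'ABCD'
```

A key such as ABAB is reported as AB, which decrypts identically. When the known prefix is shorter than twice the key length the period cannot be confirmed and the function returns an empty key rather than guessing; that is the case slide 6 calls "hard to guess", and it is exactly why a longer key (or a stream cipher like the RC4 PRGA of slide 3) replaces the short-key XOR.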
  • 7. Win32/Vundo Polymorphic virus
      Entry Point Obfuscation (EPO)
      Instruction permutation
      Opcode: 24 E9 A4 FD FF FF FF 81 F0 37 79 DB
      To:     E9 A4 FD FF FF 81 F0 37 79 DB 07
  • 8. Win32/Vundo Polymorphic Virus
      Loc_10001E74 (EP):
          nop
          jmp short loc_10001E84
      Loc_10001E84:
          call eax
          push ecx
          push ecx
          jmp short loc_100012EF
          pop ecx
          add esp, 2
          nop
          nop
      Loc_100012EF:
          jmp short loc_10001EA5
          jmp loc_10001098
      Loc_10001098:
          ...
          ror al, cl
          nop
          and ax, 7F4Dh
          jmp short loc
          sub eax, [esp+8+var_8]
          ...
          and eax, 0
          jmp short loc
          add eax, offset sub_1000170E
          jmp loc_1000166E
          ...
          nop
      Loc_1000166E:
          jmp eax
          nop
          ...
          jmp short loc_1000167D
          ...
      Loc_1000167D:
          xor al, cl
          push dword ptr [esp+8]
          mov ax, 1F07h
          xchg bx, bx
          shr ax, cl
          jmp loc_10001E74
          mov al, [eax]
          ...
  • 9. Win32/Vundo Polymorphic Virus
      Execution flow modification (figure): Entry Point → Jump 1 → Junk → Jump 2 → Junk → Jump 3 → … → Jump n-1 → Junk → Jump n → Junk → Entropy data
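Slides 7 to 9 show Vundo's entry-point obfuscation: a chain of jumps separated by junk, and bytes that decode as one thing at the entry point and as something else one byte later. The following added example, not code from the slides, is a defender-side resolver that walks such a chain statically. It decodes only the instructions that carry control (`nop`, `jmp rel8`, `jmp rel32`), skips the junk they jump over, and reports where execution really lands, flagging a `jmp $` loop instead of spinning. The byte buffer is constructed and is not Vundo's code; the five-byte sequence E9 A4 FD FF FF from slide 7 is decoded as-is.

```python
# Added example: static "jump chain" resolver for jump/junk entry-point
# obfuscation (slides 7-9).  The sample buffer is constructed, not Vundo bytes.
import struct

# Constructed sample: two junk-separated hops before the real first instruction
# at offset 15, in the "jump, junk, jump, junk" shape of slide 9.
SAMPLE_CODE = bytes([
    0xEB, 0x03,                    #  0: jmp short +3        -> 5
    0x0C, 0x10, 0x12,              #  2: junk, never executed
    0x90,                          #  5: nop
    0xE9, 0x04, 0x00, 0x00, 0x00,  #  6: jmp near +4         -> 15
    0x31, 0xC0, 0x33, 0xC9,        # 11: junk, never executed
    0x60,                          # 15: pushad: first instruction that is not control flow
])

NOP, JMP_SHORT, JMP_NEAR = 0x90, 0xEB, 0xE9


def decode_control(code: bytes, off: int):
    """Decode a nop / jmp rel8 / jmp rel32 at off.
    Returns (next_offset, length), or None for any other or truncated instruction."""
    op = code[off]
    if op == NOP:
        return off + 1, 1
    if op == JMP_SHORT and off + 2 <= len(code):
        rel = struct.unpack_from("<b", code, off + 1)[0]   # signed 8-bit displacement
        return off + 2 + rel, 2
    if op == JMP_NEAR and off + 5 <= len(code):
        rel = struct.unpack_from("<i", code, off + 1)[0]   # signed 32-bit displacement
        return off + 5 + rel, 5
    return None


def follow_jumps(code: bytes, entry: int, max_steps: int = 1000) -> dict:
    """Follow jmp/nop links from entry to the first real instruction.
    'landing' is None when the chain leaves the buffer or loops (jmp $ style)."""
    chain, seen, off = [], set(), entry
    for _ in range(max_steps):
        if not 0 <= off < len(code):
            return {"landing": None, "chain": chain, "loop": False}
        if off in seen:
            return {"landing": None, "chain": chain, "loop": True}
        seen.add(off)
        chain.append(off)
        step = decode_control(code, off)
        if step is None:                      # something other than a jump: the real code
            return {"landing": off, "chain": chain, "loop": False}
        off = step[0]
    return {"landing": None, "chain": chain, "loop": False}


if __name__ == "__main__":
    print(follow_jumps(SAMPLE_CODE, 0))       # landing 15 via [0, 5, 6, 15]
    # Slide 7's "To" sequence starts E9 A4 FD FF FF: a jmp rel32 of -0x25C bytes.
    print(decode_control(bytes.fromhex("e9a4fdffff"), 0))
```

Slide 7's "before" bytes begin 24 E9, which decodes as `and al, 0E9h` when the decoder starts at the entry point, while the same bytes from one position later are the `jmp rel32` above. A resolver like this only helps once it is started at the right offset, so in practice it is run from the emulator's current instruction pointer (slide 13) rather than from the raw file entry point; the chain it returns is also a useful feature on its own, since a long sequence of hops over never-executed bytes is itself a heuristic indicator.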
  • 10. What is a metamorphic virus?
      In computer virus terms, metamorphic code is code that can reprogram itself. Often, it does this by translating its own code into a temporary representation, editing the temporary representation of itself, and then writing itself back to normal code again.
      A metamorphic virus is one that is capable of rewriting its own code with each infection, or generation of infection, while maintaining the same functionality.
          • Simile
          • Zmist
  • 11. Metamorphism technology
      Entry point obfuscation (EPO)
      Code permutation
          Conditional jumps or unconditional branches control
      Execution flow modification
          Insert jump and call instructions
      Code integration
          Code is inserted into another piece. Relocation and data references are updated accordingly (Win32/Zmist)
      Metamorphism generator
      Polymorphic decryptor
      Anti-emulator
      Anti-debugger
      Payload
      Stealth
  • 12. Example of code emulation
      From Szor and Ferrie, “Hunting for Metamorphic”
  • 13. Emulation process and virus detection
      (figure) Randomly generate a new key → decrypt and execute the virus body and corresponding decryptor code → Mutation A, Mutation B, Mutation C
      To detect an unknown mutation of a known virus, emulate CPU execution until the current sequence of instruction opcodes matches the known sequence for the virus body.
  • 14. W32/Zmist virus
      It is written by Zombie, a Russian legal polymorphic and metamorphic virus writer
      Entry point obscuring virus
      Randomly uses an additional polymorphic decryptor
      Code integration technology
          Mistfall engine – it is capable of decompiling portable executable files to their small elements
          Regenerates code and data references, including the relocation information, and rebuilds the executable
          Inserts jump instructions after every single instruction of the code section
      Perfect anti-heuristics virus
      Not a single crash was seen during the test replications
  • 15. Simplified Zmist Infection Process
      Pick a portable executable binary, <448 KB in size
      Disassemble, insert space for new instructions
      Insert mutated virus body:
          Split into jump-linked “islands”
          Mutate opcodes (XOR↔SUB, OR↔TEST)
          Swap register moves and PUSH/POP, etc.
          Insert random garbage code blocks using Executable Trash Generator
      Encrypt virus body by XOR (ADD, SUB) with a randomly generated key, insert mutated decryptor
      Randomly insert indirect call OR jump to decryptor's entry point OR rely on instruction flow to reach it
      Decryptor must restore host’s registers to preserve host’s functionality
      Generate new binary
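Slide 15 names the instruction substitutions Zmist applies (XOR↔SUB, OR↔TEST, register moves as PUSH/POP, garbage blocks) and slides 3 and 18 add register randomization; the references cite normalizers built with term rewriting as the matching defence. This added example, not code from the slides or from any of the cited papers, is a small normalizer of that kind: it rewrites each substitution back to one canonical form, drops NOPs, folds `push X; pop Y` into a move, and numbers registers by first use, so two mutated variants hash to the same fingerprint. The two listings are constructed sample text; function names are assumptions.

```python
# Added example: canonicalising normaliser for the opcode substitutions named
# on slide 15 (semantic/opcode-based detection, slide 23).  Listings are constructed.
import hashlib
import re

# Constructed sample listings: two mutations of the same three-instruction fragment.
VARIANT_A = """
    xor eax, eax        ; zero a register
    push ecx
    pop  edx            ; register move written as push/pop
    nop
    test edx, edx
"""
VARIANT_B = """
    nop
    sub esi, esi        ; XOR<->SUB substitution, different register
    push ebx
    pop eax
    or eax, eax         ; OR<->TEST substitution
"""

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi)\b")


def parse(listing: str) -> list:
    """Lower-case each non-empty line and drop ';' comments."""
    out = []
    for line in listing.splitlines():
        line = line.split(";", 1)[0].strip().lower()
        if line:
            out.append(line)
    return out


def split_ins(ins: str):
    """'mov eax, 1' -> ('mov', ['eax', '1'])"""
    parts = ins.split(None, 1)
    ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
    return parts[0], ops


def fmt(mnem: str, ops: list) -> str:
    return f"{mnem} {', '.join(ops)}" if ops else mnem


def fold_push_pop(instrs: list) -> list:
    """push X ; pop Y  ->  mov Y, X  (the register-move swap of slide 15)."""
    out = []
    for ins in instrs:
        mnem, ops = split_ins(ins)
        if mnem == "pop" and out:
            pmnem, pops = split_ins(out[-1])
            if pmnem == "push" and len(pops) == 1 and len(ops) == 1:
                out[-1] = fmt("mov", [ops[0], pops[0]])
                continue
        out.append(ins)
    return out


def rename_registers(instrs: list) -> list:
    """Number general registers by first appearance (eax/esi/... -> r0, r1, ...),
    which cancels register randomisation (slides 3 and 18)."""
    names = {}

    def sub(m):
        reg = m.group(1)
        if reg not in names:
            names[reg] = f"r{len(names)}"
        return names[reg]

    return [REG_RE.sub(sub, ins) for ins in instrs]


def normalise(listing: str) -> list:
    canon = []
    for ins in parse(listing):
        mnem, ops = split_ins(ins)
        if mnem == "nop":
            continue                                      # dead code
        if mnem in ("xor", "sub") and len(ops) == 2 and ops[0] == ops[1]:
            canon.append(fmt("mov", [ops[0], "0"]))       # zeroing idiom
        elif mnem in ("or", "test") and len(ops) == 2 and ops[0] == ops[1]:
            canon.append(fmt("test", [ops[0], ops[0]]))   # flag-only self compare
        else:
            canon.append(fmt(mnem, ops))
    return rename_registers(fold_push_pop(canon))


def fingerprint(listing: str) -> str:
    """Hash of the canonical form: equal for variants that differ only by the rewrites above."""
    return hashlib.sha256("\n".join(normalise(listing)).encode()).hexdigest()
```

The rewrites are deliberately narrow: `xor r, r` and `sub r, r` are only interchangeable when both operands are the same register, and `or r, r` matches `test r, r` only because it leaves the register unchanged and sets the same flags. A normalizer that rewrote more aggressively would merge fragments that are not equivalent and produce false matches, which is the trade-off the term-rewriting papers in the reference list discuss.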
  • 16. The popular polymorphic and metamorphic viruses for Windows
  • 17. Win32/Fujacks metamorphic virus
      File size: 173,580 bytes
      A variant of metamorphic virus
      Infects PE files, compressed files (.RAR, .ZIP, et al.) and possibly HTML files, with malicious hyperlinks of the Windows ANI 0-day exploit
      Upon execution, it drops itself (TXPlatform.exe) and infected files (regedit.exe)
      Creates Desktop_1.ini: located in the infected folder and tagging the infected data, detected as W32/Fujacks.remnants virus
      Autorun worm virus
      Infection type: pre-pending
  • 18. Win32/Fujacks Metamorphic Virus Technique
      Entry Point
          Entry point obfuscation (EPO), Garbage code insertion
          Instruction permutation
          Register randomization (EDI and ESI)
          Garbage insertion (From EP to )
      Anti-debugger
      Anti-Virtual Machine
      Internal packed
      Decompress algorithm
  • 19. W32/Fujacks: Payload Technique
      (MS06-050) Microsoft Hyperlink Object Function Vulnerability (KB920670)
      A remote code execution vulnerability exists in the Hyperlink Object Library
      This virus exploits the vulnerability by constructing a malicious hyperlink, which could potentially lead to remote code execution and the dropping or downloading of malware code
      (figure) Hyperlink with malicious code
  • 20. Compressed files are infected by the Fujacks virus
      It can decompress .RAR and .ZIP files and infect the internal PE files.
      Infection type: pre-pending
      (figure) Compressed files → Decompressing → PE files → Infecting (malicious codes) → Infected files
  • 21. Win32/Fujacks Running Process
      Running process (unpacked):
          1. Drop malicious code
          2. Infect PE files in all folders
          3. Pre-pending infection
          4. Decompression of files
          5. Hyperlink exploit
          6. Autorun
          7. Anti-debugger
          8. Anti-virtual machine
      (figure) PE1 / Main File: PE HEADER, Malicious codes, EP + Garbage codes, Pack part, Decryptor → PE2 / Infected files
  • 22. Win32/Fujacks Metamorphic virus
      (figure) Infected file layout: PE Header → Poly instructions → Infector virus → Encrypted data → Decryption engine
  • 23. The novel analysis and detection methods for complex computer virus
      Control flow methods
      Behavior monitor
          Monitoring files (dropper, download, rewrite, insert)
          Monitoring registry
          Monitoring network
          Memory monitor
          Hooking monitor
          API call monitor
          Process monitor
      Heuristic detection
      Semantic analysis and detection
          API call
          Opcode malware detection and analysis
      Entropy calculator
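The "entropy calculator" on slide 23 refers to the approach of Lyda and Hamrock in the reference list: encrypted or packed regions of a file (the "Encrypted data" and "Pack part" blocks of slides 21 and 22) have a near-uniform byte distribution, while native code does not. This added example, not code from the slides or from that paper, computes Shannon entropy per block and flags blocks above a threshold. The sample image is constructed (one block of repeated prologue bytes followed by one uniformly distributed block), and the 7.0 bits/byte threshold is my assumption, not a value from the page; real deployments tune it per file type.

```python
# Added example: per-block Shannon entropy as a packed/encrypted-region detector
# (the "entropy calculator" of slide 23).  Sample data and threshold are constructed.
import math

# Constructed sample image: block 0 is code-like (a repeated 8-byte prologue pattern,
# 6 distinct byte values), block 1 looks encrypted (every byte value exactly once).
LOW_BLOCK = bytes.fromhex("558bec83ec109090") * 32     # 256 bytes, entropy 2.5
HIGH_BLOCK = bytes(range(256))                          # 256 bytes, entropy 8.0
SAMPLE_IMAGE = LOW_BLOCK + HIGH_BLOCK

HIGH_ENTROPY = 7.0   # assumed threshold in bits per byte; 8.0 is the maximum


def shannon_entropy(block: bytes) -> float:
    """H = -sum(p(b) * log2 p(b)) over the byte values present in the block."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def block_entropies(data: bytes, block_size: int = 256) -> list:
    """Entropy of each consecutive block; the final block may be shorter."""
    return [shannon_entropy(data[i:i + block_size]) for i in range(0, len(data), block_size)]


def flag_high_entropy(data: bytes, block_size: int = 256, threshold: float = HIGH_ENTROPY) -> list:
    """(block_index, entropy) for every block above the threshold: candidate encrypted
    or packed regions that a byte signature will not match and an emulator must unpack."""
    return [(i, e) for i, e in enumerate(block_entropies(data, block_size)) if e > threshold]


if __name__ == "__main__":
    for i, e in enumerate(block_entropies(SAMPLE_IMAGE)):
        print(f"block {i}: {e:.2f} bits/byte")
    print("flagged:", flag_high_entropy(SAMPLE_IMAGE))   # [(1, 8.0)]
```

Two caveats that matter in practice: a block of zero padding scores 0.0 and an uncompressed bitmap or certificate table can score high without being malicious, so the per-block profile is a triage feature to combine with the control-flow and emulation checks listed above, not a verdict on its own; and the block size sets the resolution, since a 256-byte window will miss a short decryptor stub embedded in a larger encrypted body.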
  • 24. Reference:
      • Robert Lyda and Jim Hamrock. “Using Entropy Analysis to Find Encrypted and Packed Malware”. IEEE Security & Privacy, pp. 40-45, 2007
      • Information Technology Security Report Lead Agency Publication R2-002, “Future Trends in Malicious Code – 2006 Report”.
      • McAfee. McAfee virtual criminology report, “Virtually Here: The Age of Cyber Warfare”. McAfee, Inc, 2009
      • Understanding and Managing Polymorphic Viruses. The Symantec Enterprise Papers (1996)
      • Evgenios Konstantinou, Stephen Wolthusen. “Metamorphic Virus: Analysis and Detection”. Technical Report, RHUL-MA-2008-02
      • Szor, P and Ferrie, P. “Hunting for Metamorphic”. Virus Bulletin Conference (2003).
      • Adrian E. Stepan. “Defeating Polymorphism beyond Emulation”. Virus Bulletin Conference, October 2005
      • Igor Santos, Felix Brezo, Javier Nieves, et al. “Idea: Opcode-Sequence-Based Malware Detection”. Lecture Notes in Computer Science, Engineering Secure Software and Systems, Vol 5969, pp. 35-43, 2010.
      • Ulrich Bayer, Engin Kirda and Christopher Kruegel. “Improving the Efficiency of Dynamic Malware Analysis”. 25th Symposium on Applied Computing (SAC), Track on Information Security Research and Applications, 2010
      • Alsagoff, S.N. Malware self protection mechanism issues in conducting malware behavior analysis in a virtual environment as compared to a real environment. 2010 International Symposium in Information Technology (ITSim), pp. 1326-1331, 2010
  • 25. Reference:
      • Asaf Shabtai, Robert Moskovitch, et al. Detection of malicious code by applying machine learning classifiers on static features: A state-of-the-art survey. Information Security Technical Report 14 (2009), pp. 16-29
      • Cesare, S and Yang Xiang. “A Fast Flowgraph Based Classification System for Packed and Polymorphic Malware on the Endhost”. 24th IEEE International Conference on Advanced Information Networking and Applications (AINA), pp. 721-728, 2010
      • Vx heavens.
      • Yong Tang, Bin Xiao, Xicheng Lu. Using a bioinformatics approach to generate accurate exploit-based signatures for polymorphic worms. Computers & Security 28 (2009), pp. 827-842
      • Aditya Govindaraju. Exhaustive Statistical Analysis for Detection of Metamorphic Malware. Master's project, Department of Computer Science, San Jose State University, Spring 2010
      • David M. Chess and Steve R. White. An Undetectable Computer Virus. IBM Thomas J. Watson Research Center, Hawthorne, New York, USA
      • Song Y, Locasto ME, Stavrou A, Keromytis AD, Stolfo SJ. On the infeasibility of modeling polymorphic shellcode. In: ACM Conference on Computer and Communications Security (CCS), 2007
      • Danilo Bruschi, Lorenzo Martignoni, Mattia Monga. Detecting self-mutating malware using control-flow graph matching. Lecture Notes in Computer Science, 2006, Vol 4046, Detection of Intrusions and Malware & Vulnerability Assessment, pp. 129-143
  • 26. Reference:
      • Arlington, Virginia. Malware Detection and Classification From Byte-Patterns to Control Flow Structures to Entropic Defenses. Cyber Genome Project DARPA workshop, University of New Orleans, Department of Computer Science, December 2009
      • Lorenzo Cavallaro, Prateek Saxena and R. Sekar. On the limits of information flow techniques for malware analysis and containment. Lecture Notes in Computer Science, 2008, Vol 5137, Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 143-163
      • Andrew Walenstein, Rachit Mathur, Mohamed R. Chouchane, Arun Lakhotia. “Constructing malware normalizers using term rewriting”. Journal in Computer Virology, Vol 4, pp. 307-322, 2008
      • Frederic Perriot, Peter Szor, Peter Ferrie. Striking similarities: Win32/Simile and metamorphic virus code. Technical report, Symantec, 2003
      • Peter Szor. Zmist opportunities. Virus Bulletin Conference, March 2001, pp. 6-7
      • Felix Leder, Bastian Steinbock, Peter Martini. Classification and detection of metamorphic malware using value set analysis.
      • Kevin A. Roundy, Barton P. Miller. Hybrid analysis and control of malware. Lecture Notes in Computer Science, 2010, Vol 6370, Recent Advances in Intrusion Detection, pp. 317-338
  • 27. Reference:
      • Sharif, M., Lanzi, A., Giffin, J., Lee, W. Impeding malware analysis using conditional code obfuscation. In Network and Distributed System Security Symposium, San Diego, CA (2008)
      • Spinellis, D. Reliable identification of bounded-length viruses is NP-complete. IEEE Transactions on Information Theory, Vol 49, pp. 280-284, January 2003
      • Polymorphic Code:
      • Khalid Alzarouni, David Clark, Laurence Tratt. Semantic Malware Detection. Technical Report TR-10-03, 16 February 2010.
      • Mohamed R. Chouchane, Andrew Walenstein, Arun Lakhotia. Statistical Signature for Fast Filtering of Instruction-substituting Metamorphic Malware. In Proc. WORM '07, November 2007, Alexandria, Virginia, USA, ACM Press
      • Peter Ferrie, Frederic Perriot. Detecting Complex Viruses. Symantec Community: Security Articles.
      • McAfee Threat Intelligence:
      • Virus Bulletin: Glossary - Metamorphic virus:
  • 28. Thanks for your kind attention!!!