Divya's Blog


  • A POLYMORPHIC virus produces varied but operational copies of itself.
  • These strategies have been employed in the hope that virus scanners (see D1) will not be able to detect all instances of the virus.
  • One method of evading scan string-driven virus detectors is self-encryption with a variable key.
  • Viruses that rely on this alone (e.g. Cascade) are not termed “polymorphic”, as their decryption code is always the same. Therefore the decryptor can be used as a scan string by the simplest scan string-driven virus scanners.

A technique for making a polymorphic virus is to choose among a variety of different encryption schemes requiring different decryption routines: only one of these routines would be plainly visible in any instance of the virus (e.g. the Whale virus).

A scan string-driven virus scanner would have to exploit several scan strings (one for each possible decryption method) to reliably identify a virus of this kind.

More sophisticated polymorphic viruses (e.g. V2P6) vary the sequences of instructions in their variants by interspersing the decryption instructions with “noise” instructions (e.g. a No Operation instruction or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g. Subtract A from A, and Move 0 to A).

A simple-minded, scan string-based virus scanner would not be able to reliably identify all variants of this sort of virus; rather, a sophisticated “scanning engine” has to be constructed after thorough research into the particular virus.
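To show why a fixed scan string fails against the tricks described above and what a "scanning engine" does instead, here is an added example (not from the original post) using a constructed toy instruction set: the engine strips noise instructions, canonicalises instruction sequences with identical net effect, and wildcards the variable key before matching.

```python
# Toy model of scan-string matching versus an instruction-level scanning engine.
# The mini-ISA (tuples such as ("mov", "ax", 0)) and all samples are constructed
# for illustration; they are not real machine code.
from typing import List, Tuple

Instr = Tuple[str, ...]

# Constructed "known decryptor" used as the scan string; "?" is a wildcard
# so the per-instance encryption key does not have to be known.
SIGNATURE: List[Instr] = [
    ("mov", "ax", 0),
    ("mov", "cx", "len"),
    ("xor", "[si]", "?"),
    ("inc", "si"),
    ("loop", "top"),
]

NOISE_OPS = {"nop"}
UNUSED_REGS = {"dx"}  # registers the decryptor never uses: loads into them are noise

def is_noise(ins: Instr) -> bool:
    """No-operation, or a load into a register the decryptor does not use."""
    return ins[0] in NOISE_OPS or (ins[0] == "mov" and ins[1] in UNUSED_REGS)

def canonical(ins: Instr) -> Instr:
    """Map instructions with identical net effect to one form ("sub a,a" -> "mov a,0")."""
    if ins[0] in ("sub", "xor") and len(ins) == 3 and ins[1] == ins[2]:
        return ("mov", ins[1], 0)
    return ins

def normalize(code: List[Instr]) -> List[Instr]:
    return [canonical(i) for i in code if not is_noise(i)]

def same(actual: Instr, pattern: Instr) -> bool:
    return len(actual) == len(pattern) and all(a == p or p == "?" for a, p in zip(actual, pattern))

def scan_string_match(code: List[Instr], sig: List[Instr]) -> bool:
    """Simple scanner: the signature must appear as a contiguous, unmodified sequence."""
    n = len(sig)
    return any(all(same(c, s) for c, s in zip(code[i:i + n], sig)) for i in range(len(code) - n + 1))

def engine_match(code: List[Instr], sig: List[Instr]) -> bool:
    """Scanning engine: match only after both sides are normalised."""
    return scan_string_match(normalize(code), normalize(sig))

# Constructed variant: noise interspersed and "mov ax,0" replaced by "sub ax,ax".
VARIANT: List[Instr] = [("sub", "ax", "ax"), ("nop",), ("mov", "cx", "len"),
                        ("mov", "dx", 0x1234), ("xor", "[si]", "k2"), ("nop",),
                        ("inc", "si"), ("loop", "top")]
BENIGN: List[Instr] = [("mov", "ax", 0), ("nop",), ("ret",)]
```

Running `scan_string_match(VARIANT, SIGNATURE)` returns False while `engine_match(VARIANT, SIGNATURE)` returns True, and `BENIGN` matches neither.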

  • One of the most sophisticated forms of polymorphism used so far is the “Mutation Engine” (MtE) which comes in the form of an object module.
  • With the Mutation Engine any virus can be made polymorphic by adding certain calls to its assembler source code and linking to the mutation-engine and random-number generator modules.
  • The advent of polymorphic viruses has rendered virus-scanning an ever more difficult and expensive endeavor; adding more and more scan strings to simple scanners will not adequately deal with these viruses.
