- Polymorphic code
In computer terminology, polymorphic code is code that mutates while keeping the original algorithm intact. This technique is sometimes used by computer viruses, shellcodes and computer worms to hide their presence.
Most anti-virus software and intrusion detection systems attempt to locate malicious code by searching through computer files and data packets sent over a computer network. If the security software finds patterns that correspond to known computer viruses or worms, it takes appropriate steps to neutralize the threat. Polymorphic algorithms make it difficult for such software to locate the offending code because it constantly mutates.
Encryption is the most commonly used method of achieving polymorphism in code. Not all of the code can be encrypted, however, because it would then be unable to run: a small decryption routine is left unencrypted to start the rest, and scanners target that routine. Malicious programmers have sought to protect their polymorphic code from this virus-scanning strategy by rewriting the unencrypted decryption engine each time the virus or worm is propagated. Anti-virus software uses sophisticated pattern analysis to find underlying patterns within the different mutations of the decryption engine, in the hope of reliably detecting such malware.
The first known polymorphic virus was written by Mark Washburn. The virus, called 1260, was written in 1990. A better-known polymorphic virus was created in 1992 by the Bulgarian cracker Dark Avenger (a pseudonym) as a means of avoiding pattern recognition by antivirus software. Other crackers, such as antoinejebara1 and Schneiding red, wrote polymorphic code that bypassed entire systems.
Example
An algorithm that uses, for example, the variables A and B but not the variable C could stay intact even if you added lots of code that changed the contents of the variable C.
The original algorithm:
    Start:
        GOTO Decryption_Code
    Encrypted:
        ...
        lots of encrypted code
        ...
    Decryption_Code:
        A = Encrypted
    Loop:
        B = *A
        B = B XOR CryptoKey
        *A = B
        A = A + 1
        GOTO Loop IF NOT A = Decryption_Code
        GOTO Encrypted
    CryptoKey:
        some_random_number
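The decryption loop in this pseudocode can be sketched in Python as a plain byte transformation. This is only an illustration operating on inert data: the function name `xor_transform`, the one-byte key and the placeholder payload are assumptions made for the sketch, not part of the original listing.

```python
def xor_transform(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; applying it twice restores the input."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must fit in one byte")
    out = bytearray(data)        # corresponds to A = Encrypted
    for i in range(len(out)):    # loop until A reaches Decryption_Code
        out[i] ^= key            # B = *A; B = B XOR CryptoKey; *A = B
    return bytes(out)


payload = b"harmless placeholder text"   # stands in for the encrypted region
encoded = xor_transform(payload, 0x5A)   # same bytes, different appearance
decoded = xor_transform(encoded, 0x5A)   # XOR with the same key undoes it
```

Because XOR is its own inverse, the same routine serves for both encoding and decoding, and a key of 0 leaves the data unchanged.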
The same algorithm, but with lots of unnecessary C-altering code:
    Start:
        GOTO Decryption_Code
    Encrypted:
        ...
        lots of encrypted code
        ...
    Decryption_Code:
        C = C + 1
        A = Encrypted
    Loop:
        B = *A
        C = 3214 * A
        B = B XOR CryptoKey
        *A = B
        C = 1
        C = A + B
        A = A + 1
        GOTO Loop IF NOT A = Decryption_Code
        C = C^2
        GOTO Encrypted
    CryptoKey:
        some_random_number
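To see why the extra statements are harmless to the algorithm, the two listings can be mirrored as a pair of Python functions and compared. This is a minimal sketch on inert data: the names `decode_plain` and `decode_with_junk` are hypothetical, `c` is initialised to 0 (the listing leaves C undefined), and `C^2` is read here as squaring, which is an assumption.

```python
def decode_plain(data: bytes, key: int) -> bytes:
    """Mirror of the original loop: only A and B are used (key must be 0..255)."""
    out = bytearray(data)
    a = 0
    while a != len(out):
        b = out[a]
        b ^= key
        out[a] = b
        a += 1
    return bytes(out)


def decode_with_junk(data: bytes, key: int) -> bytes:
    """Same loop with statements that only touch the unused variable c."""
    out = bytearray(data)
    c = 0                # assumed starting value for C
    c = c + 1            # junk
    a = 0
    while a != len(out):
        b = out[a]
        c = 3214 * a     # junk
        b ^= key
        out[a] = b
        c = 1            # junk
        c = a + b        # junk
        a += 1
    c = c ** 2           # junk
    return bytes(out)


sample = bytes(range(16))
same = decode_plain(sample, 0x21) == decode_with_junk(sample, 0x21)
```

Both functions return identical bytes for any input, even though their source text differs, which is the property that defeats naive matching on the decoder's exact instructions.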
The code inside "Encrypted" ("lots of encrypted code") could then search the code between Decryption_Code and CryptoKey and remove all the code that alters the variable C. Before the encryption engine is next used, it could insert new unnecessary code that alters C, or even replace the code in the algorithm with new code that does the same thing.
Usually the coder uses a zero key (for example, A XOR 0 = A) for the first generation of the virus, which simplifies development because with this key the code is not encrypted. The coder then implements an incremental or random key algorithm.
Another polymorphism technique is to automatically inject NOP (No Operation) instructions or other opcodes that do not alter the algorithm.
See also
* Timeline of notable computer viruses and worms
* Metamorphic code
* Self-modifying code
* Alphanumeric code
* Shellcode
* Software cracking
* Security cracking
References
* Diomidis Spinellis. "Reliable identification of bounded-length viruses is NP-complete". IEEE Transactions on Information Theory, 49(1):280–284, January 2003. doi:10.1109/TIT.2002.806137. http://www.spinellis.gr/pubs/jrnl/2002-ieeetit-npvirus/html/npvirus.html
Wikimedia Foundation. 2010.