In this chapter, we’ll learn about the advanced self-protection techniques computer virus writers have developed over the years to fight back against scanners. In particular, we’ll learn about encrypted, oligomorphic, polymorphic and advanced metamorphic computer viruses.

Evolution of code

The biggest enemy of a virus writer are scanner products that are the most popular of current antivirus software. Generic AV solutions, such as inteegrity checking and behaviour blocking, never managed to apparoch the popularity of antivirus scanner.

In fact, such generic virus detection models need a lot more thought and technology in place under Windows platforms. As a result, some people draw the incorrect conclusion that these techniques are not useful. Although modern computing developed extremely quickly, for a long time binary virus could not catch up with the technological challenges.

In fact, the DOS viruses evolved to a very complex level until 1996. At that point, howerver, 32-bit Windows started to dominate the market and as a result, virus writers had to go back years in binary virus development.

Encrypted viruses

From the very early days, virus writers tried to implement virus code evolution. One of the easiest ways to hide the functionality of the virus code was encryption. Upon its execution, the decryptor first decrypts the virus body and only then executes the malicious code.

Encryption alone cannot be considered polymorphic because for it to be considered so, the decryptor/encryptor must mutate each copy of the code, in order to have multiple different encrypted viruses but with the same functionalities.

Oligomorphic viruses

Virus writers quickly realized that detection of an encrypted virus remains simple for the antivirus software as long as the code of the decryptor itself is long enough and unique enough. To challenge the antivirus products further, they decided to implement techniques to create mutated decryptors.

Unlike encrypted viruses, oligomorphic viruses do change their decryptors in new generations. The simplest technique to change the decryptors is to use a set of decryptors instead of a single one.

Some viruses are really challenging even to automated analysis products to identify because they change slightly the implementation of the decryptors very rarely.

Polymorphic viruses

Polymorphic viruses are way more sophisicated because the virus can mutate the decryptor to a high number of different instances that can take millions of different forms. We can achieve those big numbers simply because the virus inserts garbage code inside the decryptor, leading to an insane amount of permutations.

Metamorphic viruses

Virus writers still must often waste weeks or months to create a new polymorphic virus that does not have chance to appear in the wild because of its bugs. On the other hand, a researcher might be able to deal with the detection of such a virus in a few minutes or few days. One of the reasons for this is that there are a surprisingly low number of efficient external polymorphic engines.

Metamorphic viruses do not have a decryptor or a constant virus body but are able to create new generations that look different. They do not use a data area filled with string constants but have one single-code body that carries data as code

  1. The Art of Computer Virus Research and Defense, Chapter 7