
Polymorphic code

From Wikipedia, the free encyclopedia


Not to be confused with Polymorphism (computer science).


In computing, polymorphic code is code that uses a polymorphic engine to mutate while keeping the
original algorithm intact: the code changes itself every time it runs, but its function (its
semantics) does not change. For example, the arithmetic expressions 3+1 and 6-2 produce the same
result, yet compile to different machine code. The technique is sometimes used by computer viruses,
shellcode and computer worms to hide their presence.[1]

Encryption is the most common method to hide code. With encryption, the main body of the code
(also called its payload) is encrypted and will appear meaningless. For the code to function as before,
a decryption function is added to the code. When the code is executed, this function reads the
payload and decrypts it before executing it in turn.

Encryption alone is not polymorphism. To gain polymorphic behavior, the encryptor/decryptor pair
is mutated with each copy of the code, producing many versions of the code that all function
identically.[2]

Malicious code

Most anti-virus software and intrusion detection systems (IDS) attempt to locate malicious code by
searching through computer files and data packets sent over a computer network. If the security
software finds patterns that correspond to known computer viruses or worms, it takes appropriate
steps to neutralize the threat. Polymorphic algorithms make it difficult for such software to
recognize the offending code because the code constantly mutates.

Malicious programmers have sought to protect their encrypted code from this virus-scanning
strategy by rewriting the unencrypted decryption engine (and the resulting encrypted payload) each
time the virus or worm is propagated. Anti-virus software uses sophisticated pattern analysis to find
underlying patterns within the different mutations of the decryption engine, in hopes of reliably
detecting such malware.
Emulation may be used to defeat polymorphic obfuscation by letting the malware decrypt itself in a
virtual environment before applying other methods, such as traditional signature scanning. Such a
virtual environment is sometimes called a sandbox. Polymorphism does not protect the virus against
such emulation if the decrypted payload remains the same regardless of variation in the decryption
algorithm. Metamorphic code techniques may be used to complicate detection further, as the virus
may execute without ever having an identifiable code block in memory that remains constant from
infection to infection.

The first known polymorphic virus was written by Mark Washburn. The virus, called 1260, was
written in 1990. A better-known polymorphic virus was created in 1992 by the hacker Dark Avenger
as a means of avoiding pattern recognition by antivirus software. A common and very virulent
polymorphic virus is the file infector Virut.

Example

This example is not truly polymorphic code, but it serves as an introduction to encryption via the
XOR operator and to the use of junk instructions. If an algorithm uses the variables A and B but
never reads the variable C, any amount of code that only modifies C can be inserted without
affecting the algorithm, and that code can be changed endlessly without regard to what it
computes.

Start:
GOTO Decryption_Code

Encrypted:
...lots of encrypted code...

Decryption_Code:
C = C + 1                              ; junk: only C is modified, C is never read
A = Encrypted                          ; A points at the first encrypted byte
Loop:
B = *A                                 ; load one encrypted byte
C = 3214 * A                           ; junk
B = B XOR CryptoKey                    ; decrypt it
*A = B                                 ; write the plaintext back in place
C = 1                                  ; junk
C = A + B                              ; junk
A = A + 1                              ; advance to the next byte
GOTO Loop IF NOT A = Decryption_Code   ; stop once the whole payload is decrypted
C = C^2                                ; junk
GOTO Encrypted                         ; run the decrypted payload
CryptoKey:
some_random_number

The encrypted code is the payload. To make different versions of the code, in each copy the junk
lines that manipulate C are changed. The code inside "Encrypted" ("lots of encrypted code") can
rewrite the decryptor between Decryption_Code and CryptoKey, substituting for each instruction new
code that does the same thing, and pick a new key before propagating. Usually, the coder uses a
zero key (since A XOR 0 = A) for the first generation of the virus, which makes development easier
because with this key the code is not actually encrypted. The coder then implements an incremental
or random key algorithm.
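The following is an added example, not code from this article or from any real virus. It models the pseudo-assembly above on a toy register machine (A, B, C plus a byte array for memory), generates several generations of the stub with a fresh XOR key and fresh junk instructions touching only C, and then plays the role of the emulating scanner described under "Malicious code": every generation looks different on disk, yet emulating each one yields the identical decrypted payload, which a scanner can then hash or signature-match. The instruction syntax, JUNK_TEMPLATES, the PAYLOAD bytes and the function names are all assumptions made for this example.

```python
"""Toy polymorphic engine plus emulator (added example; not the article's code).

Registers A, B, C follow the article's pseudo-assembly; memory is a bytearray
holding the encrypted payload. Each generation chooses a new XOR key and a
new mix of junk instructions that only write C, so the stub text differs per
copy while the recovered payload is always the same."""
import hashlib
import random

# Constructed sample payload; any non-empty bytes work.
PAYLOAD = b"echo 'constructed sample payload'; id; uname -a\n"

# Junk that only writes C; the real algorithm never reads C, so semantics are unchanged.
JUNK_TEMPLATES = ["C = C + {n}", "C = {n} * A", "C = A + B", "C = C XOR {n}", "C = {n}"]


def generate_copy(payload, rng):
    """Encrypt payload under a fresh key and emit a decryptor stub with fresh junk.

    Returns (stub, encrypted); stub is a list of instruction strings."""
    if not payload:
        raise ValueError("payload must not be empty")
    key = rng.randint(1, 255)  # never 0: XOR with 0 would leave the payload in the clear
    encrypted = bytes(b ^ key for b in payload)
    real = [
        "A = 0",                                 # A = Encrypted
        "LOOP:",
        "B = *A",
        f"B = B XOR {key}",
        "*A = B",
        "A = A + 1",
        f"GOTO LOOP IF NOT A = {len(payload)}",  # end of payload reached
        "HALT",                                  # stands in for GOTO Encrypted
    ]
    stub = []
    for ins in real:
        stub.append(ins)
        if not ins.endswith(":"):               # 0-3 junk instructions after each real one
            for _ in range(rng.randint(0, 3)):
                stub.append(rng.choice(JUNK_TEMPLATES).format(n=rng.randint(1, 0xFFFF)))
    return stub, encrypted


def _value(tok, regs):
    return regs[tok] if tok in regs else int(tok)


def _evaluate(expr, regs):
    """Evaluate 'x', 'x + y', 'x * y' or 'x XOR y' over registers and immediates."""
    t = expr.split()
    if len(t) == 1:
        return _value(t[0], regs)
    x, op, y = _value(t[0], regs), t[1], _value(t[2], regs)
    return {"+": x + y, "*": x * y, "XOR": x ^ y}[op]


def emulate(stub, memory, max_steps=100_000):
    """Run the stub against memory in place until HALT and return the decrypted bytes.

    This is the sandbox step: let the sample unpack itself, then inspect the result."""
    regs = {"A": 0, "B": 0, "C": 0}
    labels = {ins[:-1]: i for i, ins in enumerate(stub) if ins.endswith(":")}
    pc = 0
    for _ in range(max_steps):
        ins = stub[pc]
        t = ins.split()
        if ins.endswith(":"):
            pass
        elif ins == "HALT":
            return bytes(memory)
        elif t[0] == "GOTO":                     # GOTO <label> IF NOT A = <n>
            if regs["A"] != int(t[-1]):
                pc = labels[t[1]]
                continue
        elif ins == "B = *A":
            regs["B"] = memory[regs["A"]]
        elif ins == "*A = B":
            memory[regs["A"]] = regs["B"] & 0xFF
        else:                                    # register arithmetic, including junk
            dst, expr = ins.split(" = ")
            regs[dst] = _evaluate(expr, regs) & 0xFFFF
        pc += 1
    raise RuntimeError("step budget exhausted: stub did not halt")


def demo(payload=PAYLOAD, generations=3, seed=1):
    """Return (distinct stub texts, distinct decrypted payloads, recovered payloads)."""
    rng = random.Random(seed)
    copies = [generate_copy(payload, rng) for _ in range(generations)]
    distinct_stubs = len({"\n".join(stub) for stub, _ in copies})       # static view
    recovered = [emulate(stub, bytearray(enc)) for stub, enc in copies]
    digests = {hashlib.sha256(r).hexdigest() for r in recovered}       # post-emulation view
    return distinct_stubs, len(digests), recovered


if __name__ == "__main__":
    stubs, variants, recovered = demo()
    print(f"{stubs} distinct decryptor stubs, {variants} distinct decrypted payload(s)")
    print(recovered[0])
```

A byte-level signature taken from one generation's stub will not match the next, which is the article's point about static scanning; the SHA-256 of the emulated result is constant across generations, which is why emulation followed by ordinary scanning defeats this construction. Metamorphic code, which rewrites the payload itself rather than only the decryptor, is what removes that constant.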

See also

Timeline of notable computer viruses and worms

Metamorphic code

Self-modifying code

Alphanumeric shellcode

Shellcode

Software cracking

Security cracking

Obfuscated code

Oligomorphic code

References

1. Raghunathan, Srinivasan (2007). Protecting anti-virus software under viral attacks (M.Sc.). Arizona
State University. CiteSeerX 10.1.1.93.796.

2. Wong, Wing; Stamp, M. (2006). "Hunting for Metamorphic Engines". Journal in Computer Virology.
2 (3): 211–229. CiteSeerX 10.1.1.108.3878. doi:10.1007/s11416-006-0028-7. S2CID 8116065.

Spinellis, Diomidis (January 2003). "Reliable identification of bounded-length viruses is
NP-complete". IEEE Transactions on Information Theory. 49 (1): 280–4. doi:10.1109/TIT.2002.806137.

This page was last edited on 24 September 2022, at 21:41 (UTC).

Text is available under the Creative Commons Attribution-ShareAlike License 3.0; additional terms
may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a
registered trademark of the Wikimedia Foundation, Inc., a non-profit organization.