Polymorphism is a characteristic of some viruses that allows them to evade detection by purely signature-based antivirus scanners. It typically involves encrypting the virus body and prepending a decryption routine that changes from one infection to the next.
Etymology
The word "polymorphic" combines the Greek "poly", meaning many, and "morphe", meaning form. It denotes something that can change itself into many different forms.
Characteristics
A polymorphic virus always consists of an encryption/decryption routine, an encrypted virus body, and a mutation engine that generates randomized decryption routines. When a polymorphic virus is executed, it must first decrypt the virus body before turning control over to it. When the virus infects a file, it encrypts its own body in a different way from the previous infection.
Traditionally, malicious code was detected using signatures: a string of bytes that could reliably be found in every copy of a given virus or other malware. Because no significant byte string stays constant across the stored copies of a polymorphic virus, plain signature scanning of the file as it sits on disk fails against it. When the virus replicates, it invokes its mutation engine, which generates a new decryption routine with a different key; the engine then encrypts the virus body (mutation engine included) so that it matches the new decryptor, and attaches decryptor and encrypted body to the file or disk it is infecting.
Detecting Polymorphic Code
Polymorphism was created to defeat signature-based scanners, but today polymorphic viruses can be, and are, detected and neutralized by antivirus products. Heuristic and behaviour-based scanners are often successful: they look for suspicious features in a piece of code, or for behaviour such as an unusual change to a registry key or configuration file, or modification of other executables. Scanners have long included code emulators, which are effective against polymorphic code because they run the decryptor in a sandbox and then scan the decrypted body; emulation was once too CPU-intensive to use freely, but modern processors handle it. Combining emulation with detection of the decryptor itself was a later development that has proven very effective.
Once a polymorphic engine becomes known to antivirus researchers, it becomes something of a liability for the viruses that use it: they all decrypt in a broadly similar way, so a single detection for the engine can cover many of them. The trade-off is that each new engine detection can introduce additional false positives and false negatives.
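The following is an added, self-contained illustration of how the pieces described in the two sections above fit together; it is not code from any of the sources and not a real virus. A toy mutation engine encrypts a benign stand-in "virus body" with a fresh random chain of byte transforms and emits a matching, junk-padded decryptor in a two-byte bytecode; beside it stand three scanners: a plain signature scan of the stored file, which misses every generation; an emulator that interprets the decryptor and then applies the same signature to the recovered body; and an engine-specific decryptor-shape check of the kind that catches every generation of a known engine without decrypting, but can also fire on a clean file. The bytecode, its opcodes, `BODY` and `SIGNATURE` are all constructed for this example.

```python
"""Toy polymorphic engine and the scanners that beat it (added illustration).

The "virus body" is a benign byte string and the "decryptor" is a two-byte
bytecode interpreted by a Python function, so nothing here executes real code.
"""
import random

# Constructed sample body: stands in for the code every generation shares.
BODY = b"DEMO PAYLOAD: this text is the constant virus body"
SIGNATURE = b"constant virus body"  # what a signature scanner looks for

# Toy decryptor instruction set (an assumption of this example, not a real ISA).
# Every instruction is two bytes: opcode, operand.
XOR, ADD, SUB, ROL, ROR, NOP, END = 0x10, 0x11, 0x12, 0x13, 0x14, 0x90, 0xFF
OPCODES = (XOR, ADD, SUB, ROL, ROR, NOP)
INVERSE = {XOR: XOR, ADD: SUB, ROL: ROR}  # forward transform -> undoing transform


def apply_op(data: bytes, opcode: int, k: int) -> bytes:
    """Apply one reversible byte-wise transform to the whole body."""
    if opcode == XOR:
        return bytes(b ^ k for b in data)
    if opcode == ADD:
        return bytes((b + k) & 0xFF for b in data)
    if opcode == SUB:
        return bytes((b - k) & 0xFF for b in data)
    if opcode == ROL:  # k in 1..7
        return bytes(((b << k) | (b >> (8 - k))) & 0xFF for b in data)
    if opcode == ROR:
        return bytes(((b >> k) | (b << (8 - k))) & 0xFF for b in data)
    if opcode == NOP:
        return data
    raise ValueError(f"unknown opcode {opcode:#x}")


def mutate(body: bytes, rng: random.Random) -> bytes:
    """Mutation engine: choose a fresh random chain of transforms, encrypt the
    body with it, and emit a matching decryptor (the inverse transforms in
    reverse order, padded with junk NOPs) followed by the encrypted body."""
    while True:
        chain = []
        for _ in range(rng.randint(2, 4)):
            op = rng.choice([XOR, ADD, ROL])
            k = rng.randint(1, 7) if op == ROL else rng.randint(1, 255)
            chain.append((op, k))
        encrypted = body
        for op, k in chain:
            encrypted = apply_op(encrypted, op, k)
        if encrypted != body:  # discard chains that compose to the identity
            break
    decryptor = bytearray()
    for op, k in reversed(chain):
        for _ in range(rng.randint(0, 3)):  # junk instructions vary the shape
            decryptor += bytes([NOP, rng.randint(0, 255)])
        decryptor += bytes([INVERSE[op], k])
    decryptor += bytes([END, 0])
    return bytes(decryptor) + encrypted


def static_scan(image: bytes) -> bool:
    """Plain signature scan of the file exactly as it is stored on disk."""
    return SIGNATURE in image


def emulate(image: bytes) -> bytes:
    """Run the decryptor in a sandbox: interpret its instructions and apply
    them to the bytes after END, recovering the plaintext body. A file that
    does not open with a decryptor we understand is returned unchanged."""
    pc, ops = 0, []
    while pc + 1 < len(image) and image[pc] != END:
        if image[pc] not in OPCODES:
            return image
        ops.append((image[pc], image[pc + 1]))
        pc += 2
    if pc + 1 >= len(image):
        return image
    data = image[pc + 2:]
    for op, k in ops:
        data = apply_op(data, op, k)
    return data


def emulation_scan(image: bytes) -> bool:
    """Emulate first, then apply the same signature to the decrypted body."""
    return SIGNATURE in emulate(image)


def decryptor_heuristic(image: bytes) -> bool:
    """Engine-specific detection: flag any image that opens with a well-formed
    decryptor of this engine (known opcodes only, at least one real transform,
    terminated by END). Needs no decryption, but would also fire on a clean
    file that happens to start this way (a false positive)."""
    pc, real = 0, 0
    while pc + 1 < len(image) and image[pc] != END:
        if image[pc] not in OPCODES:
            return False
        real += image[pc] != NOP
        pc += 2
    return pc + 1 < len(image) and image[pc] == END and real > 0


def run_demo(seed: int, count: int = 3) -> dict:
    """Generate `count` infections from one seed and report what each scanner sees."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    images = [mutate(BODY, rng) for _ in range(count)]
    return {
        "distinct_images": len(set(images)),
        "static_hits": sum(static_scan(i) for i in images),
        "emulation_hits": sum(emulation_scan(i) for i in images),
        "decryptor_hits": sum(decryptor_heuristic(i) for i in images),
    }


if __name__ == "__main__":
    print(run_demo(2024))
```

Every generation stores a different decryptor and a different ciphertext, so the static scan scores zero, while the emulator recovers the same body each time and the signature matches again. The decryptor-shape check shows the engine-detection trade-off from the paragraph above: it recognizes every generation of this one engine, but its verdict rests on the shape of the first few bytes rather than on the body, which is where false positives come from.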
History
Polymorphic viruses were predicted by Fred Cohen.
Chameleon was the first polymorphic virus, appearing in 1990. It was created by researchers looking to test the limits of the antivirus products of the time, and it was difficult to detect at first because those products relied on finding fixed strings in viruses. It used two sliding keys and included a lot of junk code in the decryptor to alter its appearance.
The Dark Avenger Mutation Engine appeared in 1991. Before this engine it was very difficult for new virus writers to make polymorphic viruses; the engine made it possible to make any virus polymorphic simply by linking the virus to it. It was sophisticated enough that one researcher needed five days to devise an algorithm that could detect a virus using it. It did not include any garbage instructions. Many antivirus products had to be recoded to deal with it. Through the 1990s hundreds of polymorphic engines appeared, most of them used in only one or two viruses.
In 1998, Griyo created HPS and Marburg, the first 32-bit polymorphic viruses. He had previously written another polymorphic virus for DOS, Implant. HPS's engine was very complex: it supported subroutines built from CALL/RET instructions and conditional jumps with non-zero displacements, and it took up half of the virus's code. The full decryptor is built only during the virus's first initialization phase, which makes HPS a slow polymorphic. This hampered antivirus vendors' ability to test their scanners' detection rates, because the infected PC had to be rebooted to force the virus to create a new decryptor.
In 2014 Virlock appeared, the first self-replicating ransomware, which was also polymorphic. In 2015 the FBI and Europol worked together to take down the Beebone botnet, which was spread partly by the Vobfus worm. A 2021 Kaspersky Lab article estimated that 97% of all viruses included some kind of polymorphism.
Polymorphic Code
Polymorphic Viruses and Worms
- Chameleon
- Implant
- Marburg
- Coke
- Fabi
- Dengue
- MetaPHOR
- Zmist
- Begemot
- Blackbat
- Byway
- Class
- Commander
- CTX
- Dedicated
- Desperado
- Elkern
- Goodtimes
- Groove
- Hare
- Hemlock
- Kriz
- Libertine
- Magistr
- Natas
- Onehalf
- Padania
- Pathogen
- Pogue
- Prizzy
- Satanbug
- Sevendust
- Smash
- Starship
- Tannenbaum
- V-Sign
- Whale
- VirLock Ransomware
- VOBFUS
Notable Polymorphic Engines
- Dark Avenger Mutation Engine
- TridenT Polymorphic Engine
- VIP Engine
- VSTE engine
Sources
ashimasaini010. What are Polymorphic Viruses?
Trend Micro. Polymorphic virus.
Arctic Wolf. Cybersecurity Glossary: Polymorphic Virus.
Robert Lipovsky. Virlock: First Self-Reproducing Ransomware is also a Shape Shifter. welivesecurity.com, 22 December 2014.
Kaspersky Lab. What is the Polymorphic Virus? 2021.
Peter Szor. The Art of Computer Virus Research and Defense. Addison-Wesley / Symantec Press, 2005, pp. 261-268. ISBN 0-321-30454-3.