VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Thoughts about Morphology in viruses

August 2006

[Back to index] [Comments]


  1. Intro Words
  2. Why The Mental Driller was wrong
  3. Artificial Evolution
  4. More or less
  5. Outro

0) Intro Words

For more than 1.5 years I'm thinking about this topic, and recently I saw that it is important to let you know about it. With this text I want to give an answere and solution to the questions, why antivirus-programs can detect even the best hidding techniques nowadays (metamorphism combined with permutation, full target integration and polymorphical encryption).

1) Why The Mental Driller was wrong

In 29a#6 'The Mental Driller' has released an article called "Metamorphism in practice" where he wrote in the conclusion:

Metamorphism: the strongest viric technique ever ideated, ever created.

There are two reasons why I think that we should focus on another mutating technique, in contrast to metamorphism:

The main reason: Even the theoretically best metamorphic virus is kind of static. In the first instance, of course, it can change the code of it's whole body. But in the second instance, the virus always does the same things - it has the same behaviour as it's n-1 generation. Moreover, all exchanges of the opcodes are manually programmed by the virus-author (which means, a theoretically perfect metamorphic virus can't be written with the current concept, as a viruswriter can not find all possible exchange-possibilities).

A further reason why this statement is wrong: This is more a social reason than a techniqual. Writing a metamorphic virus requires advanced knowlegde of assembler, CPU-functions (opcodes) and the file-format (wheter PE or ELF or something else). As we could have seen in previous years, most virus writers quitted before having that knowledge -> they have not written such complex viruses. Conclusion: It is just too complicated for being our best weapon against anti-virus programms.

To sum up: We need something better than metamophism, which is easier to create. Impossible? I don't think so...

2) Artificial Evolution

When an antivirus program analyses a file infected by a very complex metamorphic virus (say XXX), it still finds out, that the file is infected by XXX, even the new virus looks totally different as its n-1 generation. (->'<- means next, mutated generation):

(XXX)' = XXX -> ((XXX)')' = XXX ...

In my opinion, the only way to solve this fact is more or less total randomness. Not just in the first instance (the code itself) but also in the second instance (the behaviour).

I'm thinking about real artificial evolution. The code of the virus should change itself,not by analysing itself - but (more or less) totally random. This is exactly the same as nature does (because of mistakes) - and it's called evolution. In viruses, the main reason for this "evolution" should not be the improvement of itself, but the uncalculateable result of the random changes. The result of such changes:

(XXX)' <> XXX -> ((XXX)')' <> (XXX)' <> XXX

Antivirus researchers can not figure out wheter a virus is a new virus or a mutated version. First, this is a very big problem in the "war of virus number and names of viruses"; second, it will be a very big problem for analyser to decide wheter something IS a virus or not. And most important: Any variant could look different in the next version, impossible to recalculate, impossible to automatically detect all variants of a single virus.

3) More or less

Pure randomness not realistic, because most variants would fail. To avoid most variants to fail, techniques to reduce the amount of mis-mutations have to be used. As this field is new for viruses, good techniques must be developed (first theoretically, then for practice,of course). Two ways for avoiding mistakes already exist: SEH (Structured Exception Handling) can be used to catch mistakes; and virtual-machine-like behaviour could be used for testing the random generated variants. But I'm sure new ways to reduce mistakes will come to our minds...

4) Outro

In the game anti-virus-community versus virus-writing-community we can not score another important goal with the techniques nowadays. Therefor a new technique has to be used commonly. First encrypted viruses (AVs detected them), polymorphic viruses (AVs detected them), metamorphic viruses (AVs detected them, too). Now artificial evolution... In "Zmist Opportunities" Peter Ferrie and Peter Szor wrote: "'So, poly-encrypted permutated viral body is completely integrated with target file. Hmm ... check-mate?' Not this time, Zombie." - With this technique, we will be once again one step ahead of the anti virus researchers.

                                                  - - - - - - - - - - - - - - -
                                                    Second Part To Hell/[rRlf]  
                                                    [email protected]
                                                    written in August 2006

                                                    ...surrealistic viruswriter...
                                                  - - - - - - - - - - - - - - -
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka