1

I was reading about Metamorphic & polymorphic viruses ..

to what i understood ; they both uses mutation engines to avoid detection by anti-viruses, as the polymorphic encrypts\decrypts its code , and the metamorphic generates a logical equivalent code.

According to what i know , viruses are parasitic male-ware. i.e. it needs a host to produce copies of itself and cannot act independently like worms .

So my question is , during the virus's typical life cycle (infection - duplications- activating payload- etc ) , where is the mutation engine in all this ? And when a virus moves from its host to another PC what happens to the engine ? And what happens at the next host in the first cycle , how can it achieve its mutation ?

HSN
  • 1,218
  • 14
  • 23

2 Answers2

3

The mutation engine is contained in the virus body.

It is just another module of the virus. Viruses typically have a file scanning module, an infection module, a mutation module, a payload module and many others. On infection, the mutation module is used to mutate all of its modules and pass them to the infected host.

Mutation engines are mostly targeted by antivirus engines because they have typical behavior and are often used for multiple families of infector malware. They are targeted also because they are weekly mutated. That is because "mutating" the "mutator" can lead to bad "monster mutations" :)

Cristian Dobre
  • 9,897
  • 1
  • 32
  • 51
  • LOL "i like the monster mutation stuff :) " .. Thanks for the answer , but didn't we beat the whole point ? I mean , now the AV is hunting for the engine instead of the virus's signature , aren't we back to square zero again ?? – HSN Dec 30 '12 at 10:56
  • 1
    The mutation engine is part of the virus so from the AV point of view it is the virus. Most modern malware is hidden behind a layer of encryption so AV is targeting the decryption routines. A lot of packers, cryptors and protectors are detected by AV instead of the real malware payload.

    Some AVs look at the overall behavior of the binary file but by the time it was allowed to run in order to be observed, it may be already too late.

     – Cristian Dobre Dec 30 '12 at 11:08
  • Can you please recommend a good resource/textbook to read more about this topic ? – HSN Dec 30 '12 at 11:14
  • 2
    There has also been indications of server-side mutations recently.

    http://nakedsecurity.sophos.com/2012/07/31/server-side-polymorphism-malware/ http://www.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/2012/news-stories/AndroidMalware.pdf

     – JZeolla Dec 31 '12 at 15:28
  • 1
    I have my knowledge from working in the antivirus industry so it's hard to recommend a textbook for this constantly changing subject.

    Here are resources addressing polymorphic malware in abstract and in particular. http://goo.gl/1PGTI http://goo.gl/01I0n http://goo.gl/5bp3a http://goo.gl/NbLgD http://goo.gl/HHFe3 http://goo.gl/tSc4r http://goo.gl/gD3yR http://goo.gl/VWhWO http://goo.gl/e6vYM http://goo.gl/sD1lO http://goo.gl/N64oi

    Slides: http://goo.gl/4DNTA http://goo.gl/cHT6G http://goo.gl/XWsgU http://goo.gl/YO8jS

    Practical: http://goo.gl/oq3Gy http://goo.gl/xvaw5 http://goo.gl/TEC2c

     – Cristian Dobre Jan 02 '13 at 10:56
1

I think things become a little more complex...As today every hosts hold sufficiently memory to let a big, very big virus install without making a big print on host's memory: While a server could work normally with 24Gb memory how mutch could use a virus before it will be statistically visible?

There is now enough space to hold a full C compiler, analytic engines and lot of packages, like upgrade engines (same as apt-get could do in Debian, for sample). Installed virus may now be upgraded to follow anti-virus developments and have appropriate reaction...

I think, (but don't have any proof ;), that new generation of polymorphic viruses could grown and become self-versonized by himself... (and maybe through some hidden repositories for authoritative upgrades).

Nota: Bandwidth are growing too, so with the help of a little of stegano (another package in virus installation) making upgrade could be strongly hidden too.

But... I'm (a little) paranoid and have a lot of imagination.

F. Hauri - Give Up GitHub
  • 4,266
  • 2
  • 22
  • 34
  • I think the scenario ur speaking about is closer to worms than viruses ....viruses are parasitic malware so on the same host you will find a copy in each infected file , so they cant start updating or they will be detected because the unusual traffic (imaging all the infected files are updating on a host) – HSN Dec 30 '12 at 11:33
  • 1
    Maintening registers like dns and use local connections whenever exists, clearly yes! Don't think hackers are stupids! If a good programmer team could build impressive so called intuitive OS, why did you think a good pirate team could not invent new generation of intuitive and evolutive viruses? (At all, a virus don't need to infect all files nor many, depending on how, why and what, only 1 file by host is sufficient) – F. Hauri - Give Up GitHub Dec 30 '12 at 11:55