VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum
Top 5 articles
The Mental Driller «Metamorphism in practice or "How I made MetaPHOR and what I've learnt"» (39292)
Z0mbie «Automated reverse engineering: Mistfall engine» (23291)
P. Beaucamps «Advanced Metamorphic Techniques in Computer Viruses» (18175)
P. Ferrie, P. Ször «Hunting for metamorphic» (17060)
A. Walenstein, R. Mathur, M. Chouchane, A. Lakhotia «The Design Space of Metamorphic Malware» (15104)

Library: Metamorphism

Philippe Beaucamps
«Advanced Metamorphic Techniques in Computer Viruses» [TeX] [SRC] 65.42Kb 18175 hits
International Conference on Computer, Electrical, and Systems Science, and Engineering - CESSE'07 (2008)
Nowadays viruses use polymorphic techniques to mutate their code on each replication, thus evading detection by antiviruses. However detection by emulation can defeat simple polymorphism: thus metamorphic techniques are used which thoroughly change the viral code, even after decryption. We briefly detail this evolution of virus protection techniques against detection and then study the METAPHOR virus, today’s most advanced metamorphic virus.
Peter Ferrie, Péter Ször
«Hunting for metamorphic» [SRC] 54.54Kb 17060 hits
Virus Bulletin, Sep 2001, pp. 123-143 (2001)
As virus writers developed numerous polymorphic engines, virus scanners became stronger in their defense against them. A virus scanner which used a code emulator to detect viruses looked like it was on steroids compared to those without an emulator-based scanning engine.Nowadays, most polymorphic viruses are considered boring. Even though they can be extremely hard to detect, most of today's products are able to deal with them relatively easily. These are the scanners that survived the DOS polymorphic days. For some of the scanners DOS polymorphic viruses meant the `end of days'. Other scanners died with the macro virus problem. For most products the next challenge to take is 32-bit metamorphosis.Metamorphic viruses are nothing new. We have seen them in DOS days, though some of them, like ACG, already used 32-bit instructions. The next step is 32-bit metamorphosis under Windows environments. Virus writers already took the first step in that direction.In this paper the authors will examine metamorphic engines to provide a better general understanding of the problem that we are facing. The authors also provide detection examples of some of the metamorphic viruses.
«Recompiling the metamorphism» [SRC] 17.85Kb 8187 hits
Valhalla #2 (2012)
I am sure that using the advantages of high-level languages and compiler's theory would fulfill the potential hidden in metamorphism.
Myles Jordan
«Dealing with Metamorphism» 11.72Kb 14034 hits
Virus Bulletin, 1 Oct 2002 (2002)
When the virus writer known as z0mbie released Win95.Zmist.A in early 2001, much of the attention paid to this virus by the AV community was directed at its remarkable ability to intersperse its own code with that of its infection target. However, this virus also embodied the continuation of z0mbie's work on viral evolution towards metamorphism - a form of camouflage being developed by virus writers that is so potent and radically different from common encryption that AV scanners will soon need powerful new tools to confront this threat. This article will discuss one possible method that AV scanners could use to deal with metamorphism.
Arun Lakhotia, Moinuddin Mohammed
«Imposing Order on Program Statements to Assist Anti-Virus Scanners» 42.22Kb 13730 hits
In Proceedings of Eleventh Working Conference on Reverse Engineering, Delft, The Netherlands, November 2004, pp. 161-170. (2004)
A metamorphic virus applies semantics preserving transformations on itself to create a different variant before propagation. Metamorphic computer viruses thwart current anti-virus technologies that use signatures - a fixed sequence of bytes from a sample of a virus - since two variants of a metamorphic virus may not share the same signature. A method to impose an order on the statements and components of expressions of a program is presented. The method, called a "zeroing transformation," reduces the number of possible variants of a program created by reordering statement, reshaping expression, and renaming variable. On a collection of C program used for evaluation, the zeroing transformation reduced the space of program variants due to statement reordering from 10^183 to 10^20. Further reduction can be expected by undoing other transformations. Anti-virus technologies may be improved by extracting signatures from zero form of a virus, and not the original version.
Lord Julus
«Metamorphism» [SRC] 27.25Kb 11532 hits
29a [5] (2000)
This time the object of my study is metamorphism. I think this is the next step after polymorphism, a step that will reach coding up at a new level: the highest peak of self mutating, the biggest step toward perfect stealth, the best highway to the assembly heaven... If there exists something like that... Personally I think there's only a programmer's hell, because I'm sure that Windows is not allowed in Heaven...
«The Complete Re-write Engine» 13.48Kb 11867 hits
Final Chaos [1] (1999)
A form of metamorphism discussed in theory.
«Meta-Level Languages in Viruses» 9.45Kb 7416 hits
Valhalla #3 (2012)
In valhalla#2, March 2012, herm1t wrote a wonderful article about how to write a good metamorphic virus - a gamechanger [1]. He argued that the virus should be written in a high-level metalanguage such as C, and should be fully self-compiling (more about it in chapter 3)I got interested, and tried to understand how ancient metamorphic viruses handled their reconstruction in terms of meta-languages. Here you see a small non-complete collection of different ways to create a new obfuscated representation of the code. Then I show a small thought on high-level compilers - and what would be a wired case scenario.
«Metamorphism and Self-Compilation in JavaScript» [SRC] 17.84Kb 6539 hits
Valhalla #3 (2012)
Metamorphic script viruses have not been seen - until now. Here I show an implementation in JavaScript, which have been used in JS.Transcriptase. I explain the self-hosting compiler and the meta-level language and take a short look into the future.
«Some ideas to increase detection complexity» [SRC] 13.62Kb 8401 hits
Valhalla #1 (2011)
Here you'll find a few small ideas and thoughts about making detection of computerviruses harder. Thanks alot to herm1t and hh86 for discussion and asking the right questions.
The Mental Driller
«Metamorphism in practice or "How I made MetaPHOR and what I've learnt"» [SRC] 66.25Kb 39292 hits
29a [6] (2002)
Metamorphism is the art of extreme mutation. This means, we mutate everything in the code, not only a possible decryptor. Metamorphism was the natural evolution from polymorphism, which appeared to evade virus scanners. With metamorphism, the difficulty to detect a virus grows exponentially.Then, why aren't there more metamorphic viruses? Simple: they are extremely difficult to make, as I show in this article (not only for tech used, but for the many fux0ring problems we can when we code something like that). Anyway, we'll try to see here that maybe the important thing is to have the correct ideas (something that coders like Vecna, Z0MBiE and others had - hello! :).
Andrew Walenstein, Rachit Mathur, Mohamed Chouchane, Arun Lakhotia
«The Design Space of Metamorphic Malware» [TeX] 38.28Kb 15104 hits
Proceedings of the 2nd International Conference on Information Warfare, (Monterey, CA, U.S.A., Mar 8-9), 2007. (2007)
A design space is presented for metamorphic malware. Metamorphic malware is the class of malicious self-replicating programs that are able to transform their own code when replicating. The raison d'etre for metamorphism is to evade recognition by malware scanners; the transformations are meant to defeat analysis and decrease the number of constant patterns that may be used for recognition. Unlike prior treatments, the design space is organized according to the malware author's goals, options, and implications of design choice. The advantage of this design space structure is that it highlights forces acting on the malware author, which should help predict future developments in metamorphic engines and thus enable a proactive defence response from the community. In addition, the analysis provides effective nomenclature for classifying and comparing malware and scanners.
«About reversing» 13.78Kb 14136 hits
Reversing of executable files is the only base to write undetectable viruses.This is based on the following axiom: complexity C1 of detecting virus itself, when virus location is given, and complexity C2 of finding possible virus locations within infected objects, are different; and total complexity of detecting virus precence is a product of them, i.e. C1 * C2. Both complexities are interrelated; and both are limited by the object to be infected. This means that there exists some maximal complexity, which, when reached, will divide object and virus into different parts. As such, our task is to build optimal infection methods: when product of these complexities will be maximal, but not critically high, and thus only iteration-based detection methods will be effective.For example. Writing poly decryptor is good, but inserting it always into constant place, such as end of last section, is bad. Writing very big poly decryptor is bad in any case. Putting plain virus, into any place of the program, even into random place, is bad. So, the questions are: how much should be the virus polymorphic; in how many ways may it be inserted into file; and, because these two things are interrelated, where is the optimal combination.To find answers to these questions, virus must know everything about itself and about file to be infected. First part can be easily achieved; this was shown us in lots of metamorphic viruses. Second part is much harder, and this is also the subject of this article: how can virus to find out more information about the file it want to infect.
«Automated reverse engineering: Mistfall engine» [SRC] 15.43Kb 23291 hits
Matrix Zine [3] (2001)
Our efforts are directed to develop such method of executable program modification, that finding changes will require maximal amount of time. Modification means addition of the viral code to some specified program, given in the PE format. It is obvious, that main viral body should be encrypted, and metamorphic (generated) virus decryptor should be integrated with program's code.
«Data encoding in meta viruses» 7.35Kb 10983 hits
«Metamorphism (part 1)» [SRC] 30.38Kb 14396 hits
Matrix Zine [2] (2000)
«Metamorphism and permutation: feel the difference» 1.13Kb 9686 hits
«Some ideas about metamorphism» 5.41Kb 11692 hits
Not long ago appeared an idea about virus, consisting of only NOPs. Let we have such typical program, that its code (in different places, but consecutively) contains the same instructions, blocks of instructions or their functional variants, those can be used in some virus. Then, it will be enough to fill all other part of that program's code with NOPs, so all remaining instructions will become the virus itself. Thus, from viewpoint of performed midifications, virus will consist of only NOPs. This can be not only the simple program, but program with all its DLLs; moreover, we can insert not only NOPs, but lots of other garbage. In other words, standard infection by means of adding new instructions here changed into inverse operation, that removes unnecessary instructions. Of course, there will be troubls with constants; but if you're interested in, you will invent something.
11 authors, 18 titles
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka