A polymorphic virus (also called polymorphic code, or simply polymorphism) is a virus that, through a polymorphic engine, mutates itself while keeping its original algorithm intact.
Polymorphic virus
By definition, a polymorphic virus (also called polymorphic code, or simply polymorphism) is a virus that, through a polymorphic engine, mutates itself while keeping its original algorithm, that is, its prescribed functionality, intact. This technique is commonly used by computer viruses and worms to hide their presence. Many antivirus products and intrusion detection systems attempt to locate malicious programs by searching the files on a computer and the packets sent over a network. If that software finds code patterns that match a known threat, it takes the appropriate steps to neutralize it. Polymorphic algorithms make such code difficult to detect by constantly modifying it. In most cases, viruses that use polymorphism do so together with encryption: the author uses encryption to keep most of the code out of sight of the scanner, and polymorphism to vary the decryption routine itself, the one part that has to remain readable so that it can run.
3A23 Camouflage Transcript: Polymorphic Mechanisms
Polymorphic mechanisms are a technique for preventing a virus from being detected by varying the way each copy is encrypted. This forces antivirus products to use heuristic techniques, since a virus that changes with every infection cannot be located by searching for fixed strings of code. The variation is produced by an encryption algorithm that leaves the antivirus very little to hold on to. However, the entire virus cannot be encrypted: one part must always remain unencrypted so that it can take control and decrypt the rest, and that decryptor is the part the antivirus has the best chance of recognizing. Polymorphic viruses contain mechanisms that allow them to change their appearance with each infection. In addition, they can insert, or randomly scatter, junk instructions that are not required for the virus to function. As a result, these viruses can yield billions of variations of the same virus. Traditional virus descriptions (also called signatures) are therefore often not sufficient to reliably detect and remove encrypted polymorphic viruses; usually special-purpose detection routines have to be written for them. These viruses are also called “mutants”.
Polymorphic viruses work in the following way: they hide in a file and are loaded into memory when the infected file is executed. But instead of making an exact copy of themselves when they infect another file, they modify that copy so that it looks different each time they infect a new file. Polymorphism is another capability of biological viruses applied to computer viruses. Famous virus writers, such as the Bulgarian known by the alias Dark Avenger, implemented polymorphic routines in their viruses. Polymorphism was achieved by encrypting the main code of the virus with a non-constant key, by using random sets of decryption instructions, or by using executable code that changes with each run. These ways of producing polymorphic code are the simplest; there are far more elaborate and exotic techniques. Polymorphism is nothing more than the ability to make more or less different copies of the original virus. The aim of this programming technique is to make viruses harder to detect, since the antivirus software of the time (late 1980s, early 1990s) looked for fixed hexadecimal patterns, and a polymorphic virus leaves no fixed pattern from one copy to the next. The simplest encryption used for this is the XOR operation, which is its own inverse: XORing a byte with the key encrypts it, and XORing the result with the same key recovers the original byte. With the key 9, for example, 12 XOR 9 = 5 and 5 XOR 9 = 12. In this case the key is the number 9, but using a different key for each infection produces a different encrypted body each time. Another widely used method is to add a fixed number to each byte of the viral code.
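The following simulation ties together the two sections above: an encrypted body, a clear-text decryptor stub that carries a per-copy key and some junk bytes, and the two kinds of detection the text contrasts (fixed-string search versus letting the decryptor run first). It is an example added to this page, not code from the original article or from any real virus: the stub layout, the choice between XOR and byte addition, the harmless text standing in for the virus body and every function name are assumptions made for the illustration. It also goes slightly beyond the text by combining the XOR scheme and the add-a-constant scheme in one generator.

```python
import random

# Constructed stand-in for a virus body: harmless text, not real malware.
# In a real polymorphic virus this would be the machine code being hidden.
BODY = b"PAYLOAD: do the thing; repeat for each host file\n"

# The bytes an old-style scanner would store as the signature of this "virus".
SIGNATURE = BODY[:16]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with key. XOR is its own inverse, so this encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def add_bytes(data: bytes, key: int) -> bytes:
    """Add a fixed key to every byte (mod 256): the other scheme the text mentions."""
    return bytes((b + key) & 0xFF for b in data)


def sub_bytes(data: bytes, key: int) -> bytes:
    """Inverse of add_bytes."""
    return bytes((b - key) & 0xFF for b in data)


def make_copy(body: bytes, method: bytes, key: int, junk: bytes) -> bytes:
    """Build one infected 'copy': clear-text decryptor stub, then the encrypted body.

    Hypothetical stub layout used only by this simulation:
      b"STUB" | method (b"X" = xor, b"A" = add) | key byte | junk length | junk
    The stub stays readable because it is what runs first; it is the
    unmutated part of the virus that the text says antivirus products target.
    """
    if method not in (b"X", b"A") or not 1 <= key <= 255 or len(junk) > 255:
        raise ValueError("bad stub parameters")
    enc = xor_bytes(body, key) if method == b"X" else add_bytes(body, key)
    return b"STUB" + method + bytes([key, len(junk)]) + junk + enc


def random_copy(body: bytes, rng: random.Random) -> bytes:
    """One 'infection': fresh random method, key and junk, so every copy differs."""
    method = rng.choice([b"X", b"A"])
    key = rng.randrange(1, 256)                       # key 0 would leave the body in clear
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(8)))
    return make_copy(body, method, key, junk)


def random_copies(n: int, seed: int) -> list:
    """n successive infections from a seeded generator (deterministic for checking)."""
    rng = random.Random(seed)
    return [random_copy(BODY, rng) for _ in range(n)]


def run_copy(blob: bytes) -> bytes:
    """Emulate executing the stub: read method and key, skip the junk, decrypt the body."""
    if blob[:4] != b"STUB" or len(blob) < 7:
        raise ValueError("not a stub")
    method, key, junk_len = blob[4:5], blob[5], blob[6]
    enc = blob[7 + junk_len:]
    if method == b"X":
        return xor_bytes(enc, key)
    if method == b"A":
        return sub_bytes(enc, key)
    raise ValueError("unknown method")


def scan_signature(blob: bytes, sig: bytes = SIGNATURE) -> bool:
    """Classic string search: look for the body's bytes in the file as stored on disk."""
    return sig in blob


def detect_by_emulation(blob: bytes, sig: bytes = SIGNATURE) -> bool:
    """Heuristic detection: let the decryptor 'run', then search the decrypted result."""
    try:
        return sig in run_copy(blob)
    except ValueError:
        return False


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Longest byte run two copies share: the most a static signature could be built from."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


if __name__ == "__main__":
    copies = random_copies(3, 2024)
    for c in copies:
        print(c[:8].hex(), "signature hit:", scan_signature(c),
              "emulation hit:", detect_by_emulation(c))
    print("bytes shared by copies 0 and 1:", longest_common_substring(copies[0], copies[1]))
```

Run stand-alone, the script shows that a fixed-string scan never fires on any copy while emulation fires on every one, and that the only bytes two copies reliably share are the constant prefix of the stub, which is exactly why the text says the decryptor is the part a scanner has to go after.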