Advanced Polymorphic Techniques.pdf - adamas.ai

PROCEEDINGS OF WORLD ACADEMY OF SCIENCE, ENGINEERING AND TECHNOLOGY VOLUME 25 NOVEMBER 2007 ISSN 1307-6884weakness is also the immutability of METAPHOR’smutation grammar.• METAPHOR’s mutation grammar is globally simple anddoes not use any sophihsticated obfuscation tricks – thisis by conception given that the virus wants to be ableto revert effects of mutation. In other words, using moreadvanced obfuscation techniques, possibly along with theaddition of metadata into the code (as is the case withMISS LEXOTAN – see section II-C), would lead to a virus,which would be much harder to detect (speaking of itsmere detectability as well as of the complexity of itsdetectability).• Except during decryption, METAPHOR does not protectitself from behaviour analysis.É. Filiol studies into more details some aspects of META-PHOR in [6], from a theoretical point of view, and mostnotably regarding the detection barrier on which METAPHORsits astride: if it mostly inclines towards detectability, somemodifications would be sufficient to have it incline towardsthe other side (see the POC virus PBMOT). To sum up,METAPHOR is a highly advanced virus, which could be reallydangerous with a few improvements (PBMOT certainly isthe most appropriate proof). Other advances, as on the fieldof functional polymorphism, would also give metamorphicviruses more sophisticated means of defence against detection.easy). In the same time, development of rootkit techniquesdraws away attention. Yet, both threats are real, with differentmaturities, but none of them should be overlooked. Eventhough the second one is mostly implemented in worms, whichcurrently represent the most important infectious threat, andeven though it is more technical than the first one, and thuswithin the means of more hackers.All in all, if virus writers were a bit less “in a hurry”and refined their techniques, the antiviral community could bequickly overtaken. An advanced use of syntactic and functionalpolymorphism techniques, combined with advanced stealthtechniques, would theoretically make the complexity of thedetection problem prohibitive or even undecidable [6] (POCvirus PBMOT).REFERENCES[1] John Aycock. Computer Viruses and Malware. Springer, 2006.[2] Philippe Beaucamps and Éric Filiol. On the possibility of practicallyobfuscating programs – towards a unified perspective of code protection.Journal in Computer Virology, 3(1), April 2007.[3] Fred Cohen. Computer viruses - theory and experiments, 1984.[4] Éric Filiol. Strong cryptography armoured computer viruses forbiddingcode analysis: the BRADLEY virus. In Proceedings of the 14th EICARconference, May 2004.[5] Éric Filiol. Computer viruses: from theory to applications. SpringerVerlag, 2005.[6] Éric Filiol. Advanced viral techniques. Springer Verlag France, 2007.An english translation is pending, due mid 2007.[7] Kharn. Exploring RDA. .aware eZine, 1, January 2007.IV. CONCLUSION[8] Mark Ludwig. Computer Viruses, Artificial Life and Evolution. AmericanEagle Publications, Inc., 1993.If polymorphic and above all metamorphic techniques describedin this document enable viruses to protect themselves Eagle Publications, Inc., 1995.[9] Mark Ludwig. The Giant Black Book of Computer Viruses. American[10] George Marsaglia. Xorshift RNGs. Journal of Statistical Software,in a more efficient way against detection, their sophistication 8(14), 2003.mostly stems from antiviral protection. For antiviral protection [11] The Mental Driller. METAPHOR source code. Version 1D available at:is in fact eternally submitted to two paradoxes:http://vx.netlux.org/src view.php?file=metaphor1d.zip.[12] The Mental Driller. TUAREG details and source code. Available in• The more it develops, the more viruses, worms and other 29A#5: http://vx.org.ua/29a/29A-5.html.malwares use advanced protection techniques which get [13] The Mental Driller. Advanced polymorphic engine construction. 29A,5, December 2000. Available at: http://vx.netlux.org/lib/vmd03.html.harder and harder to bypass. In a sense, it sentences [14] The Mental Driller. Metamorphism in practice or ”how i made METAitselfindirectly to its own impotence (wrt these advanced PHOR and what i’ve learnt”. 29A, 6, February 2002. Available at:techniques). Yet currently it still remains efficient, thanks http://vx.netlux.org/lib/vmd01.html.[15] MidNyte. An introduction to encryption, April 1999. Available at:to the mediocre quality of most malwares or to the complexityof the mentionned protection techniques, which [16] James Riordan and Bruce Schneier. Environmental key generationhttp://vx.netlux.org/lib/vmn{04,05,06}.html.discourages most malware writers.towards clueless agents. In Lecture Notes In Computer Science, volume1419, pages 15 – 24, 1998.• And secondly, if on one side the increase of RAM size [17] Alisa Shevchenko. The evolution of self-defense technologies inand CPU speed, as well as the upcoming of multi-core malware. Available at: http://www.net-security.org/article.php?id=1028,processors, seem to be in favour of antiviral protection, July 2007.[18] Diomidis Spinellis. Reliable identification of bounded-length viruses isit also enables malwares to use more and more complex NP-complete. IEEE Transactions on Information Theory, 49(1):280 –techniques, without having to worry about their cost. 284, January 2003.And this is all the more true as, as we told previously, [19] Peter Szor. The Art of Computer Virus Research and Defense. AddisonWesley Professional, 2005.antiviruses will always be limited in time and CPU cost,unlike malwares.Also, it should be noted that the state of the art of currentmetamorphic techniques (with viral protection purpose) isnot representative of the threat they represent. Some antiviralexperts sweep blatantly away – recently again [17] – this threat Philippe Beaucamps is a PhD student at the CNRS / LORIA in Nancy,on the pretext that it never actually proved itself except for France. He works on the modelization of viral infections, and on formal andpractical malware detection and protection.proving its own uselessness. And as a matter of fact, the history Contact address: Loria, Équipe Carte, B.P. 239, 54506 Vandoeuvre-lèsofmetamorphic viruses tends to corroborate this: there are few Nancy Cédex, Franceof them, most of which are poorly accomplished and containcritical flaws (bugs or conception flaws which make detectionPWASET VOLUME 25 NOVEMBER 2007 ISSN 1307-6884 411 © 2007 WASET.ORG