User talk:Beleraphon

January 2010
Welcome to Wikipedia. Everyone is welcome to make constructive contributions to Wikipedia, but at least one of your recent edits, such as the one you made to Polymorphic virus, did not appear to be constructive and has been automatically reverted by ClueBot.
 * Please use the sandbox for any test edits you would like to make, and take a look at the welcome page to learn more about contributing to this encyclopedia. Note that human editors do monitor recent changes to Wikipedia articles, and administrators have the ability to block users from editing if they repeatedly engage in vandalism.
 * Cluebot produces very few false positives, but it does happen. If you believe the change you made should not have been detected as unconstructive, please report it here, remove this warning from your talk page, and then make the edit again.
 * The following is the log entry regarding this warning: Polymorphic virus was changed by Beleraphon (u) (t) blanking the page on 2010-01-18T14:51:21+00:00 . Thank you. ClueBot (talk) 14:51, 18 January 2010 (UTC)

Polymorphic Virus Information

In computer terminology, a polymorphic virus is program code that uses a polymorphic engine to mutate while keeping the original algorithm intact. That is, the code changes itself each time it runs, but the function of the code as a whole does not change at all. This technique is sometimes used by computer viruses, shellcode and computer worms to hide their presence. [1]

Encryption is the most common method of hiding code. With encryption, the main body of the code (also called the payload) is encrypted and so appears meaningless. For the code to function as before, a decryption function is added to it. When the code is executed, this function reads the payload and decrypts it back to its original form; once execution reaches the payload, everything proceeds as it did before encryption.

Encryption alone is not polymorphism. To gain polymorphic behavior, the encryptor/decryptor pair is mutated with each copy of the code. This yields many different-looking versions of the same code, all of which behave identically. [2]
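The following is an added illustration, not part of the article, of why encryption on its own does not hide a sample. It is a byte-level model only: the decryptor stub and the payload are constructed ASCII stand-ins, not machine code, and the layout (stub, one key byte, XOR-encrypted payload) is an assumption chosen to mirror the Start / CryptoKey / Encrypted ordering of the pseudocode later on the page. Three copies are built with different keys; a signature taken from the plaintext payload matches only the copy built with a zero key, while a signature taken from the unchanging stub matches every copy.

```python
"""Encryption alone keeps one thing constant across every copy: the decryptor
stub. A signature on the stub therefore matches all of them."""

# Constructed stand-ins; neither is real machine code.
DECRYPTOR_STUB = b"[decryptor stub: identical in every copy]"
PAYLOAD = b"payload: hello from the constructed sample"


def xor_bytes(data, key):
    """Symmetric single-byte XOR, i.e. 'B = B XOR CryptoKey' over a buffer."""
    return bytes(b ^ key for b in data)


def build_copy(key):
    """Lay out one copy: stub, then the key byte, then the encrypted payload."""
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(PAYLOAD, key)


def decrypt_copy(copy):
    """What the stub does at run time: read the key and undo the XOR."""
    key = copy[len(DECRYPTOR_STUB)]
    return xor_bytes(copy[len(DECRYPTOR_STUB) + 1:], key)


def scan(sample, signature):
    """Naive signature scanner: a plain substring search."""
    return signature in sample


def demo(keys=(0x00, 0x5A, 0xC3)):
    """Build one copy per key and scan each with two different signatures."""
    copies = [build_copy(k) for k in keys]
    # A payload signature only fires on the zero-key copy (A xor 0 = A).
    payload_hits = [scan(c, b"hello from") for c in copies]
    # A signature on the constant stub fires on every copy.
    stub_hits = [scan(c, DECRYPTOR_STUB[:16]) for c in copies]
    # Every copy still yields the original payload when decrypted.
    restored = all(decrypt_copy(c) == PAYLOAD for c in copies)
    return payload_hits, stub_hits, restored


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `([True, False, False], [True, True, True], True)`: the encrypted payload defeats the payload signature, but the stub that every copy must carry does not change, which is exactly the gap the next section says polymorphic engines try to close.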


Malicious code

Most anti-virus software and intrusion detection systems attempt to locate malicious code by searching through computer files and data packets sent over a computer network. If the security software finds patterns that correspond to known computer viruses or worms, it takes appropriate steps to neutralize the threat. Polymorphic algorithms make it difficult for such software to locate the offending code, as it constantly mutates.

Malicious programmers have sought to protect their encrypted code from this virus-scanning strategy by rewriting the unencrypted decryption engine each time the virus or worm is propagated. Anti-virus software uses sophisticated pattern analysis to find underlying patterns within the different mutations of the decryption engine, in hopes of reliably detecting such malware.

The first known polymorphic virus was written by Mark Washburn. The virus, called 1260, was written in 1990. A more well-known polymorphic virus was invented in 1992 by the cracker Dark Avenger (a pseudonym) as a means of avoiding pattern recognition by antivirus software. A common and very virulent polymorphic virus is the file infector Virut. This virus can often require a full reformat of a computer's hard disk drive to get rid of it. However, an infection that has not completely made the system unusable might be curable with a bootable anti-malware disk.

Example

An algorithm that uses, for example, the variables A and B but not the variable C could stay intact even if you added lots of code that changed the contents of the variable C.

The original algorithm:

    Start:
        GOTO Decryption_Code
    Encrypted:
        ... lots of encrypted code ...
    Decryption_Code:
        A = Encrypted
    Loop:
        B = *A
        B = B XOR CryptoKey
        *A = B
        A = A + 1
        GOTO Loop IF NOT A = Decryption_Code
        GOTO Encrypted
    CryptoKey:
        some_random_number

The same algorithm, but with lots of unnecessary C-altering code:

    Start:
        GOTO Decryption_Code
    Encrypted:
        ... lots of encrypted code ...
    Decryption_Code:
        C = C + 1
        A = Encrypted
    Loop:
        B = *A
        C = 3214 * A
        B = B XOR CryptoKey
        *A = B
        C = 1
        C = A + B
        A = A + 1
        GOTO Loop IF NOT A = Decryption_Code
        C = C^2
        GOTO Encrypted
    CryptoKey:
        some_random_number

The encrypted code is the payload. To make different versions of the code, the garbage lines that manipulate C are changed in each copy. The code inside "Encrypted" ("lots of encrypted code") can search the code between Decryption_Code and CryptoKey and remove all the code that alters the variable C. Before the encryption engine is used again, it can add new unnecessary code that alters C, or even exchange the code in the algorithm for new code that does the same thing. Usually the coder uses a zero key (since A xor 0 = A) for the first generation of the virus, which makes the coder's job easier because with this key the code is not encrypted. The coder then implements an incremental key algorithm or a random one.
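To make the two listings above and the "pattern analysis" remark in the previous section concrete, here is an added example (not part of the article) that interprets the page's pseudocode and then scans it the two ways a defender can. Assumptions of my own: the decryptor is held as a list of instruction strings, the "Encrypted" region is modelled as a separate byte buffer whose end plays the role of the Decryption_Code address, registers are 32 bits wide, the payload and key are constructed values, and the junk pool is exactly the C-altering lines from the second listing. Two copies padded with different junk both decrypt the payload correctly; an exact signature taken from one copy misses the other, but stripping every instruction whose destination is C (the dead-store removal the text itself describes) reduces both to the canonical decryptor, which a structural signature matches.

```python
"""Toy model of the page's pseudocode: a decryptor, copies of it padded with
C-altering junk, and a scanner that normalises the junk away before matching."""
import random

# The page's decryptor, one instruction per entry (labels end with ':').
CANONICAL_DECRYPTOR = [
    "Decryption_Code:",
    "A = Encrypted",
    "Loop:",
    "B = *A",
    "B = B XOR CryptoKey",
    "*A = B",
    "A = A + 1",
    "GOTO Loop IF NOT A = Decryption_Code",
    "GOTO Encrypted",
]

# Junk that only writes C, taken from the page's second listing.
JUNK_POOL = ["C = C + 1", "C = 3214 * A", "C = 1", "C = A + B", "C = C^2"]

MASK = 0xFFFFFFFF  # assumed 32-bit registers, so C^2 cannot grow without bound


def mutate(code, insertions):
    """Copy `code` with junk inserted at the given (index, text) positions,
    applied in order against the growing list."""
    out = list(code)
    for pos, junk in insertions:
        out.insert(pos, junk)
    return out


def random_variant(seed, n_junk=4):
    """Per-copy mutation as the text describes: junk lines at random places."""
    rng = random.Random(seed)
    code = list(CANONICAL_DECRYPTOR)
    for _ in range(n_junk):
        code.insert(rng.randrange(1, len(code)), rng.choice(JUNK_POOL))
    return code


def run_decryptor(code, encrypted, key):
    """Interpret the decryptor over a byte buffer standing in for the
    'Encrypted' region; Decryption_Code is the address just past it."""
    mem = bytearray(encrypted)
    consts = {"Encrypted": 0, "Decryption_Code": len(mem), "CryptoKey": key}
    regs = {"A": 0, "B": 0, "C": 0}
    labels = {line[:-1]: i for i, line in enumerate(code) if line.endswith(":")}
    ops = {"+": lambda x, y: x + y, "*": lambda x, y: x * y,
           "XOR": lambda x, y: x ^ y, "^": lambda x, y: x ** y}

    def value(tok):
        if tok == "*A":
            return mem[regs["A"]]
        if tok in consts:
            return consts[tok]
        if tok in regs:
            return regs[tok]
        return int(tok)

    pc, steps = 0, 0
    while pc < len(code):
        line = code[pc]
        pc += 1
        steps += 1
        if steps > 10000:
            raise RuntimeError("decryptor did not terminate")
        if line.endswith(":"):
            continue
        if line == "GOTO Encrypted":
            return bytes(mem)  # control would now pass to the decrypted payload
        if line.startswith("GOTO "):
            _, target, _, _, lhs, _, rhs = line.split()  # GOTO L IF NOT x = y
            if value(lhs) != value(rhs):
                pc = labels[target]
            continue
        dst, expr = line.split(" = ", 1)
        toks = expr.replace("^", " ^ ").split()
        result = value(toks[0]) if len(toks) == 1 else ops[toks[1]](value(toks[0]), value(toks[2]))
        result &= MASK
        if dst == "*A":
            mem[regs["A"]] = result & 0xFF
        else:
            regs[dst] = result
    raise RuntimeError("decryptor fell off the end")


def normalise(code):
    """Dead-store removal: drop every instruction that only writes C, which
    the real algorithm never reads."""
    return [line for line in code if not line.startswith("C = ")]


def exact_match(code, signature):
    """Exact signature: the whole instruction sequence must be identical."""
    return list(code) == list(signature)


def structural_match(code):
    """Normalise first, then compare against the canonical decryptor."""
    return normalise(code) == CANONICAL_DECRYPTOR


PLAINTEXT = b"constructed sample payload, not real code"  # constructed value
KEY = 0x5A  # constructed value


def encrypt(payload, key):
    return bytes(b ^ key for b in payload)


def demo():
    """Two junk-padded copies: both run, only one matches exactly, both match structurally."""
    encrypted = encrypt(PLAINTEXT, KEY)
    copy_a = mutate(CANONICAL_DECRYPTOR, [(2, "C = C + 1"), (5, "C = 3214 * A"), (8, "C = 1")])
    copy_b = mutate(CANONICAL_DECRYPTOR, [(4, "C = A + B"), (9, "C = C^2")])
    decrypts = [run_decryptor(c, encrypted, KEY) == PLAINTEXT for c in (copy_a, copy_b)]
    exact = [exact_match(c, copy_a) for c in (copy_a, copy_b)]
    structural = [structural_match(c) for c in (copy_a, copy_b)]
    return decrypts, exact, structural


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `([True, True], [True, False], [True, True])`. The normaliser here is deliberately the simplest rule the text licenses (every write to C is dead); a scanner facing real engines has to establish which registers are dead rather than assume a fixed name, but the shape of the defence is the same: canonicalise the decryptor before matching rather than match its raw bytes.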

See also
 * Timeline of notable computer viruses and worms
 * Metamorphic code
 * Self-modifying code
 * Alphanumeric code
 * Shellcode
 * Software cracking
 * Security cracking
 * Obfuscated code

References
 * [1] Diomidis Spinellis. "Reliable identification of bounded-length viruses is NP-complete". IEEE Transactions on Information Theory, 49(1):280–284, January 2003. doi:10.1109/TIT.2002.806137
 * [2] Raghunathan, Srinivasan (2007). "Protecting anti-virus software under viral attacks". MS Thesis, Arizona State University.
 * [3] Wong, Wing; Stamp, M. (2006). "Hunting for Metamorphic Engines". Journal in Computer Virology. Department of Computer Science, San Jose State University.