Metamorphic virus carrying its own generator
Viruses and malware are serious threats to system security. There are so many viruses available nowadays that it has become difficult to provide a precise definition. Polymorphic and metamorphic viruses are two commonly known kinds of viruses. Of these two types, metamorphic viruses are harder to detect because they change their structure at each mutation, so different variants of a metamorphic virus look very different from each other.
Research on this topic reveals that there are many metamorphic generator kits available that simplify the work of computer virus writers. There are also many packers and wrappers that can be used on top of the viruses.
In this project, we analyze different generators and try to find a way to join a virus generator with the virus code in order to create a metamorphic virus. Related work, experimental results and analysis of the results are presented in this paper.
Virus attacks have been occurring since the early 1970s. Since then, many virus writers have tried to create new types of viruses. There are different kinds of viruses, namely polymorphic viruses, metamorphic viruses, worms, Trojan horses and other malware. Of all these, metamorphic viruses are believed to be the most dangerous. Metamorphic viruses are very disastrous because they are very difficult to identify. Many virus writers nowadays prefer to write metamorphic viruses. This is because, even after spending months writing a polymorphic virus, there is a chance that the polymorphic virus will be detected. This is not the case with a metamorphic virus.
To date, there is no metamorphic virus that carries its own generator. If a virus carries its own generator, it will become even more difficult to detect. While it has not been developed yet, in my writing project I wish to develop a metamorphic virus that carries its generator along with it. If this is implemented successfully, every copy of the virus produced will also have a generator. In this writing project I will explain the different types of viruses that exist and the kits that are used to generate metamorphic viruses.
2.0 Literature Review
2.1 Introduction to literature review
There are many articles, blogs and research papers written about the history and current trends of viruses. A few of the most useful papers related to my study are "Analysis and detection of computer metamorphic virus", "Towards an undetectable computer virus", "Hunting for metamorphic" and "Metamorphic virus: analysis and detection". In these research papers the authors have either created a metamorphic virus or found a way to detect metamorphic viruses. Much of the information related to my project was available in these research papers.
2.2 History of viruses
Viruses have existed for a long time. Virus writers work hard to create viruses that are disastrous and undetectable. At the same time, antivirus developers strive to find ways to detect viruses. A group of college students created the first virus. Those viruses were harmless. Generally, a computer virus will try to modify a host program to replicate itself. The host is modified to contain a copy of the malicious code. When the infected host is executed, it in turn starts infecting other objects in the system. Generally, a computer virus is said to have the following modules.
Figure 1 shows sample pseudocode of a simple virus. In it, infect() decides the way the virus will spread, trigger() decides how to deliver the payload, and payload() defines the damage performed by the virus. This concept was very important for me to understand. After reading through the research paper "Towards an undetectable computer virus", I got ideas to write a sample virus code. Previously, to create a virus, a writer needed extensive knowledge of assembly language. Now this is not necessary, as even a novice can create strains of previously available viruses with the help of mutation engines and virus creation kits. Each virus has unique characteristics that make it distinct from others.
2.3 Types of viruses
There are different types of computer viruses; some are standalone and some use the internet to propagate. A few of the types that I became familiar with while going through the paper "Hunting for metamorphic engines" are listed below.
2.3.1 Encrypted viruses
The simplest way to change a virus's appearance is encryption. An encrypted virus is said to have two parts: the decryptor module and the encrypted body. The encryption key changes each time the virus mutates, which makes it difficult to detect. However, nowadays virus writers do not prefer to write such viruses, as the virus scanners available now are capable of detecting encrypted viruses because the decryptor code itself is detectable.
2.3.2 Polymorphic viruses
The next type of virus is the polymorphic virus. This solves the previous problem, as polymorphic viruses contain a mutated decryptor: each copy of a polymorphic virus contains a different copy of the decryptor. This makes polymorphic viruses difficult for virus scanners to detect. Some polymorphic viruses carry a constant encrypted virus body, and hence even polymorphic viruses are detectable. In a polymorphic virus 90% of the code is the malicious code and the remaining 10% is the encryption, decryption key or the polymorphic engine. From the research paper I found the following execution cycle of a polymorphic virus.
2.3.3 Metamorphic viruses
I then came across metamorphic viruses, which fascinated me, and hence I decided to create a metamorphic virus of my own. Metamorphic viruses are the most dangerous ones as they are not detectable, and a user will not even know of the presence of the virus in his system. The virus achieves this by changing its structure each time it mutates, so each copy of a metamorphic virus is different from the parent virus. To achieve metamorphism, these viruses use a few techniques such as code obfuscation, junk code insertion, register renaming, permutation and unconditional jumps. The research paper "Metamorphic virus: analysis and detection" had many code samples that helped me understand the properties of metamorphism well.
Evol is one of the more disastrous metamorphic viruses available to date. The morphing engine used in the Evol virus uses garbage code insertion and simple code obfuscation techniques. A code snippet of the virus is as follows:
While reading various research papers and going through online forums, I realized that metamorphic generators and metamorphic viruses are very hard to create. To make this task simpler, there are a few metamorphic generation kits readily available online.
It is believed that 80% of a metamorphic virus's code is the metamorphic engine and the remaining 20% is the actual virus code. The metamorphic engine has to be the best in order to produce the best virus, where best means undetectable.
2.4 Virus creation kits
There are several virus creation kits available online that make the virus writer's job easy. With the help of these kits, even a novice user can create a metamorphic virus. The kits are capable of creating mutating versions of viruses, thus making them difficult to identify. A few of the best kits available are the next generation virus creation kit, metamorphic mutation kits, second-generation virus generator, mass coded generator and virus creation kit. Of all these, the next generation virus creation kit is considered the best. Considerable research on this kit has shown that virus scanners have failed to detect the viruses generated by it.
The research paper "Hunting for metamorphic engines" written by Wing Wong contains many experiments performed on the virus generator kits listed above. These experiments were very useful to me, as they helped me decide which kit to proceed with in my thesis. They gave me an idea of how viruses are really written and how they can be made more disastrous. The paper describes the metamorphic engine as having the following parts.
The disassembler converts the machine language code into assembly language. The shrinker uses code obfuscation techniques to change the original virus code into equivalent code. The permuter shuffles and permutes the garbage code and jump statements. The assembler creates the machine code of a new variant that looks different but has the same functionality.
After reading through all the research papers written on viruses, it is clear that metamorphic viruses rule the dark world. Most of the information provided in these papers is related to my thesis. They were very helpful in deciding how to proceed and what should be given more priority. However, these research papers did not directly guide me toward the type of metamorphic virus that I want to create. They gave me the base knowledge that I need about the generators and the viruses so that I can combine them both to produce the prototype of the virus that I want to create. My thesis will proceed by inserting the generator into the virus.
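The detection side of the techniques described in section 2.3.3 and of the shrinker/permuter stages above is code normalization: a scanner undoes the junk insertion, register renaming and trivial jumps so that two variants collapse back to the same instruction sequence. The following is an added example of such a normalizer, not code from this paper or from any of the kits it names; the two assembly listings are constructed by hand and the set of junk patterns it recognizes is an assumption chosen to match the techniques the text lists.

```python
import re
from difflib import SequenceMatcher

# Constructed listings of two hypothetical variants of the same routine.
# Variant B applies the tricks named in the text: junk instructions (nop,
# mov reg,reg, a push/pop pair), register renaming and an unconditional jump.
VARIANT_A = """
mov eax, [ebp+8]
add eax, ecx
xor edx, edx
ret
"""

VARIANT_B = """
nop
mov ebx, [ebp+8]
mov ebx, ebx
push esi
pop esi
add ebx, ecx
jmp L1
L1:
xor edx, edx
ret
"""

REGS = r"\b(e?[abcd]x|e?[sd]i|e?[bs]p)\b"    # general-purpose registers
JUNK = re.compile(r"^(nop|mov (\w+), \2)$")   # instructions with no effect

def _lines(listing: str) -> list:
    return [l.strip().lower() for l in listing.splitlines() if l.strip()]

def normalize(listing: str) -> list:
    """Drop junk, fold push/pop pairs and jumps to the next label, then rename registers."""
    ins, out, i = _lines(listing), [], 0
    while i < len(ins):
        cur = ins[i]
        nxt = ins[i + 1] if i + 1 < len(ins) else ""
        if JUNK.match(cur):                                   # nop / mov r,r
            i += 1; continue
        if cur.startswith("push ") and nxt == "pop " + cur[5:]:  # push r; pop r
            i += 2; continue
        if cur.startswith("jmp ") and nxt == cur[4:] + ":":      # jmp L; L:
            i += 2; continue
        out.append(cur); i += 1
    names = {}   # canonical renaming: first register seen becomes r0, next r1, ...
    canon = lambda m: names.setdefault(m.group(0), f"r{len(names)}")
    return [re.sub(REGS, canon, line) for line in out]

def similarity(a: str, b: str) -> float:
    """Similarity of two listings after normalization (1.0 = identical)."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def raw_similarity(a: str, b: str) -> float:
    """Same comparison on the raw listings, to show how much the morphing hides."""
    return SequenceMatcher(None, _lines(a), _lines(b)).ratio()
```

On the constructed input the raw comparison scores below 0.3 while the normalized one scores 1.0; a real scanner would need many more junk patterns, but the principle is the same.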